Node Security Shield: Securing NodeJS Applications

Node Security Shield

Node Security Shield (NSS) is a Developer and Security Engineer friendly module for Securing NodeJS Applications by allowing developers to declare what resources an application can access.

NSS is an Open source Runtime Application Self-Protection (RASP) tool and aims at bridging the gap for comprehensive NodeJS security.

Inspired by the log4J vulnerability (CVE-2021-44228) which can be exploited because an application can make arbitrary network calls.

We felt there is a need for an application to declare what privileges it can have so that exploitation of such vulnerabilities becomes harder.

To achieve this, NSS (Node Security Shield) has Resource Access Policy.

Resource Access Policy (RAP)

Resource Access Policy is similar to CSP(Content Security Policy).

It lets the developer/security engineer declare what resources an application should access. And Node Security Shield will enforce it.

Features

• Attack Monitoring
  • Outbound Network Calls
• Attack Blocking
  • Outbound Network Calls

Roadmap

• Attack Monitoring
  • Command Execution
  • File Calls
• Attack Blocking
  • Command Execution
  • File Calls
• Vulnerability Scanner

Install

Install Node Security Shield using npm

npm install nodesecurityshield

Use

// Require Node Security Shield

let nodeSecurityShield = require('nodesecurityshield');



// Enable Attack Monitoring and/or Blocking

nodeSecurityShield.enableAttackMonitoring(resourceAccessPolicy ,callbackFunction);

Sample resourceAccessPolicy

const resourceAccessPolicy  = {

  "outBoundRequest" : {

          "blockedDomains" : ["*.123.com", "stats.abc.com", 'xyz.com'],

          "allowedDomains" : ["*.domdog.io"]

      }

};

• Note: blockedDomains holds precedence over allowedDomains.
• i.e., requests checked against blockedDomains first then allowedDomains.

Sample callbackFunction for Attack Monitoring

var callbackFunction = function (violationEvent) {

  console.log(violationEvent);

}

Sample callbackFunction for Attack Blocking

var callbackFunction = function (violationEvent) {

    throw new Error("Request Blocked. It violates declared Resource Access Policy.")

}

Sample violationEvent

{

 "violationtType": "Outbound Request",

 "message": "Outbound request to 'www.malicious.com' violates declared 'Resource Access Policy (RAP)'.",

 "policy": {

  "outBoundRequest" : {

          "blockedDomains" : ["*.123.com", "stats.abc.com", 'xyz.com'],

          "allowedDomains" : ["*.domdog.io"]

      }

}

Integrating with Sentry

Sample callbackFunction to integrate with Sentry

var callbackFunction = function (violationEvent) {

  

  var e = new Error();

  e.name = 'Resource Access Policy Violation';

  e.message = JSON.stringify(violationEvent);

  Sentry.captureException(e);



}

Copyright (C) 2022 Lavakumar Kuppan & Sukesh Pappu

Source: https://github.com/DomdogSec/