跳转到主要内容

标签(标签)

资源精选(342) Go开发(108) Go语言(103) Go(99) angular(82) LLM(78) 大语言模型(63) 人工智能(53) 前端开发(50) LangChain(43) golang(43) 机器学习(39) Go工程师(38) Go程序员(38) Go开发者(36) React(33) Go基础(29) Python(24) Vue(22) Web开发(20) Web技术(19) 精选资源(19) 深度学习(19) Java(18) ChatGTP(17) Cookie(16) android(16) 前端框架(13) JavaScript(13) Next.js(12) 安卓(11) 聊天机器人(10) typescript(10) 资料精选(10) NLP(10) 第三方Cookie(9) Redwoodjs(9) ChatGPT(9) LLMOps(9) Go语言中级开发(9) 自然语言处理(9) PostgreSQL(9) 区块链(9) mlops(9) 安全(9) 全栈开发(8) OpenAI(8) Linux(8) AI(8) GraphQL(8) iOS(8) 软件架构(7) RAG(7) Go语言高级开发(7) AWS(7) C++(7) 数据科学(7) whisper(6) Prisma(6) 隐私保护(6) JSON(6) DevOps(6) 数据可视化(6) wasm(6) 计算机视觉(6) 算法(6) Rust(6) 微服务(6) 隐私沙盒(5) FedCM(5) 智能体(5) 语音识别(5) Angular开发(5) 快速应用开发(5) 提示工程(5) Agent(5) LLaMA(5) 低代码开发(5) Go测试(5) gorm(5) REST API(5) kafka(5) 推荐系统(5) WebAssembly(5) GameDev(5) CMS(5) CSS(5) machine-learning(5) 机器人(5) 游戏开发(5) Blockchain(5) Web安全(5) Kotlin(5) 低代码平台(5) 机器学习资源(5) Go资源(5) Nodejs(5) PHP(5) Swift(5) devin(4) Blitz(4) javascript框架(4) Redwood(4) GDPR(4) 生成式人工智能(4) Angular16(4) Alpaca(4) 编程语言(4) SAML(4) JWT(4) JSON处理(4) Go并发(4) 移动开发(4) 移动应用(4) security(4) 隐私(4) spring-boot(4) 物联网(4) nextjs(4) 网络安全(4) API(4) Ruby(4) 信息安全(4) flutter(4) RAG架构(3) 专家智能体(3) Chrome(3) CHIPS(3) 3PC(3) SSE(3) 人工智能软件工程师(3) LLM Agent(3) Remix(3) Ubuntu(3) GPT4All(3) 软件开发(3) 问答系统(3) 开发工具(3) 最佳实践(3) RxJS(3) SSR(3) Node.js(3) Dolly(3) 移动应用开发(3) 低代码(3) IAM(3) Web框架(3) CORS(3) 基准测试(3) Go语言数据库开发(3) Oauth2(3) 并发(3) 主题(3) Theme(3) earth(3) nginx(3) 软件工程(3) azure(3) keycloak(3) 生产力工具(3) gpt3(3) 工作流(3) C(3) jupyter(3) 认证(3) prometheus(3) GAN(3) Spring(3) 逆向工程(3) 应用安全(3) Docker(3) Django(3) R(3) .NET(3) 大数据(3) Hacking(3) 渗透测试(3) C++资源(3) Mac(3) 微信小程序(3) Python资源(3) JHipster(3) 语言模型(2) 可穿戴设备(2) JDK(2) SQL(2) Apache(2) Hashicorp Vault(2) Spring Cloud Vault(2) Go语言Web开发(2) Go测试工程师(2) WebSocket(2) 容器化(2) AES(2) 加密(2) 输入验证(2) ORM(2) Fiber(2) Postgres(2) Gorilla Mux(2) Go数据库开发(2) 模块(2) 泛型(2) 指针(2) HTTP(2) PostgreSQL开发(2) Vault(2) K8s(2) Spring boot(2) R语言(2) 深度学习资源(2) 半监督学习(2) semi-supervised-learning(2) architecture(2) 普罗米修斯(2) 嵌入模型(2) productivity(2) 编码(2) Qt(2) 前端(2) Rust语言(2) NeRF(2) 神经辐射场(2) 元宇宙(2) CPP(2) 数据分析(2) spark(2) 流处理(2) Ionic(2) 人体姿势估计(2) human-pose-estimation(2) 视频处理(2) deep-learning(2) kotlin语言(2) kotlin开发(2) burp(2) Chatbot(2) npm(2) quantum(2) OCR(2) 游戏(2) game(2) 内容管理系统(2) MySQL(2) python-books(2) pentest(2) opengl(2) IDE(2) 漏洞赏金(2) Web(2) 知识图谱(2) PyTorch(2) 数据库(2) reverse-engineering(2) 数据工程(2) swift开发(2) rest(2) robotics(2) ios-animation(2) 知识蒸馏(2) 安卓开发(2) nestjs(2) solidity(2) 爬虫(2) 面试(2) 容器(2) C++精选(2) 人工智能资源(2) Machine Learning(2) 备忘单(2) 编程书籍(2) angular资源(2) 速查表(2) cheatsheets(2) SecOps(2) mlops资源(2) R资源(2) DDD(2) 架构设计模式(2) 量化(2) Hacking资源(2) 强化学习(2) flask(2) 设计(2) 性能(2) Sysadmin(2) 系统管理员(2) Java资源(2) 机器学习精选(2) android资源(2) android-UI(2) Mac资源(2) iOS资源(2) Vue资源(2) flutter资源(2) JavaScript精选(2) JavaScript资源(2) Rust开发(2) deeplearning(2) RAD(2)

Contents

Tools

Web Framework Hardening

  • Helmet - Helmet helps you secure your Express apps by setting various HTTP headers.
  • koa-helmet - koa-helmet helps you secure your Koa apps by setting various HTTP headers.
  • blankie - CSP plugin for hapi.
  • fastify-helmet - fastify-helmet helps you secure your fastify apps by setting important secutiry headers.

Static Code Analysis

  • eslint-plugin-security - ESLint rules for Node Security. This project will help identify potential security hotspots, but finds a lot of false positives which need triage by a human.
  • tslint-plugin-security - TSLint rules for Node Security. This project will help identify potential security hotspots, but finds a lot of false positives which need triage by a human.
  • safe-regex - detect potentially catastrophic exponential-time regular expressions by limiting the star height to 1.
  • vuln-regex-detector - This module lets you check a regex for vulnerability. In JavaScript, regular expressions (regexes) can be "vulnerable": susceptible to catastrophic backtracking. If your application is used on the client side, this can be a performance issue. On the server side, this can expose you to Regular Expression Denial of Service (REDOS).
  • git-secrets - Prevents you from committing secrets and credentials into git repositories.
  • DevSkim - DevSkim is a set of IDE plugins and rules that provide security "linting" capabilities. Also has support for CLI so it can be integrated into CI/CD pipeline.
  • ban-sensitive-files - Checks filenames to be committed against a library of filename rules to prevent storing sensitive files in Git. Checks some files for sensitive contents (for example authToken inside .npmrc file).
  • NodeJSScan - A static security code scanner for Node.js applications. Including neat UI that can point where the issue is and how to fix it.
  • Nsecure - Node.js CLI that allow you to deeply analyze the dependency tree of a given npm package or a directory.
  • Trust But Verify - TBV compares an npm package with its source repository to ensure the resulting artifact is the same.
  • lockfile-lint - lint lockfiles for improved security and trust policies to keep clean from malicious package injection and other insecure configurations.
  • pkgsign - A CLI tool for signing and verifying npm and yarn packages.
  • semgrep - Open-source, offline, easy-to-customize static analysis for many languages. Some others on this list (NodeJSScan) use semgrep as their engine.
  • npm-scan - An extensible, heuristic-based vulnerability scanning tool for installed npm packages.
  • js-x-ray - JavaScript and Node.js SAST scanner capable of detecting various well-known malicious code patterns (Unsafe import, Unsafe stmt, Unsafe RegEx, encoded literals, minified and obfuscated codes).
  • cspscanner - CSP Scanner helps developers and security experts to easily inspect and evaluate a site’s Content Security (CSP).
  • eslint-plugin-anti-trojan-source - ESLint plugin to detect and prevent Trojan Source attacks from entering your codebase.

Dynamic Application Security Testing

  • PurpleTeam - A security regression testing SaaS and CLI, perfect for inserting into your build pipelines. You don’t need to write any tests yourself. purpleteam is smart enough to know how to test, you just need to provide a Job file which tells purpleteam what you want tested.

Input Validation & Output Encoding

  • node-esapi - node-esapi is a minimal port of the ESAPI4JS (Enterprise Security API for JavaScript) encoder.
  • escape-html - Escape string for use in HTML.
  • js-string-escape - Escape any string to be a valid JavaScript string literal between double quotes or single quotes.
  • validator - An npm library of string validators and sanitizers.
  • xss-filters - Just sufficient output filtering to prevent XSS!
  • DOMPurify - a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG.
  • envalid - Envalid is a small library for validating and accessing environment variables in Node.js.

Secure Composition

CSRF

  • csurf - Node.js CSRF protection middleware.
  • crumb - CSRF crumb generation and validation for hapi.
  • fastify-csrf - A plugin for adding CSRF protection to fastify.

Vulnerabilities and Security Advisories

  • npq - Safely install packages with npm or yarn by auditing them as part of your install process.
  • snyk - Snyk helps you find, fix and monitor known vulnerabilities in Node.js npm, Ruby and Java dependencies, both on an ad hoc basis and as part of your CI (Build) system.
  • node-release-lines - Introspection API for Node.js release metadata. Provides information about release lines, their relative status along with details of each release.
  • auditjs - Audits an NPM package.json file to identify known vulnerabilities using the OSSIndex.
  • npm-audit - Runs a security audit based on your package.json using npm.
  • npm-audit-resolver - Manage npm-audit results, including options to ignore specific issues in clear and auditable way.
  • gammaray - Runs a security audit based on your package.json using the Node.js Security Working Group vulnerability data.
  • patch-package - Allows app authors to create fixes for npm dependencies (in node_modules) without forking or waiting for merged PRs, by creating and applying patches.
  • check-my-headers - Fast and simple way to check any HTTP Headers.
  • is-website-vulnerable - finds publicly known security vulnerabilities in a website's frontend JavaScript libraries.
  • joi-security - Detect security flaws in Joi validation schemas.
  • confused - Tool to check for dependency confusion vulnerabilities in multiple package management systems. See Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies for reference on the reasoning for this tool.

Security Hardening

  • snync - Mitigate security concerns of Dependency Confusion supply chain security risks.
  • NopPP - No Prototype Pollution - Tiny helper to protect against Prototype Pollution vulnerabilities in your application regardless if they introduced in your own code or in 3rd-party code.
  • anti-trojan-source - Detect trojan source attacks that employ unicode bidi attacks to inject malicious code.
  • express-limiter - Rate limiting middleware for Express applications built on redis.
  • limits - Simple express/connect middleware to set limit to upload size, set request timeout etc.
  • rate-limiter-flexible - Fast, flexible and friendly rate limiter by key and protection from DDoS and brute force attacks in process Memory, Cluster, Redis, MongoDb, MySQL, PostgreSQL at any scale. Express and Koa examples included.
  • tor-detect-middleware Tor detect middleware for express
  • express-enforces-ssl Enforces SSL for Express based Node.js projects. It is however highly advised that you handle SSL and global HTTP rules in a front proxy.
  • bourne JSON.parse() drop-in replacement with prototype poisoning protection.
  • fastify-rate-limit A low overhead rate limiter for your routes.
  • secure-json-parse JSON.parse() drop-in replacement with prototype poisoning protection.
  • express-brute A brute-force protection middleware for express routes that rate-limits incoming requests, increasing the delay with each request in a fibonacci-like sequence.
  • allowed-scripts Execute allowed npm install lifecycle scripts.

Security Incidents

Collection of security incidents that happened in the Node.js, JavaScript and npm related communities with supporting articles:

Date Name Reference Links
2022 May 26 stolen oAuth GitHub tokens lead to npm security breach, compromised user accounts metadata, private packages, and plain-text passwords in logs GitHub
2022 May 24 malicious npm packages exploiting dependency confusion attacks SnykSnyk
2022 May 23 npm packages hijacked due to expired domains TheRegister
2022 March 31 More protestware from styled-components Checkmarx Security blog
2022 March 18 More protestware from es5-ext and event-source-pollyfill Snyk advisory for event-source-pollyfilles5-ext commitArsTechnica
2022 March 16 peacenotwar module sabotages npm developers in the node-ipc package to protest the invasion of Ukraine Snyk blogDarkreadingSC Magazine
2022 March 7 Malicious packages caught exfiltrating data via legit webhook services Checkmarx Security blog
2022 February 22 25 Malicious JavaScript Libraries due to typosquatting attacks TheHackerNews
2022 February 11 2,818 npm accounts use email addresses with expired domains TheRecord
2021 December 08 17 JavaScript libraries contained malicious code to collect and steal Discord access tokens and environment variables from users’ computers - TheRecord
2021 November 04 coa and rc packages - Popular npm library 'coa' was hijacked today with malicious code injected into it, ephemerally impacting React pipelines around the world Bleepingcomputerthe recordnpm tweetnpm tweet for rc.
2021 October 27 noblox.js-proxy and noblox.js - typosquatted npm package that target users of official roblox API and SDK npm package (noblox.js) the register
2021 October 22 ua-parser-js - Versions of a popular NPM package named ua-parser-js was found to contain malicious code Cybersecurity and Infrastructure Security Agency (CISA)github issueIOCsportswiggertheregister
2021 September 02 pac-resolver - can enable threat actors on the local network to run arbitrary code within your Node.js process whenever it attempts to make an HTTP request arstechnica.com
2021 August 07 npm package ownership process firing back and exposing potential vectors for supply chain security risks. Twitter
2021 April 13 New Linux, macOS malware hidden in fake Browserify NPM package: web-browserify Bleepingcomputer.
2020 December 02 jdb.js - db-json.js - malicious npm packages caught installing remote access trojans. zdnet.comBleepingcomputer.
2020 November 09 discord malicious npm package - Npm package caught stealing sensitive Discord and browser files sonatypezdnet.
2020 November 03 twilio-npm - malicious npm package opens backdoors on programmers' computers. zdnet
2020 August 29 fallguys - malicious package stealing sensitive files. zdnet
2020 April 27 is-promise - one-liner library breaks an ecosystem. Forbes Lindesay - Maintainer post-mortemsnyk's postmortem
2019 August 22 bb-builder - malicious package targeting Windows systems to exfiltrate information and send to a remote service. SnykReversing LabsBleeping Computer
2019 June 05 EasyDEX-GUI - malicious code found in npm package event-stream. npmsnykkomodo announcement
2018 November 27 event-stream - malicious code found in npm package event-stream. github issue snyksnyk's postmortemschneidintrinsicnpmjaydenhillel wayne's postmortem
2018 July 12 eslint - malicious packages found in npm package eslint-scope and eslint-config-eslint. github issueeslint tweeteslint's postmortemnodesource's postmortemnpm's statement
2018 May 02 getcookies - malicious package getcookies gets embedded in higher-level express related packages. GitHub issuenpmbleepingcomputer.comSnyk’s getcookies vulnerability pageHacker News
2017 August 02 crossenv - malicious typosquatting package crossenv steals environment variables. CJ blog on typosquat packagesTyposquatting research paperbleepingcomputer.comSnyk’s crossenv vulnerability pageHacker News
2016 March 22 left-pad - how one developer broke Node, Babel and thousands of projects in 11 lines of JavaScript. left-pad.ioThe Registerqurtaz.

Follow-up notes:

  • A resource for malicious incidents is BadJS - a repository of malicious JavaScript that has been found in websites, extensions, npm packages, and anywhere else JavaScript lives.
  • npm zoo is an archive keeping track of the original malicious packages source code for educational purposes.

Educational

Hacking Playground

  • OWASP NodeGoat - The OWASP NodeGoat project provides an environment to learn how OWASP Top 10 security risks apply to web applications developed using Node.js and how to effectively address them.
  • OWASP Juice Shop - The OWASP Juice Shop is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws.
  • DomGoat - Client XSS happens when untrusted data from sources ends up in sinks. Information and excercises on different sources, different sinks and example of XSS occuring due to them in the menu on the left-hand side.

Articles

Research Papers

Books

Companies

  • Snyk - A developer-first solution that automates finding & fixing vulnerabilities in your dependencies.
  • Sqreen - Automated security for your web apps - real time application security protection.
  • Intrinsic - Intrinsic secures your sensitive data from bugs and malicious code, allowing you to run all code safely.
  • NodeSource - Mission-critical Node.js applications. Provides N|Solid and Node Certified Modules.
  • GuardRails - A GitHub App that gives you instant security feedback in your Pull Requests.
  • NodeSecure - An organization of developers building free and open source JavaScript/Node.js security tools.

原文:https://github.com/lirantal/awesome-nodejs-security