Posted by I’m still developing my game Ellas War during my free time. The first versions were in PHP and I have learned own to use NodeJS during the development of this new version (also called EWnext). My code is far from the perfection but I think I built some thing stable and performant.
This project has also been the occasion to learn new things and security has always been one of my main concerns. I’m isolating my micro-services with Kubernetes, but my code was asking for protection too. Most of the NodeJS scanners are made to detect vulnerabilities in the dependencies, that’s interesting but the code is also important. Few weeks ago, I have discovered Njsscan, a free project that allows to scan your code to detect problems. The recommendations are based on the OWASP project.
We will use this tool of some of my projects, and comment the results
How to run it?
When I try a new tool, I prefer to use Docker images. It’s usually easier, and I’m sure to have the latest version. A report will be produced, with information about the problem and sometimes how to fix it.
docker pull opensecurity/njsscan:latest
#cd to your project's directory
docker run -v $(pwd):/src opensecurity/njsscan:latest /srcReport analyze
The generated report is grouped by rule, with information about each problem detected.
Good points
Math.random()This function is cryptographically weak. I use it mostly for the battles inside of the game, but always interesting to generate valid random numbers.
var hash = crypto.createHash('md5').update(string).digest('hex');Risky Cryptographic Algorithms are well detected. Could be good to have links to solutions.
res.redirect(301, '/profile/'+req.query.playerid);We use directly a parameter from the query to do a redirection. The parameter could have been cleaned, but I have modified all my functions to use the result instead.
if(hash == stored_password) {This is I think the most interesting error. Direct comparison are is vulnerable to timing attacks. The recommendation is to use a Xor between the string and to check if the result is zero.
Bad points
var sql = 'SELECT username FROM member WHERE id='+id;
var sql; sql = 'SELECT username FROM member WHERE id='+id;The SQL injection detection is not reliable at all. The first line will return an error, but not the second. I’m also sure that the parameters are not verified.
var res = {
'username':''
}Hard coded values are detected, that can be useful but most of the time its based on the variable’s name. The easiest way to avoid false positives is to use a temporary variable.
Conclusion
Njsscan is an interesting tool but not complete enough to be indispensable. I will continue to use it, a good security is composed by many layers and checks. If you have an alternative to suggest, please leave a message.