10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
9.3 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
0.976 High
EPSS
Percentile
100.0%
A Developer and Security Engineer friendly package for Securing NodeJS Applications.
Inspired by the log4J vulnerability (CVE-2021-44228) which can be exploited because an application can make arbitrary network calls.
We felt there is an need for an application to declare what privileges it can have so that exploitation of such vulnerabilities becomes harder.
To achieve this, NSS (Node Security Shield) hasResource Access Policy.
Resource Access Policy is similar toCSP(Content Security Policy).
It lets the developer/security engineer declare what resources an application should access. And Node Security Shield will enforce it.
Install Node Security Shield using npm
npm install nodesecurityshield
// Require Node Security Shield
let nodeSecurityShield = require('nodesecurityshield');
// Enable Attack Monitoring and/or Blocking
nodeSecurityShield.enableAttackMonitoring(resourceAccessPolicy ,callbackFunction);
Sample resourceAccessPolicy
const resourceAccessPolicy = {
"outBoundRequest" : {
"blockedDomains" : ["*.123.com", "stats.abc.com", 'xyz.com'],
"allowedDomains" : ["*.domdog.io"]
}
};
Sample callbackFunction for Attack Monitoring
var callbackFunction = function (violationEvent) {
console.log(violationEvent);
}
Sample callbackFunction for Attack Blocking
var callbackFunction = function (violationEvent) {
throw new Error("Request Blocked. It violates declared Resource Access Policy.")
}
Sample violationEvent
{
"violationtType": "Outbound Request",
"message": "Outbound request to 'www.malicious.com' violates declared 'Resource Access Policy (RAP)'.",
"policy": {
"outBoundRequest" : {
"blockedDomains" : ["*.123.com", "stats.abc.com", 'xyz.com'],
"allowedDomains" : ["*.domdog.io"]
}
}
Sample callbackFunction to integrate with Sentry
var callbackFunction = function (violationEvent) {
var e = new Error();
e.name = 'Resource Access Policy Violation';
e.message = JSON.stringify(violationEvent);
Sentry.captureException(e);
}
Screenshot from Sentry dashboard
10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
9.3 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
0.976 High
EPSS
Percentile
100.0%