How Is This Book Organized?

Below you'll find a sample chapter from Secure Meteor, a guide to help you learn the ins and outs of securing your Meteor application from a Meteor security professional. If you like what you read and you're interested in securing your Meteor application, be sure to read the entire book!

This book revolves around the premise that we’ve built out an e-commerce application using Meteor. Before we go live with our new application, we decide to take off our developer hats and put on our attacker hats in order to see our application through new eyes. We’ll explore the varied attack surface of our application to discover how holes in this surface can be exploited for fun and profit, and how to shore up those vulnerabilities to make a more secure application.

We’ll start where things usually start: in the beginning. The Meteor framework makes certain decisions and tradeoffs when creating a new project that you need to be aware of when developing a secure application.

We’ll move on from there by poking at the authentication and authorization mechanisms at play in our application. Are they enough to prevent an attacker from doing anything harmful to our application or our users? If we’ve left any holes in our defenses, how do we fortify them?

Next, we’ll dive into the vast world of “checking” user-provided data, and the consequences that fall out of making unfounded assumptions about that data. We’ll explore the vast and varied world of NoSQL Injection in these sections, so be sure to pay close attention!

After we move on from exploiting NoSQL Injection vulnerabilities in our data layer, we’ll dive into security concerns relating specifically to Meteor publications, HTTP endpoints, and collection validators.

After giving the back-end so much attention, we’ll shift our focus to the front-end of our application. We’ll go over the potential dangers of an isomorphic codebase and discuss why it’s always vitally important to know where your code is running. Finally, we’ll turn our attention to the dangers that exist in the front-end of our application by going over topics like Cross Site Scripting and Cross Site Request Forgery.

Many of the examples discussed in this book assume that a would-be attacker has some intimate knowledge of the inner workings of your application. The last section of Secure Meteor demonstrates how this information can be teased out of your application itself with some basic sleuthing by a knowledgeable attacker.