
I have a javascript application running on nodejs. It reads stdin to take a username and password to access some online services.

These credentials stay in variables the whole time the application is running (24/7) in case a relogin is required.

Is it possible for someone who gets access to the server to "debug" the application and obtain those variables the same way a person can do in a browser? Or any other way?

I still have little to no understanding of the internal workings of node.

EDIT: The application is running on a Docker container!

1 Answer


It depends on the server. If they have root or Administrator privileges there are a variety of ways they could potentially gain access, up to and including reading them straight out of RAM. If they are on a standard account, you are probably safer so long as they are not running on the same account as your app. It is always a possibility, but you can minimize the risk by using a separate account, limiting OS user access to the machine, and encrypting your credentials at the very least. Also be sure permissions are set so they can't write or read the app's code, and if they aren't supposed to execute it, block that as well. As to debugging Node, it is my understanding you have to explicitly run it in debug mode. But there are other ways for sure, so it is best to limit access, especially physical access to the server, and use encryption. Even better if you can offload those credentials in encrypted form and clear out any variables that were holding them.


6 Comments

@Aus 1. One must assume the attacker will gain root/Administrator privileges. 2. Set up two-factor authentication to the server.
@zaph I edited the question, it is running on a Docker container, I didn't know it was relevant.
It is running on Docker, I'm reading on using "node" user instead of the default root.
If the attacker gets root, and your creds are in memory without encryption then you are pwned. This is why you should use heavy encryption, and not store credentials in memory on the server if you can help it. If you need to, it is better to store them on the client, and give them the option whether they want to store their creds or not. You could also use two-party login using OAuth, Facebook, Google, etc. or use the browser's password storage mechanism.
Thank you, I configured a firewall and 2-factor auth on that machine and ran node with a non-sudoer user. I can use OAuth in my application to access the online services, but I have to look after the authentication token instead.
