External Penetration Testing and Meteor Apps

chafey · 2019-06-05T14:32:54.760Z

Does anyone know of a vendor that specializes in external penetration testing for meteor apps? I would like one that knows how to look for vulnerabilities in the Meteor DDP web socket (subscribe, call, etc). Thanks

vooteles · 2019-06-05T15:01:34.030Z

You might want to contact @pcorey with this question. Not sure if he can help, but worth a shot. www.petecorey.com should provide some background info.

veered · 2019-06-05T22:58:09.679Z

@pcorey wrote this book on Meteor security: https://www.securemeteor.com/#buy

It’s pretty awesome!

pcorey · 2019-06-06T16:22:06.000Z

Thanks Lucas!

I’ve offered these kinds of security assessments in the past, but I don’t do that anymore, unfortunately. Secure Meteor is basically my brain dump of everything I know about securing Meteor applications, and how I’d apply that knowledge during an assessment.

Sadly, I also don’t really know of any security professionals, pen testers, etc… who focus on Meteor security. I know that ^Lift Security has done a lot of work with Meteor, but they’ve also been acquired by NPM. I’m not sure how active they are in the area anymore. I’ve also seen people like Sam Sun and Juho Hietala report vulnerabilities on Meteor projects, but I’ve never worked with them, can’t personally vouch for them, and don’t even know if they’re open to new work.

TL;DR - I personally don’t know of anyone, sorry.

mikkelking · 2019-06-08T12:37:05.901Z

I have used ZAP (open source) against Meteor apps before, and found very few problems, often the problems are with third party services that are not 100% secure.

Do you want to check that your Meteor methods are denying access under the right conditions? If so, is that just integration tests rather than pen tests?

chafey · 2019-06-10T15:12:31.413Z

We have integration tests, etc - but our customer wants an external entity to test the system - unfortunately most don’t know how to test the ddp connection