External Penetration Testing and Meteor Apps

Does anyone know of a vendor that specializes in external penetration testing for meteor apps? I would like one that knows how to look for vulnerabilities in the Meteor DDP web socket (subscribe, call, etc). Thanks

1 Like

You might want to contact @pcorey with this question. Not sure if he can help, but worth a shot. www.petecorey.com should provide some background info.

2 Likes

@pcorey wrote this book on Meteor security: https://www.securemeteor.com/#buy

It’s pretty awesome!

2 Likes

Thanks Lucas!

I’ve offered these kinds of security assessments in the past, but I don’t do that anymore, unfortunately. Secure Meteor is basically my brain dump of everything I know about securing Meteor applications, and how I’d apply that knowledge during an assessment.

Sadly, I also don’t really know of any security professionals, pen testers, etc… who focus on Meteor security. I know that ^Lift Security has done a lot of work with Meteor, but they’ve also been acquired by NPM. I’m not sure how active they are in the area anymore. I’ve also seen people like Sam Sun and Juho Hietala report vulnerabilities on Meteor projects, but I’ve never worked with them, can’t personally vouch for them, and don’t even know if they’re open to new work.

TL;DR - I personally don’t know of anyone, sorry. :frowning:

2 Likes

I have used ZAP (open source) against Meteor apps before, and found very few problems, often the problems are with third party services that are not 100% secure.

Do you want to check that your Meteor methods are denying access under the right conditions? If so, is that just integration tests rather than pen tests?

We have integration tests, etc - but our customer wants an external entity to test the system - unfortunately most don’t know how to test the ddp connection

Bumping this as this is important for enterprise use/adoption. Did you manage to find a vendor that specialises in Meteor pentesting?

Maybe we start some pen test suite based on the book and additional information. Wdyt?

4 Likes

I think any pen testing firm with a web focus will do. In the end DDP is only a small/easy websocket protocol like so many others. And things like noSQL injections are also not unique to Meteor. We had multiple Meteor apps pen tested by multiple companies without prior Meteor specific experience, but that didn’t pose any problems.

5 Likes