External Penetration Testing and Meteor Apps

chafey · June 5, 2019, 2:32pm

Does anyone know of a vendor that specializes in external penetration testing for meteor apps? I would like one that knows how to look for vulnerabilities in the Meteor DDP web socket (subscribe, call, etc). Thanks

vooteles · June 5, 2019, 3:01pm

You might want to contact @pcorey with this question. Not sure if he can help, but worth a shot. www.petecorey.com should provide some background info.

veered · June 5, 2019, 10:58pm

@pcorey wrote this book on Meteor security: https://www.securemeteor.com/#buy

It’s pretty awesome!

pcorey · June 6, 2019, 4:22pm

Thanks Lucas!

I’ve offered these kinds of security assessments in the past, but I don’t do that anymore, unfortunately. Secure Meteor is basically my brain dump of everything I know about securing Meteor applications, and how I’d apply that knowledge during an assessment.

Sadly, I also don’t really know of any security professionals, pen testers, etc… who focus on Meteor security. I know that ^Lift Security has done a lot of work with Meteor, but they’ve also been acquired by NPM. I’m not sure how active they are in the area anymore. I’ve also seen people like Sam Sun and Juho Hietala report vulnerabilities on Meteor projects, but I’ve never worked with them, can’t personally vouch for them, and don’t even know if they’re open to new work.

TL;DR - I personally don’t know of anyone, sorry.

mikkelking · June 8, 2019, 12:37pm

I have used ZAP (open source) against Meteor apps before, and found very few problems, often the problems are with third party services that are not 100% secure.

Do you want to check that your Meteor methods are denying access under the right conditions? If so, is that just integration tests rather than pen tests?

chafey · June 10, 2019, 3:12pm

We have integration tests, etc - but our customer wants an external entity to test the system - unfortunately most don’t know how to test the ddp connection

drew · November 23, 2019, 4:38am

Bumping this as this is important for enterprise use/adoption. Did you manage to find a vendor that specialises in Meteor pentesting?

jkuester · November 23, 2019, 3:10pm

Maybe we start some pen test suite based on the book and additional information. Wdyt?

seba · November 23, 2019, 6:35pm

I think any pen testing firm with a web focus will do. In the end DDP is only a small/easy websocket protocol like so many others. And things like noSQL injections are also not unique to Meteor. We had multiple Meteor apps pen tested by multiple companies without prior Meteor specific experience, but that didn’t pose any problems.

dokithonon · January 6, 2020, 7:40pm

Hello,
We did contact this company for penetration tests (and other type of tests : firewall) for our meteor app : https://www.seculting.ch . Our app is used by industrial customers and this was a request from them. They need access to your code base and a cloned server (that they will try to hack). If you tell them that you want to focus the pen test on DDP they will do it.