Secure Meteor


Learn the ins and outs of Meteor application security from a Meteor security professional.

What's in the book?

Secure Meteor puts you in the shoes of both a Meteor developer building out an e-commerce application with our favorite framework, and a malicious user trying to find and exploit vulnerabilities in that application for fun and profit.

Securing your application is more than following a prescriptive list of dos and don’ts. Being able to build secure Meteor applications requires a mindset that deeply and intuitively understands potential attacks before they happen. My ultimate goal with this guide is to help you see your application through this mindset.

As you can see from its table of contents below, Secure Meteor attempts to cover the entire attack surface of a Meteor application, from the front end to the back end. Read through the provided sample chapters for a taste of what's inside!

  • About This Book
  • Why Security?
  • Why Now?
  • How Is This Book Organized?
  • Insecure Defaults
    • Insecure and Autopublish
    • Writes to Profile
  • Authentication and Authorization
    • Missing User Checks
    • Always Use Trusted Fields
  • Checking Arguments
    • Partial Checks
    • Always Check Your Arguments
  • NoSQL Injection
    • NoSQL Injection Across Query Types
      • Remove Queries
      • Single Update Queries
      • Multi-Update Queries
      • Find Queries
      • Find-One Queries
      • Insert Queries
      • Upsert Queries
    • Advanced NoSQL Injection
  • Securing Publications
    • Improperly Invalidated Publications
    • NoSQL Injection in Publications
  • Securing Endpoints
  • Securing Collection Validators
    • Writing Comprehensive Allow Rules is Hard
    • NoSQL Injection Through Modifiers
    • Multiple Allows and Denies
    • Collection Validators and Server-side Operations
  • Always Remember Where Your Code Runs
    • Sleuthing for Leaking Secrets
    • Exploiting User Creation Options
  • Securing the Client
    • The Dangers of Cross Site Scripting
    • Cross Site Scripting through Third Party Libraries
    • On Cross Site Request Forgery
  • Dependencies
    • A Vulnerable Meteor Package
    • A Vulnerable Node Package
  • First Encounter
    • Finding Methods
    • A Note on “Validated Methods”
    • Finding Collection Validators
    • Finding Publications
    • Finding Exposed Secrets
    • Finding Dependencies
  • Limit Your Assumptions

Have More Questions?

Pulling the trigger on a purchase is always a difficult step to take. If you're still on the fence about purchasing Secure Meteor, I highly recommend reading the Why Security? sample chapter and skimming through these frequently asked questions:

Is Secure Meteor affiliated with the Meteor framework or MDG (the Meteor Development Group)? No. Secure Meteor is an entirely independent project.

Is Secure Meteor a physical book? No. Secure Meteor is being sold exclusively as a PDF document.

What if I don't find Secure Meteor valuable? If you regret your purchase of Secure Meteor for any reason, I'll happily issue a full refund.