
Node Security Project Aims at Making Node.js More Secure

by Sergio De Simone on Jun 25, 2014

Node Security Project has been quietly working at improving Node.js security for a few months now. The project's goal is to audit Node.js's existing module base to help "improve Node landscape and provide confidence to developers and enterprises about the state of security in Node.js land."

The project plans to perform this audit in a distributed way through a ticketing system that will provide the backbone for handling advisories, issues and pull requests so that modules can get fixed through Node's community help.

One of the main security concerns about Node.js comes from the possibility of server-side JavaScript injection (SSJS injection), similar to cross-site JavaScript injection. Bryan Sullivan, Senior Security Researcher at Adobe, has published a paper explaining some of the attacks that SSJS injection makes possible and the risks apps and data are exposed to.

It should be noted that exploitation of server-side JavaScript injection vulnerabilities is more like that of SQL injection than of cross-site scripting. SSJS injection does not require any social engineering of an intermediate victim user the way that reflected XSS or DOM-based XSS do; instead, the attacker can attack the application directly with arbitrarily created HTTP requests.

As blogger \0/ bish \0/, who describes himself as a security enthusiast, writes, there is a combination of factors in Node.js that developers should be particularly aware of. The first is the presence of eval, "that can be trivially exploited to do server side injection". Another is "the event driven single threaded programming model", so that "a simple error can create a denial of service condition". He also adds that "to be safe, anti-patterns like implied globals, with, eval, should be avoided." \0/ bish \0/ also shows in his post a few incorrect usages of those language features that may lead to exploits.
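As an added illustration (not code from the article or from the blogger it quotes), the eval anti-pattern beside a hardened Node.js request handler; the handler shape and the request bodies are constructed for the example:

```javascript
// Added example (not from the article or the Node Security Project):
// the eval-based "JSON parsing" anti-pattern the article warns about,
// beside a hardened alternative. All inputs below are constructed.

// Anti-pattern: eval() runs the request body as JavaScript, so any
// input that is not plain JSON data is executed as code on the server.
function parseBodyUnsafe(body) {
  return eval('(' + body + ')');
}

// Hardened: JSON.parse accepts only data, and the error is caught so a
// malformed body cannot throw out of the single-threaded event loop.
function parseBodySafe(body) {
  try {
    return { ok: true, value: JSON.parse(body) };
  } catch (e) {
    return { ok: false, error: 'invalid JSON' };
  }
}

// Hypothetical handler shape: returns a status and payload instead of
// throwing, so one bad request does not crash the whole process.
function handleRequest(body) {
  const parsed = parseBodySafe(body);
  if (!parsed.ok || typeof parsed.value !== 'object' || parsed.value === null) {
    return { status: 400, payload: { error: 'expected a JSON object' } };
  }
  return { status: 200, payload: { received: Object.keys(parsed.value) } };
}

// Constructed inputs: a well-formed body, and a body that is an
// expression rather than data. eval evaluates the expression (it is
// treated as code); JSON.parse rejects it and the handler answers 400.
const goodBody = '{"user":"alice","qty":2}';
const exprBody = '1 + 1';
```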

Thus, it is not that Node.js is intrinsically less secure than other technologies, since the dangers mentioned above are also present in other widely used server-side languages. Rather, as Adam Baldwin says in an interview with Modulus, it is a matter of raising developers' awareness of the security concerns that affect the Node platform:

The Node Security Project is an effort to change the way we approach security within the node community, a focused effort to evangelize security principles, audit modules created by the community, and publish the results.
