Node Security Project Aims at Making Node.js More Secure

by Sergio De Simone, Jun 25, 2014


The Node Security Project has been quietly working on improving Node.js security for a few months now. Its goal is to audit the existing Node.js module base in order to "improve Node landscape and provide confidence to developers and enterprises about the state of security in Node.js land."

The project plans to perform this audit in a distributed way, through a ticketing system that will provide the backbone for handling advisories, issues and pull requests, so that modules can be fixed with the help of the Node community.

One of the main security concerns about Node.js is the possibility of server-side JavaScript injection (SSJS injection), the server-side analogue of the JavaScript injection seen in cross-site scripting. Bryan Sullivan, Senior Security Researcher at Adobe, has published a paper explaining some of the attacks that SSJS injection makes possible and the risks to which applications and data are exposed:

It should be noted that exploitation of server-side JavaScript injection vulnerabilities is more like that of SQL injection than of cross-site scripting. SSJS injection does not require any social engineering of an intermediate victim user the way that reflected XSS or DOM-based XSS do; instead, the attacker can attack the application directly with arbitrarily created HTTP requests.

As blogger \0/ bish \0/, who describes himself as a security enthusiast, writes, there is a combination of factors in Node.js that developers should be particularly aware of. The first is the presence of eval, "that can be trivially exploited to do server side injection". Another is "the event driven single threaded programming model", so that "a simple error can create a denial of service condition". He adds that "to be safe, anti-patterns like implied globals, with, eval, should be avoided." In his post, \0/ bish \0/ also shows a few ways in which misusing those language features can lead to exploits.
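The eval-based injection and the single-threaded denial of service described above, as an added example that is not code from this article, from Sullivan's paper, from \0/ bish \0/'s post or from the Node Security Project: a request-body parser written with eval, the pattern the post warns against, beside one written with JSON.parse, both run against a benign body and a constructed attacker body. The SECRET_API_KEY constant, the function names and the payload strings are assumptions made for the demonstration; no network is involved, since the body string is exactly what a directly crafted HTTP request would deliver to the handler.

```javascript
'use strict';
// Added example (not from the article or any project it mentions).
// SECRET_API_KEY, the function names and the payloads are constructed for the demo.

const SECRET_API_KEY = 'constructed-secret-key'; // stands in for server-side state

// VULNERABLE: direct eval of the request body. The intended input is a JSON
// object literal such as {"amount": 10}, but eval runs whatever the client
// sends with the privileges of the server process, and a direct eval can also
// read the enclosing scope (here, SECRET_API_KEY).
function parseBodyVulnerable(body) {
  return eval('(' + body + ')');
}

// HARDENED: JSON.parse never executes code; anything that is not JSON throws.
function parseBodySafe(body) {
  const obj = JSON.parse(body);
  if (obj === null || typeof obj !== 'object' || Array.isArray(obj)) {
    throw new TypeError('request body must be a JSON object');
  }
  return obj;
}

// Runs a parser the way a route handler would and records the outcome.
// No intermediate victim is needed (SQLi-like, not XSS-like): the attacker
// sends the body straight to the server.
function handle(parser, body) {
  try {
    const value = parser(body);
    return { ok: true, amount: value.amount };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}

// Benign request body (constructed).
const BENIGN = '{"amount": 10}';

// Attacker body (constructed). It closes the object literal that eval wraps in
// parentheses, runs an arbitrary statement, then supplies a well-formed object
// so the handler's own result looks normal. The statement copies the server's
// secret somewhere the attacker can read it back later; a real payload would
// reach for child_process or fs instead.
const INJECTION = '{}); globalThis.exfiltrated = SECRET_API_KEY; ({"amount": 10}';

// Denial-of-service body for the single-threaded event loop. It is NOT run
// through the eval parser below: one busy loop would stall every other request.
const DOS = '{}); while (true) {} ({"amount": 10}';

// Exercises both parsers; properties are evaluated in order, so `leaked` is
// read after the vulnerable parser has run the injected statement.
function demo() {
  const results = {
    vulnerableBenign: handle(parseBodyVulnerable, BENIGN),
    vulnerableInjected: handle(parseBodyVulnerable, INJECTION),
    leaked: globalThis.exfiltrated,
    safeBenign: handle(parseBodySafe, BENIGN),
    safeInjected: handle(parseBodySafe, INJECTION),
    safeDos: handle(parseBodySafe, DOS),
  };
  delete globalThis.exfiltrated; // undo the side effect of the injected code
  return results;
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with `node ssjs-demo.js`. With the eval parser the injected request is answered exactly like the benign one (amount 10), while the server's secret has been copied to a global; with JSON.parse the same body, and the busy-loop body, are rejected as SyntaxError before any code runs. That second property is what matters for the single-threaded model: a parser that cannot execute input cannot be made to block the event loop by input.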

Thus, it is not that Node.js is intrinsically a less secure technology than others, since the dangers mentioned above are also present in other widely used server-side languages. Rather, as Adam Baldwin says in an interview with Modulus, it is a matter of raising developers' awareness of the security concerns that affect the Node platform:

The Node Security Project is an effort to change the way we approach security within the node community, a focused effort to evangelize security principles, audit modules created by the community, and publish the results.
