
Node Security Project Aims at Making Node.js More Secure


The Node Security Project has been quietly working at improving Node.js security for a few months now. The project's goal is to audit the existing base of Node.js modules to help "improve Node landscape and provide confidence to developers and enterprises about the state of security in Node.js land."

The project plans to perform this audit in a distributed way through a ticketing system that will provide the backbone for handling advisories, issues and pull requests so that modules can get fixed through Node's community help.

One of the main security concerns about Node.js comes from the possibility of server-side JavaScript injection (SSJS injection), similar to cross-site JavaScript injection. Bryan Sullivan, Senior Security Researcher at Adobe, has published a paper explaining some of the attacks that SSJS injection makes possible and the risks apps and data are exposed to.

It should be noted that exploitation of server-side JavaScript injection vulnerabilities is more like that of SQL injection than of cross-site scripting. SSJS injection does not require any social engineering of an intermediate victim user the way that reflected XSS or DOM-based XSS do; instead, the attacker can attack the application directly with arbitrarily created HTTP requests.

As blogger \0/ bish \0/, who describes himself as a security enthusiast, writes, there is a combination of factors in Node.js that developers should be particularly aware of. The first is the presence of eval, "that can be trivially exploited to do server side injection". Another is "the event driven single threaded programming model", so that "a simple error can create a denial of service condition". He also adds that "to be safe, anti-patterns like implied globals, with, eval, should be avoided." In his post, \0/ bish \0/ also shows a few incorrect ways of using those language features that can lead to exploits.
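The two pitfalls the post names, eval-based server-side injection and a single-threaded process that one uncaught error can take down, as an added example that is not from the article or from anyone it quotes. The handler takes the raw request body as a string (a constructed stand-in for an HTTP request) so it runs without a server, and JSON.parse with explicit error handling is the mitigation shown.

```javascript
// Added example (not from the article): the vulnerable pattern beside its
// hardened form, written as plain functions over a body string.

// Vulnerable pattern: "parsing" a JSON body with eval. Whatever the client
// sends is executed as server-side JavaScript, which is the SSJS injection
// the article describes.
function parseBodyUnsafe(rawBody) {
  return eval('(' + rawBody + ')');
}

// Hardened pattern: JSON.parse accepts JSON data only, never code, and the
// result is checked against the shape the handler expects.
function parseBodySafe(rawBody) {
  const data = JSON.parse(rawBody); // throws SyntaxError on anything but JSON
  if (typeof data !== 'object' || data === null || Array.isArray(data)) {
    throw new TypeError('body must be a JSON object');
  }
  return data;
}

// Request handler. Node serves every request on one thread, so an exception
// that escapes a handler is an uncaught exception that ends the whole
// process: one malformed request becomes a denial of service for every
// other client. The handler therefore catches parse errors and answers
// with a 400 instead of letting them propagate.
function handleRequest(rawBody) {
  let data;
  try {
    data = parseBodySafe(rawBody);
  } catch (err) {
    return { status: 400, body: 'invalid request body' };
  }
  return { status: 200, body: 'hello ' + String(data.name) };
}

// Constructed inputs: a valid JSON body, and a body that is a JavaScript
// expression rather than JSON. eval evaluates the expression; JSON.parse
// rejects it and the process keeps serving.
const validBody = '{"name": "alice"}';
const expressionBody = '{"name": "al" + "ice"}';
```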

Thus, it is not that Node.js is intrinsically a less secure technology than others, since the dangers mentioned above are also present in other widely used server-side languages. Rather, as Adam Baldwin says in an interview with Modulus, it is a matter of raising developers' awareness of the security concerns that affect the Node platform:

The Node Security Project is an effort to change the way we approach security within the node community, a focused effort to evangelize security principles, audit modules created by the community, and publish the results.
