Abstract
Node.js is a novel event-based network application platform that forces developers to use asynchronous programming interfaces for I/O operations. The native language for developing applications on this platform is JavaScript. Despite its young age, the platform has attracted a significant community of developers and gained support from industry. The Node.js community generally has a strong focus on the scalability of the platform, but little research has been done on how the platform's design decisions affect the security of its applications. This paper outlines several possible security pitfalls to be aware of when using the Node.js platform and server-side JavaScript. We also describe two discovered vulnerabilities and give recommendations for developing and configuring resilient web applications on the Node.js platform.
Copyright information
© 2012 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Ojamaa, A., Düüna, K. (2012). Security Assessment of Node.js Platform. In: Venkatakrishnan, V., Goswami, D. (eds) Information Systems Security. ICISS 2012. Lecture Notes in Computer Science, vol 7671. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-35130-3_3
DOI: https://doi.org/10.1007/978-3-642-35130-3_3
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-35129-7
Online ISBN: 978-3-642-35130-3
eBook Packages: Computer Science, Computer Science (R0)