Skip to main content
SpringerLink
Log in

Security Assessment of Node.js Platform

  • Conference paper
Book cover Information Systems Security (ICISS 2012)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 7671))

Included in the following conference series:

Abstract

Node.js is a novel event-based network application platform which forces developers to use asynchronous programming interfaces for I/O operations. The native language for developing applications on this platform is JavaScript. Despite its young age the platform has attracted a significant community of developers and gained support from the industry. The Node.js community generally has a strong focus on the scalability of the platform but little research has been done on how the platform’s design decisions affect the security of its applications. This paper outlines several possible security pitfalls to be aware of when using Node.js platform and server side JavaScript. We also describe two discovered vulnerabilities and give recommendations for developing and configuring resilient web applications on the Node.js platform.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Joyent, Inc.: Node.js homepage, http://nodejs.org/

  2. White, A.: JavaScript Programmer’s Reference. John Wiley & Sons (2010)

    Google Scholar 

  3. Google, Inc.: V8 JavaScript Engine, http://code.google.com/p/v8/

  4. Schlueter, I.Z.: The Node Package Manager and Registry, https://npmjs.org/

  5. Richards, G., Hammer, C., Burg, B., Vitek, J.: The Eval That Men Do: A Large-Scale Study of the Use of Eval in JavaScript Applications. In: Mezini, M. (ed.) ECOOP 2011. LNCS, vol. 6813, pp. 52–78. Springer, Heidelberg (2011)

    Chapter  Google Scholar 

  6. Cardy, J.: A Collection of JavaScript Gotchas (2011), http://www.codeproject.com/Articles/182416/A-Collection-of-JavaScript-Gotchas

  7. Schlueter, I.Z.: npm scripts, http://npmjs.org/doc/scripts.html

  8. Corry, E., Hansen, C.P., Nielsen, L.R.H.: Irregexp, Google Chrome’s New Regexp Implementation (2009), http://blog.chromium.org/2009/02/irregexp-google-chromes-new-regexp.html

  9. Hazel, P.: PCRE – Perl Compatible Regular Expressions, http://pcre.org/

  10. Cox, R.: Regular expression matching can be simple and fast (2007), http://swtch.com/~rsc/regexp/regexp1.html

  11. Manico, J., Weidman, A.: OWASP Podcast 56 (ReDoS) (2009), http://www.owasp.org/index.php/Podcast_56

  12. Sullivan, B.: Regular expression denial of service attacks and defenses. MSDN Magazine 25(5), 82–85 (2010)

    Google Scholar 

  13. O’Hara, C.: node-validator, https://github.com/chriso/node-validator

  14. Wegner, J.: Why Node.JS? Security, http://www.wegnerdesign.com/blog/why-node-js-security/

  15. Holowaychuk, T.J.: Connect – a middleware layer for Node.js, https://github.com/senchalabs/connect

Download references

Author information

Authors and Affiliations

  1. Institute of Cybernetics, Tallinn University of Technology, Akadeemia tee 21, 12618, Tallinn, Estonia

    Andres Ojamaa

  2. Tallinn University of Technology, Ehitajate tee 5, 19086, Tallinn, Estonia

    Karl Düüna

Authors
  1. Andres Ojamaa
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Karl Düüna
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Department of Computer Science, University of Illinois at Chicago, 60607-7053, Chicago, IL, USA

    Venkat Venkatakrishnan

  2. Department of Computer Science and Engineering, Indian Institute of Technology, 781039, Guwahati, Assam, India

    Diganta Goswami

Rights and permissions

Reprints and permissions

Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Ojamaa, A., Düüna, K. (2012). Security Assessment of Node.js Platform. In: Venkatakrishnan, V., Goswami, D. (eds) Information Systems Security. ICISS 2012. Lecture Notes in Computer Science, vol 7671. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-35130-3_3

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-35130-3_3

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-35129-7

  • Online ISBN: 978-3-642-35130-3

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation