Security Assessment of Node.js Platform

  • Andres Ojamaa
  • Karl Düüna
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7671)

Abstract

Node.js is a novel event-based network application platform which forces developers to use asynchronous programming interfaces for I/O operations. The native language for developing applications on this platform is JavaScript. Despite its young age, the platform has attracted a significant community of developers and gained support from the industry. The Node.js community generally has a strong focus on the scalability of the platform, but little research has been done on how the platform's design decisions affect the security of its applications. This paper outlines several possible security pitfalls to be aware of when using the Node.js platform and server-side JavaScript. We also describe two discovered vulnerabilities and give recommendations for developing and configuring resilient web applications on the Node.js platform.
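The abstract's point that the platform's design decisions shape its security is easiest to see on the denial-of-service side: all JavaScript for a Node.js process runs on a single thread, so asynchronous I/O keeps that thread free, but any synchronous, CPU-bound work inside a request handler stalls every other connection until it returns. The following is an added illustration of that general pitfall, written for this page; it is not code from the paper and it is not one of the two vulnerabilities the paper reports. The nested-quantifier pattern, the 64-character length cap and the hostile input string are all assumptions constructed for the example.

```javascript
// Added example (not from the paper): a synchronous, CPU-bound operation as a
// denial-of-service pitfall on a single-threaded event-loop platform.
//
// A regular expression with nested quantifiers is the classic trigger: on a
// non-matching input its backtracking grows exponentially with input length,
// and because RegExp matching is synchronous, the whole event loop waits.

// Deliberately vulnerable pattern (assumed for the example): nested quantifiers.
const NESTED = /^(a+)+$/;

// Accepts exactly the same language, without the redundant outer quantifier.
const LINEAR = /^a+$/;

// Hard cap applied before any pattern runs (assumed limit chosen for the example).
const MAX_INPUT_LENGTH = 64;

// Run re.test() and report how long the synchronous call held the thread.
function timedTest(re, input) {
  const start = process.hrtime.bigint();
  const matched = re.test(input);
  const elapsedMs = Number(process.hrtime.bigint() - start) / 1e6;
  return { matched, elapsedMs };
}

// What a naive handler does: trusts the input length and runs the nested pattern.
function validateNaive(input) {
  return NESTED.test(input);
}

// Hardened form: reject oversized or non-string input before matching,
// then evaluate the linear pattern only.
function validateHardened(input) {
  if (typeof input !== 'string' || input.length > MAX_INPUT_LENGTH) {
    return false;
  }
  return LINEAR.test(input);
}

// Demonstrate event-loop starvation: a 0 ms timer armed before the match cannot
// fire until the synchronous match returns, however long that takes.
function starvationDemo(n) {
  // Constructed hostile input: n letters followed by a character that can never
  // match, so the nested pattern must try every way of grouping the letters.
  const hostile = 'a'.repeat(n) + '!';
  const armed = Date.now();
  setTimeout(() => {
    console.log(`0 ms timer fired ${Date.now() - armed} ms after being armed`);
  }, 0);
  const slow = timedTest(NESTED, hostile);
  const fast = timedTest(LINEAR, hostile);
  console.log(`nested pattern: ${slow.elapsedMs.toFixed(1)} ms, ` +
              `linear pattern: ${fast.elapsedMs.toFixed(3)} ms`);
  return { slow, fast };
}

starvationDemo(22);
```

Raising the argument of starvationDemo by one roughly doubles the time the nested pattern holds the thread, which is why the length cap in validateHardened matters as much as the rewritten pattern: it bounds the worst case before any matcher runs, and it applies equally to patterns whose backtracking behaviour is harder to reason about than this one.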

Keywords

  • application security
  • denial of service
  • server platform security
  • server-side JavaScript security



Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Andres Ojamaa (1)
  • Karl Düüna (2)
  1. Institute of Cybernetics, Tallinn University of Technology, Tallinn, Estonia
  2. Tallinn University of Technology, Tallinn, Estonia