The document discusses security issues related to Node.js applications. It begins by providing an overview of Node.js and how it allows JavaScript to be executed server-side. It then discusses how well-known vulnerabilities like cross-site scripting (XSS), code injection, and remote code execution can occur in Node.js applications if developers are not careful. Specific examples are provided around evaluation of untrusted JSON, uncontrolled use of the eval() function, and crashing servers by causing unhandled exceptions. The document concludes by noting that many common features are not supported out of the box in Node.js and must be added through external modules.
The Node.js movement has transformed the landscape of UI development. In this session we'll look at how Node.js can be leveraged on multiple layers of the web application development lifecycle. Attendees will learn how incorporating Node.js into your front-end build process can optimize code, allow you to use new and upcoming JavaScript features in your code today, and improve your asset delivery pipeline. This session will also cover how Node is changing the template rendering landscape, allowing developers to write "isomorphic" code that runs on the client and server. Lastly we'll look into using Node to achieve developer zen by keeping the codebase clean and limiting the risk of changes to the code causing unknown errors.
This is an introduction to NodeJS which is an open-source, cross-platform run-time environment for developing server-side Web Applications. It also discusses the implications of NodeJS in Internet of Things (IoT).
What is Node.js | Node.js Tutorial for Beginners | Node.js Modules | Node.js ... | Edureka!
This Edureka "What is Node.js" tutorial will help you to learn the Node.js fundamentals and how to create an application in Node.js. Node.js is an open-source, cross-platform JavaScript runtime environment for developing a diverse variety of server tools and applications. Below are the topics covered in this tutorial:
1) Client Server Architecture
2) Limitations of the Multi-Threaded Model
3) What is Node.js?
4) Features of Node.js
5) Node.js Installation
6) Blocking vs. Non-Blocking I/O
7) Creating Node.js Program
8) Node.js Modules
Nodejs Event Driven Concurrency for Web Applications | Ganesh Iyer
We describe the event-driven concurrency model used by Nodejs, a JavaScript server-side scripting platform. An overview of the traditional thread-based approach (used by Apache) is also given, and we compare the two approaches. An introduction to Nodejs programming is provided and some useful packages are discussed.
Talking about future of NodeJS, from Node 7 to Node 10.
NPM 5. N-API, async_hooks, util.promisify().
A big part on the ESM vs. CommonJS module loader, and all the problems Node.js is facing in implementing ESM.
Node.js is open source. It is a cross-platform JavaScript runtime for developing different types of applications and tools. Node.js is not a JavaScript framework: many of its core modules are written in JavaScript, and developers can write new modules in JavaScript as well. It is primarily used to develop I/O-intensive web applications such as single-page applications, video streaming sites and other web applications.
Going by the trends captured in the job market this year and the technology's popularity, the usage of node.js is set to take off this year to a whole new level. This blog is an insight into understanding node.js. Touch points from the ground up, covering the basics of the platform to advanced use cases, will be covered, as will the key features across the different facets of building enterprise applications with node.js. Interesting use cases will be discussed on how this powerful technology is being used across the globe. The targeted audience ranges from intermediate to advanced developers who would like to learn and employ the technology, architects who want to use it effectively for solutioning, and sales teams who can leverage the advantages of the technology in proposing a quicker time to market than ever before.
NodeJS is an open source, cross-platform runtime environment for server-side and networking applications. NodeJS is popular in development because both the front end and the back end use JavaScript code.
Rising from non-existence a few short years ago, Node.js is already attracting the accolades and disdain enjoyed and endured by the Ruby and Rails community just a short time ago. It overtook Rails as the most popular Github repository in 2011 and was selected by InfoWorld for the Technology of the Year Award in 2012. This presentation explains the basic theory and programming model central to Node's approach and will help you understand the resulting benefits and challenges it presents. You can also watch this presentation at http://bit.ly/1362UGA
Slides from my workshop about node.js which I conducted in Girl Geek Dinner Bangalore. More details at http://sudarmuthu.com/blog/introduction-to-node-js-at-yahoo-girl-geek-dinner
For some years now Node.js has been gaining ground both in startups and in the enterprise; let's try to understand together what it is, what its main characteristics are and where this tool gives its best. We will start with an introduction to the JavaScript runtime, describing its non-blocking I/O system and the main functionality it provides. We will then move on to the enormous ecosystem of libraries (NPM), showing the most famous ones and how they are used.
An explanation of the NodeJS platform, which lets us write JavaScript code on the server side. The material was presented at the Programming Wars meetup of the Software Architect Indonesia Community on 26 August 2017 at Microsoft Indonesia.
A presentation on how and why KrakenJS was built, as well as an overview of many useful features that make Kraken different from other frameworks.
Developing realtime apps with Drupal and NodeJS | drupalcampest
Based on Google's V8 JavaScript engine, NodeJS is a fairly new platform for creating scalable and real-time web applications. I will introduce you to NodeJS internals and ecosystem as well as explain why and how you can use Node in your Drupal based projects.
Spring one 2012 Groovy as a weapon of maas PaaSification | Nenad Bogojevic
to share the same infrastructure for all our customers.
We therefore built a highly sophisticated model of physical and logical farms, partitioning the traffic and optimizing resources. We operate 700+ JEE nodes, split in 30+ logical clusters, deployed on less than 10 physical server pools. Today, this infrastructure is delivering a billion dynamic pages per month, for more than 5 million bookings, with a 10 times factor growth expected in the coming years.
Even though thousands of parameters are available to tailor our products to any one particular needs, the recent evolution of the IT Industry towards PAAS ecosystems modified customer expectations: they are now looking for the capability to extend our applications, interact with their own IT, influence our business logic or even graphical interface.
To support this vision, we started developing an extensibility framework, based on scripting technologies. Though being language agnostic, we quickly decided to invest on the Groovy language and rely on JSR 223 to embed it into our applications.
However, transforming a multi-tenant & community SAAS ecosystem into a flexible PAAS environment implies taking up multiple challenges, especially around sandboxing (access & resource control) or productivity and production constraints, such as hot-reloading or an instantaneous fallback mechanism.
This presentation will therefore focus on how Groovy and its extensibility mechanisms allow us to progress on these topics, what limitations we face due to its dynamic nature, and how we're thrilled by the new features coming in the next releases.
Video: https://www.youtube.com/watch?v=b6yLwvNSDck
Here's the showdown you've been waiting for: Node.js vs Play Framework. Both are popular open source web frameworks that are built for developer productivity, asynchronous I/O, and the real time web. But which one is easier to learn, test, deploy, debug, and scale? Should you pick Javascript or Scala? The Google v8 engine or the JVM? NPM or Ivy? Grunt or SBT? Two frameworks enter, one framework leaves.
This is the English version of the presentation. For the version with Japanese subtitles, see http://www.slideshare.net/brikis98/nodejs-vs-play-framework-with-japanese-subtitles
JavaScript, Meet Cloud: Node.js on Windows Azure | Sasha Goldshtein
Slides from a talk at the North Toronto .NET User Group. An introduction to Node.js and Express followed by a tour of Windows Azure and various hosting options for Node applications, including Windows Azure Web Sites, Windows Azure Mobile Services, and Windows Azure Virtual Machines.
JavaScript controls our lives: we use it to zoom in and out of a map, to automatically schedule doctor appointments and to play online games. But have we ever properly considered the security state of this scripting language? Before dismissing the (in)security posture of JavaScript on the grounds of it being a client-side problem, consider the impact of JavaScript vulnerability exploitation on the enterprise: from stealing server-side data to infecting users with malware. Hackers are beginning to recognize this new playground and are quickly adding JavaScript exploitation tools to their Web attack arsenal.
2. Sven Vetsch
§ Partner & CTO at Redguard AG
§ www.redguard.ch
§ Specialized in Application Security
§ (Web, Web-Services, Mobile, …)
§ Leader OWASP Switzerland
§ www.owasp.org / www.owasp.ch
sven.vetsch@redguard.ch
Twitter: @disenchant_ch / @redguard_ch
8 November 2012
OWASP Foundation | Sven Vetsch | sven.vetsch@redguard.ch
2
3. Table of Contents
I. Node.js
II. Node.js Security
III. Wrap Up
IV. Q & A
4. Remarks
Don't use any of the code shown in this presentation unless you want to write insecure software!
We won't really go into how to avoid and fix things. You will see that we'll just talk about new possibilities for exploiting well-known vulnerabilities anyway.
5. I
Node.js
JavaScript on your Server
6. Wait what…?
§ Node aka. Node.js
§ Open Source (http://nodejs.org/)
§ Platform built on Google's JavaScript runtime (V8)
§ For easily building fast and scalable network applications
§ Node uses an event-driven, non-blocking I/O model
§ Lightweight and efficient - perfect for data-intensive real-time applications that run across distributed devices.
8. In short…
"Node allows JavaScript to be executed server-side and provides APIs (i.e. to work with files and talk to devices on a network)."
9. Who would use this?
10. Hello World
var http = require('http');
http.createServer(function (req, res) {
  res.writeHead(200, {
    'Content-Type': 'text/plain'
  });
  res.end('Hello World\n');
}).listen(1337, '127.0.0.1');
console.log('Server running at http://127.0.0.1:1337/');
11. Working with (GET) Parameters
var http = require('http');
var url = require('url');
http.createServer(function (req, res) {
  res.writeHead(200, {
    'Content-Type': 'text/html'
  });
  var queryData = url.parse(req.url, true).query;
  var name = queryData.name;
  console.log("Hello " + name);
  res.end("Hello " + name);
}).listen(1337, '127.0.0.1');
17. Server Side JavaScript Injection
§ It's much like DOM-based XSS, and all the known sources and sinks also work on Node.
§ http://code.google.com/p/domxsswiki/wiki/Index
§ Interesting is everything that performs an eval()
§ eval() is (and stays) evil
18. Server Side JavaScript Injection
Be serious, who would use eval() or for example let unchecked code reach a setTimeout()?
19. Server Side JavaScript Injection
§ Github returns 444'932 results when searching for "eval" in JavaScript code.
§ Of course not all of those are in fact insecure usages of the eval() function
20. Server Side JavaScript Injection
§ Another example: How do you convert JSON back to an object?
§ The good answer:
  JSON.parse(str);
§ The bad (but easier and more intuitive) answer:
  eval(str);
21. Server Side JavaScript Injection
§ "First, you'll use a JavaScript eval() function to convert the JSON string into JavaScript objects."
  return eval(json);
(https://developers.google.com/web-toolkit/doc/latest/tutorial/JSON)
22. Server Side JavaScript Injection
§ "With JSON, you use JavaScript's array and object literals syntax to define data inside a text file in a way that can be returned as a JavaScript object using eval()."
  var jsondata = eval("(" + mygetrequest.responseText + ")")
(http://www.javascriptkit.com/dhtmltutors/ajaxgetpost4.shtml)
23. (Ab)using JSON
...
  var queryData = url.parse(req.url, true).query;
  if (queryData.jsonString) {
    var jsonObject = eval('(' + queryData.jsonString + ')');
    res.end(jsonObject.order[0].name + " ordered one " + jsonObject.order[0].beer);
  } else {
    res.end("Please place your order.");
  }
}).listen(1337, '127.0.0.1');
31. Simple Crash Demo
var http = require('http');
var url = require('url');
http.createServer(function (req, res) {
  res.writeHead(200, {'Content-Type': 'text/html'});
  var queryData = url.parse(req.url, true).query;
  var number_of_decimals = 1;
  if (queryData.nod) { number_of_decimals = queryData.nod; }
  res.end(
    Math.PI.toFixed(number_of_decimals).toString()
  );
}).listen(1337, '127.0.0.1');
33. Simple Crash Demo
number.toFixed( [digits] )
§ digits
  The number of digits to appear after the decimal point; this may be a value between 0 and 20, inclusive, and implementations may optionally support a larger range of values. If this argument is omitted, it is treated as 0.
35. Does Node.js support…
§ Sessions: NO
§ Permanent Data Storage: NO
§ Caching: NO
§ Database Access: NO
§ Logging: NO
§ Default Error Handling: NO
§ …: Most likely NO
36. npm - Node Packaged Modules
§ npm is a Node.js package manager
§ https://npmjs.org/
§ De-facto standard
§ Open – everyone can publish packages
37. npm - Node Packaged Modules
§ npm init
§ Edit package.json like we'll see in a second
§ npm pack
§ npm install evilModule-1.2.3.tgz
§ Publish :-)
39. III
Wrap Up
40. Wrap Up
§ Using Node.js can be a good thing, but you
  § have to care about a lot of things
  § need to know the modules you can use
  § need to write a lot of code yourself until someone writes a module for it
§ We have to wait for (and help) improve modules that make Node.js applications more secure.
§ Training for developers is key, as they can't write secure Node.js applications without even understanding the most simple XSS vectors.
41. IV
Q & A
sven.vetsch@redguard.ch
@disenchant_ch / @redguard_ch