NodeJS Security for Beginners
Introduction:
NodeJS is an extremely powerful and lightweight technology, which is being widely adopted. Just like any other technology sometimes developers make mistakes during the development process, which may lead to serious vulnerabilities.
Learn Secure Coding
In this series of articles, we discuss various NodeJS specific and traditional vulnerabilities that we may come across when dealing with NodeJS apps.
Prerequisites:
This series of articles is going to walk the readers through various possible vulnerabilities in NodeJS code. So, a basic knowledge of writing simple NodeJS apps is required to practice the steps provided in these articles. If you just want to understand the concepts, then basic web application security knowledge is enough and we are good to go.
Getting started:
In all the articles in this series, we will have a close look at the vulnerable NodeJS source code. In this first article, let us discuss the infamous XSS vulnerability, and how to fix it.
When untrusted data is not properly sanitized by the application before displaying it back to the user, XSS occurs.
Below is a sample piece of code written in NodeJS and expression. This allows a user to insert some data through the input field and then echoes it back.
Vulnerable Code:
//This code is vulnerable to Cross Site Scripting
var express = require('express');
var bodyParser = require('body-parser');
var app = express();
app.use(bodyParser());
app.get('/', function(req, res){
var html = '' + '
'; res.send(html); }); app.post('/', function(req, res){ var userName = req.body.userName; var html = 'Hello: ' + userName + '.
' + ''; res.send(html); }); app.listen(8000);
The below piece of code is what makes the application vulnerable.
var userName = req.body.userName;
var html = 'Hello: ' + userName + '.
' +
'Try again.';
res.send(html);
As we can see, the user input is directly sent back to the user without any validation/encoding.
Let's run the application and see it in action.
When we enter some input into the application, it is going to echo it back to the user.
This looks as shown below.
Let us now test for Cross Site Scripting.
As expected, this is going to pop an alert box as shown below.
The source code of the response page is as shown below.
Fixing XSS using sanitizer:
Fixing XSS vulnerabilities in NodeJS application requires context specific output encoding just like any other web application. In the current example, we are going to use an npm module called "sanitizer".
First, make sure you download the npm module "sanitizer".
Once done with adding sanitizer module, the code used to fix is as shown below.
//Fixing XSS in nodejs apps using sanitizer
var express = require('express');
var sanitizer = require('sanitizer');
var bodyParser = require('body-parser');
var app = express();
app.use(bodyParser());
app.get('/', function(req, res){
var html = '
'; res.send(html); }); app.post('/', function(req, res){ var userName = req.body.userName; var sanitizedinput = sanitizer.escape(userName); var html = 'Hello: ' + sanitizedinput + '. ' + 'Try again.'; res.send(html); }); app.listen(8000);
As we can see in the code above, we are making use of sanitizer for escaping the special characters from the user input before displaying it back to the user.
The following snippet from the above code shows how it is done.
var sanitizer = require('sanitizer');
.
.
.
.
var userName = req.body.userName;
var sanitizedinput = sanitizer.escape(userName);
var html = 'Hello: ' + sanitizedinput + '.
' +
'Try again.';
res.send(html);
Let us run this modified code with an XSS payload to see if the vulnerability persists.
If you notice, the malicious script inserted by the user has been output encoded and displayed back as data rather than code.
Source code of the response page is as shown below.
Additionally, we can add headers such as HttpOnly to minimize the attack surface.
Conclusion:
Learn Secure Coding
In this article, we have seen how traditional web vulnerabilities such as XSS can be a part of NodeJS applications. We have also seen the usage of sanitizer module. In the later parts of this series, we will see some other NodeJS specific as well as traditional vulnerabilities in NodeJS applications.
Learn Secure Coding
Get hands-on experience with common coding mistakes, how they can be exploited and possible mitigations. Learn secure coding in:- Android and iOS
- C/C++, Java, .NET and PHP
- And more
In this Series
- NodeJS Security for Beginners
- Enhancing code security: Tools and techniques for safeguarding your code
- DevSecOps Tools of the trade
- Software dependencies: The silent killer behind the world's biggest attacks
- Software composition analysis and how it can protect your supply chain
- Only 20% of new developers receive secure coding training, says report
- Introduction to Secure Software Development Life Cycle
- How to control the flow of a program in x86 assembly
- Mitigating MFA bypass attacks: 5 tips for developers
- How to diagnose and locate segmentation faults in x86 assembly
- How to use the ObjDump tool with x86
- Debugging your first x86 program
- How to build a program and execute an application entirely built in x86 assembly
- Overview of common x86 instructions
- x86 basics: Data representation, memory and information storage
- What is x86 assembly?
- Introduction to x86 assembly and syntax
- Introduction to variables
- How to mitigate Race Conditions vulnerabilities
- How to avoid Cryptography errors
- Cryptography errors Exploitation Case Study
- How to exploit Cryptography errors in applications
- How to exploit race conditions
- Email-based attacks with Python: Phishing, email bombing and more
- Attacking Web Applications With Python: Recommended Tools
- Attacking Web Applications With Python: Exploiting Web Forms and Requests
- Attacking Web Applications With Python: Web Scraper Python
- Python for Network Penetration Testing: Best Practices and Evasion Techniques
- Python for network penetration testing: Hacking Windows domain controllers with impacket Python tools
- Python Language Basics: Variables, Lists, Loops, Functions and Conditionals
- How to Mitigate Poor HTTP Usage Vulnerabilities
- How to Exploit Poor HTTP Usage
- Introduction to HTTP (What Makes HTTP Vulnerabilities Possible)
- How to Mitigate Integer Overflow and Underflow Vulnerabilities
- How to exploit integer overflow and underflow
- Introduction to Parallel Processing
- What are Race Conditions?
- How Are Credentials Used In Applications?
- How To Exploit Least Privilege Vulnerabilities
- XSS Vulnerabilities Exploitation Case Study
- What is is integer overflow and underflow?
- SQL Injection Vulnerabilities Exploitation Case Study
- How to exploit improper error handling
- Improper Error Handling Exploitation Case Study
- Why Improper Error Handling Happens
- How to exploit CSRF Vulnerabilities
- How to mitigate CSRF Vulnerabilities
- What Causes Command Injection Vulnerabilities? (How are Data and Code Handled in Execution Environments)
- Command Injection Vulnerabilities
- Command Injection Vulnerabilities Exploitation Case Study
- How to mitigate Command Injection Vulnerabilities
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Secure coding