NodeJS #vulnerabilities - it hurts to look


"Node.js is a server-side software system designed for writing scalable Internet applications, notably web servers.[1] Programs are written on the server side in JavaScript, using event-drivenasynchronous I/O to minimize overhead and maximize scalability.[2]

Node.js contains a built-in HTTP server library, making it possible to run a web server without the use of external software, such as Apache orLighttpd, and allowing more control of how the web server works...." - Wikipedia .   Essentially Node.js is a wrapper around Chrome's V8 javascript engine.   This wrapper allows a javascript programmer to write javascript on the front-end and backend.  I am not sure why someone would want to write javascript on the backend but ok, sure.  




There are too many vulnerabilities for me to dig through and start pointing out.  So instead of talking about each vulnerability, below is the vulnerability class pie. 


Vulnerability pie

Vulnerability pie

Node.js instances publicly available and indexed by Shodan: ~550 servers.

Node.js source code is publicly available at Github

Good luck and happy vulnerability hunting. 




Defensive coding is a must.  

Third party software packages need to be reviewed for vulnerabilities.   

Treat Node.js as if it were untrusted software handling trusted data.