Tuesday, October 13 • 12:00 - 12:30
The Node.js Highway: Attacks are at Full Throttle


The popularity of Node.js is soaring. Just five years after its debut, the platform now boasts more than 2 million downloads a month. It's easy to understand why. This event-driven runtime kept the simplicity of existing Web concepts and discarded the complexities; applications built on Node.js do not require a dedicated Web server to run, because the application process itself listens for HTTP; and Google's V8 engine, the same JavaScript engine that powers the Google Chrome Web browser, drives it. In fact, just consider Node.js the drive-and-go platform. But before accelerating too quickly, it is important to understand the power, and the corresponding mishaps, of this platform.

We'll look under the hood of the V8 engine and the Node.js runtime and present our six-month research into Node.js security. In particular, we reveal new attack techniques against applications built on top of the platform. This part of the talk includes live demonstrations to engage the audience.

Attacks include:

  • Application-layer DDoS attacks. With just 4(!) requests, a server is brought to its knees, effectively denying service to all users of the Node.js application.
  • Password exposure attacks. Leveraging the "Forgot My Password" feature of applications built on Node.js to reveal the passwords of all users of the application.
  • Business logic attacks. Running malicious code on the machines of all users of the application by exploiting a weak business feature, made possible by the platform's inherent coupling of the application and the server it runs on.

This talk is not intended to put the brakes on Node.js. On the contrary, its aim is to raise awareness of Node.js security issues during application development.



Speakers

Helen Bravo

Product Management Director, Checkmarx
Helen Bravo is the Product Manager at Checkmarx. Helen has more than fifteen years of experience in software development, IT security and source-code analysis. Prior to working at Checkmarx, Helen worked at Comverse, one of the biggest Israeli high-tech firms, as a software engineer...


Tuesday October 13, 2015 12:00 - 12:30 IDT
Main Auditorium
  Track 1
