The popularity of the Node.js coding language is soaring. Just five years after its debut, the language’s framework now boasts more 2 million downloads a month. It’s easy to understand why. This event-driven language kept the simplicity of existing Web concepts and trashed the complexities; applications built on Node.js do not require a dedicated Web server to run; and Google is even pushing the language with its enhanced V8 engine for the Google Chrome Web browser. In fact, just consider Node.js as the drive-and-go language. But before accelerating too quickly, it is important to understand the power – and corresponding mishaps – of this language.
We’ll delve under-the-hood of the language’s engine and present our 6-month research into the Node.js language. In particular, we reveal new attack techniques against applications built on top of this language. This part of the talk includes demonstrations to engage the audience.
Attacks include:
This talk is not intended to put the brakes on Node.js. On the contrary, this talk’s aim is to raise awareness to its security issues during application development.