Back To Schedule
Tuesday, October 13 • 12:00 - 12:30
The Node.js Highway: Attacks are at Full Throttle

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

The popularity of the Node.js coding language is soaring. Just five years after its debut, the language’s framework now boasts more 2 million downloads a month. It’s easy to understand why. This event-driven language kept the simplicity of existing Web concepts and trashed the complexities; applications built on Node.js do not require a dedicated Web server to run; and Google is even pushing the language with its enhanced V8 engine for the Google Chrome Web browser. In fact, just consider Node.js as the drive-and-go language. But before accelerating too quickly, it is important to understand the power – and corresponding mishaps – of this language.

We’ll delve under-the-hood of the language’s engine and present our 6-month research into the Node.js language. In particular, we reveal new attack techniques against applications built on top of this language. This part of the talk includes demonstrations to engage the audience.

Attacks include:

  • Application-layer DDoS attacks. With just 4(!) requests, a server is brought to its knees, effectively denying services from all users of the Node.js application.
  • Password exposure attacks. Leveraging the “Forgot My Password” feature of applications based on Node.js in order to reveal the passwords of all users of the application.
  • Business logic attacks. Running malicious code on all machines of users of the applications when exploiting a weak business feature due to the language’s inherent coupling of the application and the server it runs on.

This talk is not intended to put the brakes on Node.js. On the contrary, this talk’s aim is to raise awareness to its security issues during application development.

avatar for Helen Bravo

Helen Bravo

Product Management Director, Checkmarx
Helen Bravo is the Product Manager at Checkmarx. Helen has more than fifteen years of experience in software development, IT security and source-code analysis. Prior to working at Checkmarx, Helen has worked in Comverse one of the biggest Israeli Hi-tech firms as a software engineer... Read More →

Tuesday October 13, 2015 12:00 - 12:30 IDT
Main Auditorium
  Track 1

Attendees (0)