Hacking NodeJS applications for fun and profit - TIB AV-Portal

Hacking NodeJS applications for fun and profit

00:00

Related Material

Ortega, José Manuel

Formal Metadata

Title

Hacking NodeJS applications for fun and profit

Subtitle

Testing NodeJS Security

Title of Series

Number of Parts

Author

Ortega, José Manuel

License

CC Attribution 2.0 Belgium:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Identifiers

10.5446/44312 (DOI)

Publisher

Release Date

Language

Content Metadata

Subject Area

Computer Science

Genre

Conference/Talk

Abstract

NodeJS is one of the fastest growing platforms nowdays and from a security point of view is necessary to know all posibilities that the platform offers to developers.This is a talk that explains some of the most common problems in NodeJS applications and how using frequently used tools it is possible to exploit such vulnerabilities.Also I will show what are the main vulnerabilities we can found and how we can fix them in our applications. These could be the talking points: -Node.js security packages. I will comment how to protect express applications in terms of authentication, logging,middleware and security best practices before put applications in production. -How to prevent OWASP TOP 10 in a NodeJS application In this point I will comment the OWASP NodeGoat project that provides an environment to learn OWASP Top 10 security risks. I will comment the main risks we can find in nodejs applications from a attacker perspective. -Tools which will help to protect our node applications like NodeJSScan allow detecting vulnerabilities following some predefined rules

Speech

Text

Image

00:00

Information securitySoftware testingVertex (graph theory)Thread (computing)Single-precision floating-point formatLimit (category theory)Concurrency (computer science)Graphical user interfaceEvent horizonLoop (music)Annulus (mathematics)Data modelService (economics)HTTP cookieDisk read-and-write headEmailContent (media)Computer configurationFrame problemData typeDefault (computer science)Module (mathematics)Cartesian coordinate systemModule (mathematics)Latent heatVertex (graph theory)Software developerCombinational logicProjective planeVulnerability (computing)Server (computing)Mobile appSoftware frameworkComputer configurationInformation securityEmailRevision controlSoftware testingStandard deviationConnected spaceStability theoryRepository (publishing)Electronic mailing listExpressionTelecommunicationGroup actionMaxima and minimaStack (abstract data type)EncryptionComputing platformHTTP cookieMemory managementPoint (geometry)Resource allocationLevel (video gaming)Goodness of fitRun-time systemView (database)Water vaporSpecial unitary groupPlanningForcing (mathematics)SpacetimeHacker (term)SoftwareScripting languageMultiplication signSubject indexingTraffic reportingVideo gameMathematicsOrder (biology)Cross-site scriptingMusical ensembleRoundness (object)Decision support systemExecution unitFerry CorstenService (economics)Electronic program guideWebsitePercolation theoryInternet forumMultiplicationPhysical lawInclusion mapKälteerzeugungCovering spaceMatching (graph theory)Automatic repeat requestDemo (music)Operator (mathematics)Block (periodic table)Conditional-access moduleWritingOnline helpFirewall (computing)Set (mathematics)Right angleTheory of relativityPixelComputer fileShooting methodForestRow (database)Mobile WebSymbol tableDigital electronicsComputer animationProgram flowchart

06:33

Module (mathematics)ForceClient (computing)Cache (computing)Frame problemDefault (computer science)EmailInformation securityRevision controlExpressionFunction (mathematics)outputDependent and independent variablesFingerprintSoftware frameworkData managementExecution unitTime domainHTTP cookieWebsiteFunctional (mathematics)HTTP cookieLatent heatRevision controlEmailMobile appCross-site scriptingCartesian coordinate systemExpressionServer (computing)Type theoryFlagDomain nameInformationVulnerability (computing)CASE <Informatik>FingerprintClassical physicsDependent and independent variablesTask (computing)Attribute grammarService (economics)Web browserSoftware frameworkInformation securityModule (mathematics)Digital rights managementInjektivitätVector spacePhysical lawCAN busPlastikkarteMiddlewarePrinciple of relativityWeb syndicationOnline helpExploit (computer security)Forcing (mathematics)Object (grammar)Public key certificateFigurate numberDefault (computer science)Set (mathematics)Flash memoryMetropolitan area networkCategory of beingGenderFormal verificationDigital photographyVolumenvisualisierungDisk read-and-write headSpecial unitary groupLine (geometry)MathematicsMiniDiscWeb 2.0WritingLevel (video gaming)Reading (process)Internet forumSoftware testingScripting languageBasis <Mathematik>Covering spaceNumberStability theorySoftwareForm (programming)Power (physics)Formal languageVideo game

13:00

Vulnerability (computing)HTTP cookieWebsiteExpressionToken ringProcess (computing)Group actionNormed vector spaceoutputDependent and independent variablesModule (mathematics)Digital filterLimit (category theory)Object (grammar)Regulärer Ausdruck <Textverarbeitung>Different (Kate Ryan album)CodeDependent and independent variablesoutputValidity (statistics)Cross-site scriptingCartesian coordinate systemMiddlewareModule (mathematics)Vulnerability (computing)InjektivitätHTTP cookieHeegaard splittingExpressionClient (computing)Template (C++)Token ringWeb applicationThresholding (image processing)AuthenticationGroup actionView (database)AdditionObservational studyWater vaporTask (computing)Forcing (mathematics)Sound effectSoftwareForceTouch typingWeb 2.0Electronic visual displayGoodness of fitOffice suiteMiniDiscMathematicsRow (database)State of matterExecution unitImpulse responseWritingCategory of beingComputer animation

18:35

Hash functionPasswordDuality (mathematics)Vertex (graph theory)InjektivitätServer (computing)User profileObject (grammar)Directed setMiddlewarePasswordError messageInformation securityFunctional (mathematics)Service (economics)Musical ensembleMultiplication signEmailPoint (geometry)Cartesian coordinate systemComputer fileGame controllerLink (knot theory)Server (computing)Web 2.0Repository (publishing)MiniDiscModule (mathematics)Reflection (mathematics)CausalityContext awarenessSoftwarePrice indexDrill commandsWebsiteSoftware testingStudent's t-testSmoothingProcess (computing)InformationComa BerenicesScripting languageCodierung <Programmierung>Fluid staticsMathematical analysisValidity (statistics)WordExpressionDecision theoryData storage deviceCodeInternet forumTheory of relativityInjektivitätEqualiser (mathematics)TelecommunicationFormal verificationRevision controlMatching (graph theory)Cross-site scriptingSensitivity analysisHash functionDependent and independent variablesDenial-of-service attackDatabaseType theoryVertex (graph theory)Web browserTraffic reportingForm (programming)Regulärer Ausdruck <Textverarbeitung>outputStress (mechanics)Open sourceMobile appField (computer science)Vulnerability (computing)Software crackingIntegrated development environmentElectronic mailing listGastropod shell

24:10

Repository (publishing)Asynchronous Transfer ModeInformation securityVertex (graph theory)Chi-squared distributionChecklistRepository (publishing)Image resolutionTelecommunicationMultiplication signComputer animation

24:39

Point cloudComputer animation

Transcript: Englisch(auto-generated)