Hacking NodeJS applications for fun and profit

NodeJS is one of the fastest growing platforms nowadays, and from a security point of view it is necessary to know all the possibilities that the platform offers to developers. In this talk I will show the main vulnerabilities we can find and how we can fix them in our applications.

This is a talk that explains some of the most common problems in NodeJS applications and how, using frequently used tools, it is possible to exploit such vulnerabilities. On the other hand, it will also be seen that some of these vulnerabilities are not included in the OWASP Top 10, and that it is important to take into account certain design and development practices in order not to fall into errors that lead to security incidents.

These could be the talking points:

- Node.js security packages

I will comment on how to protect Express applications in terms of authentication, logging, middleware and security best practices before putting applications into production.

- How to prevent the OWASP Top 10 in a NodeJS application

In this point I will comment on the OWASP NodeGoat project, which provides an environment to learn the OWASP Top 10 security risks. I will comment on the main risks we can find in NodeJS applications from an attacker's perspective.

- Tools which help to protect our Node applications, like the NSP module or Retire, which scan for known vulnerable libraries in the Angular and jQuery ecosystem. Other tools like NodeJSScan allow detecting vulnerabilities following some predefined rules.

Jose Manuel Ortega

Software engineer & Security Researcher
