Hackers of India

Node.js: The good, bad and ugly

By Bishan Singh on 15 Feb 2012 @ Nullcon

Abstract

Node, the latest rave in server-side JavaScript programming, inherently brings some security benefits over traditional server-side paradigms, such as being secure by default. On the flip side, it carries over the universally known dangerous JavaScript APIs like eval, which can trivially be exploited for server-side code injection, among others. It also introduces new attack vectors because of its event-driven, single-threaded model, in which a single unhandled error can create a denial-of-service condition for every connected client. In this session we will demo these good, bad and ugly parts of Node. We will also look at how Node fares against the good parts that other platforms provide, such as PHP's filter-based auto-sanitization and Spring Security. Node is powerful, and with power comes responsibility. Finally, we will look at the major exploits and things that can go wrong with Node's highly promising features such as WebSockets.
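The two risks the abstract names, eval-based server-side injection and a single error taking down the whole process, can be shown in a few lines of Node. The block below is an added example and is not code from the talk; the function names (vulnerableCalc, safeCalc, dispatch) and the "calculator endpoint" scenario are assumptions made for illustration. It puts a handler that hands user input to eval beside one that accepts only an arithmetic grammar, and wraps each request so a malformed input becomes an error response rather than an uncaught exception.

```javascript
'use strict';
// Added example (not from the talk): a hypothetical Node "calculator"
// endpoint written two ways, plus a per-request fence for thrown errors.

// --- The bad part: server-side JavaScript injection via eval() ----------
// `expr` is attacker-controlled request input. eval() runs it inside the
// server process with the server's privileges, so "process.env" leaks the
// environment and a child_process call runs shell commands.
function vulnerableCalc(expr) {
  return eval(expr); // eslint-disable-line no-eval
}

// --- Hardened form: a whitelist grammar instead of the JS interpreter ---
// Recursive-descent parser for + - * / ( ) and decimal numbers. Any other
// character (identifiers, dots, brackets, quotes) becomes a token that the
// parser rejects, so user text never reaches the JavaScript engine.
function safeCalc(expr) {
  // Numbers and operators are tokens; any other non-space char is a
  // single-character token so it can be rejected with a clear message.
  const tokens = expr.match(/\d+(?:\.\d+)?|[-+*/()]|\S/g) || [];
  let pos = 0;
  const peek = () => tokens[pos];
  const next = () => tokens[pos++];

  function parsePrimary() {
    const t = next();
    if (t === undefined) throw new SyntaxError('unexpected end of input');
    if (t === '(') {
      const v = parseExpr();
      if (next() !== ')') throw new SyntaxError('missing )');
      return v;
    }
    if (t === '-') return -parsePrimary(); // unary minus
    if (/^\d/.test(t)) return Number(t);
    throw new SyntaxError(`unexpected token ${JSON.stringify(t)}`);
  }
  function parseTerm() {
    let v = parsePrimary();
    while (peek() === '*' || peek() === '/') {
      const op = next();
      const r = parsePrimary();
      if (op === '/' && r === 0) throw new RangeError('division by zero');
      v = op === '*' ? v * r : v / r;
    }
    return v;
  }
  function parseExpr() {
    let v = parseTerm();
    while (peek() === '+' || peek() === '-') {
      const op = next();
      const r = parseTerm();
      v = op === '+' ? v + r : v - r;
    }
    return v;
  }
  const result = parseExpr();
  if (pos !== tokens.length) {
    throw new SyntaxError(`trailing input ${JSON.stringify(peek())}`);
  }
  return result;
}

// --- The ugly part: one uncaught exception is a denial of service -------
// Node runs every handler on one thread. An exception that nothing catches
// ends the process and drops every in-flight connection, not just the one
// that sent bad input. dispatch() fences each request so a bad request
// becomes a 4xx/5xx response instead of a crash.
function dispatch(handler, req) {
  try {
    return { status: 200, body: String(handler(req)) };
  } catch (err) {
    const clientFault = err instanceof SyntaxError || err instanceof RangeError;
    return {
      status: clientFault ? 400 : 500,
      body: clientFault ? err.message : 'internal error',
    };
  }
}

// Constructed sample requests: a legitimate expression and an injection.
console.log(dispatch(safeCalc, '(1+2)*3'));            // status 200, body '9'
console.log(dispatch(safeCalc, 'process.versions.node')); // status 400, rejected before evaluation
console.log(vulnerableCalc('process.versions.node'));   // prints the server's Node version: injected code ran in-process
```

The try/catch in dispatch only covers errors thrown synchronously while the handler runs. An error thrown later from an asynchronous callback (a timer, a socket event, a database reply) is not caught by it and still terminates the process, which is exactly why the single-threaded model makes error handling a security concern rather than a robustness nicety.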