You are here: Home » NewsFeeds » Synode: understanding and automatically preventing injection attacks on Node.js

Synode: understanding and automatically preventing injection attacks on Node.js

Synode: understanding and automatically preventing injection attacks on Node.js Staicu et al., NDSS’18
If you’re using JavaScript on the server side (node.js), then you’ll want to understand the class of vulnerabilities described in this paper. JavaScript on the server side doesn’t enjoy some of the same protections as JavaScript running in a browser. In particular, Node.js modules can interact freely with the operating system without the benefit of a security sandbox. The bottom line is this:

We show that injection vulnerabilities are prevalent in practice, both due to eval, which was previously studied for browser code, and due to the powerful exec API introduced in Node.js. Our study suggests that thousands of modules may be vulnerable to command injection attacks and that fixing them takes a long time, even for popular projects.

The Synode tool developed by the authors combines static analysis with runtime protection to defend against such attacks. You can


 

Original article