Common security threats

Node.js, as a backend runtime environment, faces various security threats. From code injection to dependency vulnerabilities, developers need a comprehensive understanding of attack scenarios and must adopt targeted protective measures. The following sections categorize and discuss typical risks and their solutions.

Code Injection Attacks

Code injection is one of the most dangerous security threats to Node.js applications. Common forms include:

1. SQL Injection: Unfiltered user input directly concatenated into SQL statements

// Dangerous example
const query = `SELECT * FROM users WHERE username = '${req.body.username}'`;
db.query(query, (err, result) => { ... });

// Secure solution
const query = 'SELECT * FROM users WHERE username = ?';
db.query(query, [req.body.username], (err, result) => { ... });

2. Command Injection: Executing unsanitized input via child_process

// Dangerous example
const { exec } = require('child_process');
exec(`ls ${userInput}`, (error, stdout) => {...});

// Secure solution
const { execFile } = require('child_process');
execFile('ls', [userInput], (error, stdout) => {...});

3. Template Injection: Dynamic template engines processing user input

// EJS example
const template = `<h1>Welcome <%= unsafeUserInput %></h1>`;
// Should use content escaping
const template = `<h1>Welcome <%- escape(unsafeUserInput) %></h1>`;

Authentication Flaws

Authentication system vulnerabilities often lead to serious security issues:

1. Weak Password Policies: No enforcement of password complexity requirements

// Should use password strength validation libraries
const zxcvbn = require('zxcvbn');
if (zxcvbn(password).score < 3) {
  throw new Error('Insufficient password strength');
}

2. Session Fixation Attacks: Unchanged session ID before and after login

// Should reset the session after successful authentication
app.post('/login', (req, res) => {
  req.session.regenerate(() => {
    req.session.user = authenticatedUser;
  });
});

3. JWT Implementation Issues: Unverified signatures or weak algorithms

// Misconfiguration
jwt.sign(payload, 'weak-secret', { algorithm: 'HS256' });

// Correct approach
jwt.sign(payload, process.env.STRONG_SECRET, { 
  algorithm: 'RS256',
  expiresIn: '2h'
});

Dependency Chain Risks

Third-party packages can introduce security risks:

1. Malicious Package Implantation: Malicious code execution via dependencies

# Should regularly audit dependencies
npm audit
npx nodejsscan

2. Outdated Dependency Vulnerabilities: Failure to update packages with known vulnerabilities

// package.json should specify exact versions
"dependencies": {
  "express": "4.18.2",
  "lodash": "4.17.21"
}

3. Supply Chain Attacks: Compromised developer accounts leading to tampered legitimate packages

// Use package integrity verification
npm install --package-lock-only
npm ci

Configuration Errors

Improper configurations often become attack vectors:

1. Sensitive Information Leakage: Configuration files containing plaintext passwords

// Wrong approach
module.exports = {
  dbPassword: '123456'
};

// Should use environment variables
require('dotenv').config();
module.exports = {
  dbPassword: process.env.DB_PASSWORD
};

2. Overly Permissive CORS: Allowing access from any origin

// Dangerous configuration
app.use(cors());

// Secure configuration
const whitelist = ['https://example.com'];
app.use(cors({
  origin: (origin, callback) => {
    if (whitelist.indexOf(origin) !== -1) {
      callback(null, true)
    } else {
      callback(new Error('Not allowed by CORS'))
    }
  }
}));

3. Missing HTTP Headers: Absence of security-related headers

// Should add security headers
const helmet = require('helmet');
app.use(helmet());

Denial-of-Service Attacks

System resources can be maliciously exhausted:

1. Regex Catastrophes: Inefficient regex causing CPU overload

// Dangerous regex
/(a+)+$/.test('aaaaaaaaX');

// Should use safe libraries
const safe-regex = require('safe-regex');
if (!safeRegex(regexPattern)) {
  throw new Error('Potentially dangerous regex');
}

2. Unrestricted Request Body Size: Large file uploads causing memory overflow

// Should configure body parsing limits
app.use(express.json({ limit: '100kb' }));
app.use(express.urlencoded({ limit: '100kb' }));

3. Event Loop Blocking: Synchronous operations occupying the main thread

// Wrong example
const data = fs.readFileSync('large.file');

// Correct approach
fs.readFile('large.file', (err, data) => {...});

Filesystem Security

Improper file operations leading to vulnerabilities:

1. Path Traversal Attacks: Unfiltered user-provided file paths

// Dangerous example
app.get('/download', (req, res) => {
  const file = req.query.file;
  res.download(`/var/www/uploads/${file}`);
});

// Secure solution
const path = require('path');
app.get('/download', (req, res) => {
  const file = path.basename(req.query.file);
  const fullPath = path.join('/var/www/uploads', file);
  if (!fullPath.startsWith('/var/www/uploads')) {
    return res.status(403).end();
  }
  res.download(fullPath);
});

2. Temporary File Race Conditions: File creation and permission setting out of sync

// Unsafe operation
fs.writeFile('/tmp/data.tmp', data, (err) => {
  fs.chmod('/tmp/data.tmp', 0o600, (err) => {...});
});

// Atomic operation solution
const { open } = require('fs').promises;
async function safeWrite(path, data) {
  const fd = await open(path, 'wx', 0o600);
  await fd.write(data);
  await fd.close();
}

Logging and Monitoring Deficiencies

Security events not being effectively recorded:

1. Sensitive Information Logging: Passwords or tokens in logs

// Wrong logging
console.log(`User login with password: ${password}`);

// Should filter sensitive fields
const maskFields = (obj) => {
  const masked = { ...obj };
  ['password', 'token'].forEach(field => {
    if (masked[field]) masked[field] = '***';
  });
  return masked;
};

2. Log Injection Attacks: Malicious input polluting log formats

// Dangerous example
logger.info(`User input: ${userInput}`);

// Secure handling
const sanitize = (str) => str.replace(/\n/g, '\\n');
logger.info(`User input: ${sanitize(userInput)}`);

3. Lack of Monitoring: No alerts for anomalous behavior

// Should configure exception monitoring
const NewRelic = require('newrelic');
process.on('uncaughtException', (err) => {
  NewRelic.noticeError(err);
  process.exit(1);
});