A Study of Node.js Using Injection Vulnerabilities

Tushar Srivastava, Ashutosh Pandey, Rizwan Khan


The Node.js ecosystem has led to the creation of many modern applications, such as server-side web applications and desktop applications. Unlike client-side JavaScript code, Node.js applications can interact freely with the operating system without the benefits of a security sandbox. The complex interplay between Node.js modules leads to subtle injection vulnerabilities being introduced across module boundaries. This paper presents a large-scale study across 235,850 Node.js modules to explore such vulnerabilities. We show that injection vulnerabilities are prevalent in practice, both due to eval, which was previously studied for browser code, and due to the powerful exec API introduced in Node.js. Our study suggests that thousands of modules may be vulnerable to command injection attacks and that even for popular projects it takes a long time to fix the problem.


DOI: https://doi.org/10.23956/ijarcsse.v8i5.666

© International Journals of Advanced Research in Computer Science and Software Engineering (IJARCSSE)| All Rights Reserved | Powered by Advance Academic Publisher.