Before the final post in our series on vulnerabilities in the MEAN stack, look back at the other four posts, which cover MongoDB, Express.js (core), Express.js (sessions and CSRF), and AngularJS.
Development mode (Node.js/Express.js)
By default, Express applications run in development mode unless the NODE_ENV environment variable is set to another value; note that Express's default error handler suppresses stack traces only when NODE_ENV is exactly "production". In development mode, Express returns more verbose errors, which can result in information leakage. For example, the error message below returns the full path to the requested file, which also gives an attacker information about the host system (directory layout, user names, framework versions embedded in the stack trace).
Posted in Open Source Security, Software Architecture & Design, Web Application Security
Learn how to prevent common AngularJS vulnerabilities: expression injection, information leakage through local storage, and misuse of Angular's own Strict Contextual Escaping (SCE) service.
Posted in Software Architecture & Design, Web Application Security
With MEAN stack apps, you can store session state client-side in a JSON Web Token or a custom cookie object. But once the state lives on the client, how do you invalidate a user's session?
Posted in Web Application Security
With the Express framework, developers can easily apply multiple middleware plugins globally to all routes. But middleware runs in the order it is registered, so it must be applied in the right order.
Posted in Open Source Security, Web Application Security
MEAN stack applications (MongoDB, Express.js, AngularJS, and Node.js) are increasingly popular as lightweight, easily deployable frameworks, thanks to a vast ecosystem of middleware plugins and dependencies. But just how secure are these technologies?
Posted in Open Source Security, Web Application Security
Some versions of JBoss are affected by CVE-2015-7501, a Java deserialization vulnerability that can allow remote code execution. Here's how to mitigate it.
Posted in Software Architecture & Design