close search bar

Sorry, not available in this language yet

close language selection

Node.js: Preventing common vulnerabilities in the MEAN stack

Synopsys Editorial Team

May 16, 2017 / 2 min read

Table of Contents

Before jumping into the final post within our discussion on vulnerabilities in the MEAN stack, look back at the other four posts within this series discussing MongoDBExpress.js (Core), Express.js (Sessions and CSRF), and AngularJS.

Development mode (Node.js/Express.js)

By default, Express applications run in development mode unless the NODE_ENV environmental variable is set to another value. In development mode, Express returns more verbose errors which can result in information leakage. For example, the error message below returns the full path to the requested file. This also provides an attacker with information about the host system.

Software Security Node Error Message Display

Verbose error leaks full path to requested file

If the NODE_ENV variable is set to ‘production’ (or any value other than ‘development’), the Express server no longer returns the verbose message.

Setting NODE_ENV Variable in Node.js Runtime Environment

Setting NODE_ENV variable at runtime

 

Node.js Express Framework Displaying Generic Error Message

Express returns generic error message

Running Node.js with elevated privileges

On Unix systems, non-root users cannot bind to low-numbered ports. This means that Node.js must be run as root to bind to port 80. However, if we sudo to root to start our web server then our application will be running with unnecessary privileges. To remedy this, invoke the process.setgid and process.setuid methods in the callback function after binding to port 80 as shown below.

Exploring NodeJS Vulnerabilities in Software Security Analysis

Using this approach, we can still start the application with root privileges allowing us to bind to low-numbered ports before downgrading to a less-privileged user ID.

Node Security Platform

A common concern with open source technologies is using vulnerable components. The Node Security Platform (now part of npm) maintains a record of Node.js plugins with known security issues.

Identifying Vulnerable NodeJS Dependencies Using 'nsp' Command Line Tool in Software Security

Using 'nsp' command line tool to identify vulnerable Node.js dependencies

Series summary

The vulnerabilities covered during this series are not an exhaustive list. They exhibit some of the more common vulnerabilities encountered when using these technologies, especially with default configurations. Hopefully this information can be used to assist developers in creating more secure applications as well as help security testers identify bugs and flaws within existing applications.

Address your unique security needs

Continue Reading

Understanding Python pickling and how to use it securely

Understanding Python pickling and how to use it securely

Ashutosh Agrawal
By Ashutosh Agrawal

Apr 17, 2024 / 3 min read

Tags: Build Security into DevOps, Training
How to detect, prevent, and mitigate buffer overflow attacks

How to detect, prevent, and mitigate buffer overflow attacks

Natalie Lightner
By Natalie Lightner

Mar 31, 2024 / 8 min read

Tags: Software Integrity, Build Security into DevOps, SAST
4 approaches to vulnerability remediation

4 approaches to vulnerability remediation

Natalie Lightner
By Natalie Lightner

Mar 27, 2024 / 4 min read

Tags: SCA, Build Security into DevOps, Training, Manage Security Risks

Explore Topics

Agile, CI/CD
AppSec Best Practices
Automotive
Build Secure Software
Cloud Security
Compliance
Container Security
CyRC
DevSecOps
DAST
Financial Services
Fuzzing
Healthcare
IAST
Internet of Things
M&A
Manage Security Risks
Medical Devices
Mobile
Orchestration & Correlation
OSS License Compliance
Pen Testing
Program Strategy & Planning
Public Sector
SAST
SCA
Software Supply Chain
Security News & Research
Threat Modeling
Threat & Risk Assessment
Training
Web Application Security