Log in
JavaScript Conferences
JSNation 2024JSNation 2024
EN

OWASP Top Ten Security Vulnerabilities in Node.js

Marco Ippolito
Marco Ippolito
Software Developer at NearForm. Node.js security team member.
certificate
Recording and certification are available to Multipass and Full ticket holders only
Please login if you have one.
Get Multipass
Rate this content
Bookmark

In this workshop, we'll cover the top 10 most common vulnerabilities and critical security risks identified by OWASP, which is a trusted authority in Web Application Security.

During the workshop, you will learn how to prevent these vulnerabilities and develop the ability to recognize them in web applications.

The workshop includes 10 code challenges that represent each of the OWASP's most common vulnerabilities. There will be given hints to help solve the vulnerabilities and pass the tests.

The trainer will also provide detailed explanations, slides, and real-life examples in Node.js to help understand the problems better. Additionally, you'll gain insights from a Node.js Maintainer who will share how they manage security within a large project.

It's suitable for Node.js Developers of all skill levels, from beginners to experts, it requires a general knowledge of web application and JavaScript.


Table of contents:

- Broken Access Control

- Cryptographic Failures

- Injection

- Insecure Design

- Security Misconfiguration

- Vulnerable and Outdated Components

- Identification and Authentication Failures

- Software and Data Integrity Failures

- Security Logging and Monitoring Failures

- Server-Side Request Forgery

This workshop has been presented at JSNation 2024, check out the latest edition of this JavaScript Conference.

FAQ

The speaker of the workshop is Marco Ippolito, a senior security engineer at HeroDev and a member of the Node.js Technical Steering Committee.

The main topic of the workshop is security and Node.js, specifically focusing on the OWASP top 10 security vulnerabilities.

OWASP stands for Web Application Security Project. It is a nonprofit foundation that aims to improve the security of software and web applications through community-led open-source projects, documentation, and guidelines.

The OWASP top 10 security vulnerabilities are a list of the most common and impactful security risks for web applications. This list is updated regularly based on consensus and changes in technology and threats.

Participants need Node.js LTS version 20.14.0 or 18, Docker, Docker Compose, and Postman. They also need to clone the project repository and run specific npm commands to set up the environment.

Broken access control is a security vulnerability where a user is able to access data that does not belong to them. This often occurs due to improper implementation of user permissions and authentication mechanisms.

Cryptographic failure refers to the use of weak or broken cryptographic algorithms, or improper implementation of cryptographic processes, which can lead to sensitive data being exposed or compromised.

SQL injection is a type of security vulnerability where an attacker can execute arbitrary SQL code on a database by injecting malicious SQL queries via user input. This can lead to unauthorized access, data manipulation, and data breaches.

Multifactor authentication is important because it adds an additional layer of security beyond just a password. It helps ensure that even if a password is compromised, unauthorized access can still be prevented.

To prevent security misconfiguration, ensure proper configuration of servers, APIs, and applications, use automated deployment tools, regularly review and update security settings, and avoid using default credentials and settings.

node.jssecurity
Marco Ippolito
Marco Ippolito
97 min
19 Jun, 2024

Comments

Sign in or register to post your comment.

Video Summary and Transcription

The workshop covers the OWASP top 10 security vulnerabilities and provides practical exercises to fix them using Node.js and Fastify. Topics include access control, data encryption, password security, injection attacks, insecure design, preventing overbooking, rate limiting, security misconfiguration, cookies configuration, dependency management, identification and authentication failures, software and data integrity, deserialization vulnerability, and logging. Multifactor authentication and preventing server-side request forgery are also discussed. The importance of updating dependencies and following best practices to prevent vulnerabilities is emphasized.
Available in Español: Principales Diez Vulnerabilidades de Seguridad OWASP en Node.js
Video transcription and chapters available for users with access.
Available in other languages:

Watch more workshops on topic

Node.js Masterclass
Node Congress 2023Node Congress 2023
109 min
Node.js Masterclass
Top Content
Workshop
Matteo Collina
Matteo Collina
Have you ever struggled with designing and structuring your Node.js applications? Building applications that are well organised, testable and extendable is not always easy. It can often turn out to be a lot more complicated than you expect it to be. In this live event Matteo will show you how he builds Node.js applications from scratch. You’ll learn how he approaches application design, and the philosophies that he applies to create modular, maintainable and effective applications.

Level: intermediate
node.js
Build and Deploy a Backend With Fastify & Platformatic
JSNation 2023JSNation 2023
104 min
Build and Deploy a Backend With Fastify & Platformatic
WorkshopFree
Matteo Collina
Matteo Collina
Platformatic allows you to rapidly develop GraphQL and REST APIs with minimal effort. The best part is that it also allows you to unleash the full potential of Node.js and Fastify whenever you need to. You can fully customise a Platformatic application by writing your own additional features and plugins. In the workshop, we’ll cover both our Open Source modules and our Cloud offering:- Platformatic OSS (open-source software) — Tools and libraries for rapidly building robust applications with Node.js (https://oss.platformatic.dev/).- Platformatic Cloud (currently in beta) — Our hosting platform that includes features such as preview apps, built-in metrics and integration with your Git flow (https://platformatic.dev/). 
In this workshop you'll learn how to develop APIs with Fastify and deploy them to the Platformatic Cloud.
node.jscloudgraphqlfastify
0 to Auth in an hour with ReactJS
React Summit 2023React Summit 2023
56 min
0 to Auth in an hour with ReactJS
WorkshopFree
Kevin Gao
Kevin Gao
Passwordless authentication may seem complex, but it is simple to add it to any app using the right tool. There are multiple alternatives that are much better than passwords to identify and authenticate your users - including SSO, SAML, OAuth, Magic Links, One-Time Passwords, and Authenticator Apps.
While addressing security aspects and avoiding common pitfalls, we will enhance a full-stack JS application (Node.js backend + React frontend) to authenticate users with OAuth (social login) and One Time Passwords (email), including:- User authentication - Managing user interactions, returning session / refresh JWTs- Session management and validation - Storing the session securely for subsequent client requests, validating / refreshing sessions- Basic Authorization - extracting and validating claims from the session token JWT and handling authorization in backend flows
At the end of the workshop, we will also touch other approaches of authentication implementation with Descope - using frontend or backend SDKs.
reactweb developmentsecurityauthentication
Building a Hyper Fast Web Server with Deno
JSNation Live 2021JSNation Live 2021
156 min
Building a Hyper Fast Web Server with Deno
WorkshopFree
Matt Landers
Will Johnston
2 authors
Deno 1.9 introduced a new web server API that takes advantage of Hyper, a fast and correct HTTP implementation for Rust. Using this API instead of the std/http implementation increases performance and provides support for HTTP2. In this workshop, learn how to create a web server utilizing Hyper under the hood and boost the performance for your web apps.
node.jsdenobackend
0 to Auth in an Hour Using NodeJS SDK
Node Congress 2023Node Congress 2023
63 min
0 to Auth in an Hour Using NodeJS SDK
WorkshopFree
Asaf Shen
Asaf Shen
Passwordless authentication may seem complex, but it is simple to add it to any app using the right tool.
We will enhance a full-stack JS application (Node.JS backend + React frontend) to authenticate users with OAuth (social login) and One Time Passwords (email), including:- User authentication - Managing user interactions, returning session / refresh JWTs- Session management and validation - Storing the session for subsequent client requests, validating / refreshing sessions
At the end of the workshop, we will also touch on another approach to code authentication using frontend Descope Flows (drag-and-drop workflows), while keeping only session validation in the backend. With this, we will also show how easy it is to enable biometrics and other passwordless authentication methods.
Table of contents- A quick intro to core authentication concepts- Coding- Why passwordless matters
Prerequisites- IDE for your choice- Node 18 or higher
javascriptnode.jsauthentication
GraphQL - From Zero to Hero in 3 hours
React Summit 2022React Summit 2022
164 min
GraphQL - From Zero to Hero in 3 hours
Workshop
Pawel Sawicki
Pawel Sawicki
How to build a fullstack GraphQL application (Postgres + NestJs + React) in the shortest time possible.
All beginnings are hard. Even harder than choosing the technology is often developing a suitable architecture. Especially when it comes to GraphQL.
In this workshop, you will get a variety of best practices that you would normally have to work through over a number of projects - all in just three hours.
If you've always wanted to participate in a hackathon to get something up and running in the shortest amount of time - then take an active part in this workshop, and participate in the thought processes of the trainer.
node.jsweb developmentgraphqlbeginner friendly

Check out more articles and videos

We constantly think of articles and videos that might spark Git people interest / skill us up or help building a stellar career

It's a Jungle Out There: What's Really Going on Inside Your Node_Modules Folder
Node Congress 2022Node Congress 2022
26 min
It's a Jungle Out There: What's Really Going on Inside Your Node_Modules Folder
Top Content
Feross Aboukhadijeh
Feross Aboukhadijeh
Feross is the author and maintainer of WebTorrent, StandardJS, and 100s of other open source projects
The talk discusses the importance of supply chain security in the open source ecosystem, highlighting the risks of relying on open source code without proper code review. It explores the trend of supply chain attacks and the need for a new approach to detect and block malicious dependencies. The talk also introduces Socket, a tool that assesses the security of packages and provides automation and analysis to protect against malware and supply chain attacks. It emphasizes the need to prioritize security in software development and offers insights into potential solutions such as realms and Deno's command line flags.
node.jssecurity
Towards a Standard Library for JavaScript Runtimes
Node Congress 2022Node Congress 2022
34 min
Towards a Standard Library for JavaScript Runtimes
Top Content
James Snell
James Snell
Workers team @Cloudflare
There is a need for a standard library of APIs for JavaScript runtimes, as there are currently multiple ways to perform fundamental tasks like base64 encoding. JavaScript runtimes have historically lacked a standard library, causing friction and difficulty for developers. The idea of a small core has both benefits and drawbacks, with some runtimes abusing it to limit innovation. There is a misalignment between Node and web browsers in terms of functionality and API standards. The proposal is to involve browser developers in conversations about API standardization and to create a common standard library for JavaScript runtimes.
javascriptcomponent librarynode.js
ESM Loaders: Enhancing Module Loading in Node.js
JSNation 2023JSNation 2023
22 min
ESM Loaders: Enhancing Module Loading in Node.js
Gil Tayar
Gil Tayar
Microsoft, Israel
ESM Loaders enhance module loading in Node.js by resolving URLs and reading files from the disk. Module loaders can override modules and change how they are found. Enhancing the loading phase involves loading directly from HTTP and loading TypeScript code without building it. The loader in the module URL handles URL resolution and uses fetch to fetch the source code. Loaders can be chained together to load from different sources, transform source code, and resolve URLs differently. The future of module loading enhancements is promising and simple to use.
node.js
Out of the Box Node.js Diagnostics
Node Congress 2022Node Congress 2022
34 min
Out of the Box Node.js Diagnostics
Colin Ihrig
Colin Ihrig
Member of the Node.js Technical Steering Committee
This talk covers various techniques for getting diagnostics information out of Node.js, including debugging with environment variables, handling warnings and deprecations, tracing uncaught exceptions and process exit, using the v8 inspector and dev tools, and generating diagnostic reports. The speaker also mentions areas for improvement in Node.js diagnostics and provides resources for learning and contributing. Additionally, the responsibilities of the Technical Steering Committee in the TS community are discussed.
node.js
The State of Passwordless Auth on the Web
JSNation 2023JSNation 2023
30 min
The State of Passwordless Auth on the Web
Phil Nash
Phil Nash
DataStax
Passwords are terrible and easily hacked, with most people not using password managers. The credential management API and autocomplete attribute can improve user experience and security. Two-factor authentication enhances security but regresses user experience. Passkeys offer a seamless and secure login experience, but browser support may be limited. Recommendations include detecting Passkey support and offering fallbacks to passwords and two-factor authentication.
securityauthentication
Node.js Compatibility in Deno
Node Congress 2022Node Congress 2022
34 min
Node.js Compatibility in Deno
Bartek Iwanczuk
Bartek Iwanczuk
Deno core team member
Deno aims to provide Node.js compatibility to make migration smoother and easier. While Deno can run apps and libraries offered for Node.js, not all are supported yet. There are trade-offs to consider, such as incompatible APIs and a less ideal developer experience. Deno is working on improving compatibility and the transition process. Efforts include porting Node.js modules, exploring a superset approach, and transparent package installation from npm.
node.jsdenojs runtimes