Collaborate Disseminate
I wonder is these npm packages are secure enough to be used commerical projects?
it shows lots of security issues and npm audit fix sometimes dont fix them
Continue reading Is express.js and express-session is secure?
How can you do a CRSF attack on express if it only accepts JSON?
Sample Node app:
const express = require(‘express’);
const app = express();
app.use(express.json());
app.post(‘/item’, (req, res, next) => {
console.log(‘posting i… Continue reading CSRF attack when form data isn’t parsed
I have generated a public and private key pair with ECDH from NodeJS
function _genPrivateKey(curveName = "secp384r1", encoding = "hex") {
const private_0 = crypto.createECDH(curveName);
private_0.generateKeys();… Continue reading ECDH for P-521 (Web Crypto Api) / secp521r1 (NodeJS Crypto) generate a slightly different shared secret
I am working as an intern for an online coding platform startup (similar to LeetCode or HackerRank).
The backend is written in Nodejs. Instead of running the code in a sandbox of some sort, the lead dev decided to execute the submitted cod… Continue reading Spawning child processes from root using runuser command
Hamsters are great pets, especially for those with limited space or other resources. They are fun playful animals that are fairly easy to keep, and are entertaining to boot. [Kim]’s …read more Continue reading Hamster Goes on Virtual Journey
I’m bit confused about this security flaw. I’m in real need of help in this 🙂
My express code (not using any sessions, just cookie-parser)
app.get("/signin", (req, res) => {
if(!req.query.token) return res.status(403… Continue reading httpOnly Cookie Security Flaw
package.json file
{
"dependencies": {
"express": "^4.17.1",
"express-graphql": "^0.12.0",
"graphql": "^15.5.0",
"pg": "^8.5.1"
}
… Continue reading is it possible to do sql injection in nodejs with postgres databse when I use "text" and "values"?
Dynatrace announced enhancements to its Application Security Module, which the company released in December 2020. These include extending Dynatrace’s AI-powered risk assessment for applications running on Node.js, the runtime environment underpinning t… Continue reading Dynatrace extends its AI-powered risk assessment for applications running on Node.js
I’ve analyzed an app where I’ve found different vulnerabilities.
I could upload/overwrite, delete and download anything. All critical vulns, but I didn’t know how I could get rce without making damages. I thought that I could replace the e… Continue reading RCE on a server running nodejs
Does the npm package manager cryptographically validate its payload’s authentication and integrity for all packages after downloading them and before installing them?
I see a lot of guides providing installation instructions with steps ask… Continue reading Does npm (Node.js package manager) provide cryptographic authentication and integrity validation?