The Node.js Highway: Attacks Are At Full Throttle

Presented at BSides Austin 2016, March 31, 2016, 2:30 p.m. (60 minutes)

Node.js is the drive-and-go runtime and its popularity is soaring. Five years after its debut, the runtime boasts more than 2M downloads a month. Before accelerating too quickly, it is important to understand the power, and the corresponding mishaps, of this platform. In this talk, we demonstrate new attack techniques against applications built on top of Node.js. Attacks include:

  • Application-layer DDoS attacks: bringing a server to its knees with just 4(!) requests.
  • Password exposure attacks: leveraging the "Forgot My Password" feature of applications in order to reveal the passwords of all the application's users.
  • Business logic attacks: running malicious code on the machines of all of the application's users by exploiting a weak business feature.
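The abstract does not say which request brings the server down, so the following is an added illustration of the general class, not the talk's technique and not code from the presenters or Checkmarx. It shows the Node.js property that makes application-layer DoS so cheap: JavaScript runs on a single thread, so a synchronous, CPU-bound operation inside a request handler stalls the event loop and every other request on that process waits until it finishes. The CPU-bound operation used here is a regular expression with a nested quantifier (a ReDoS pattern), chosen as one well-known example; the validator pattern, the payload and the timings are all constructed for the example. With one worker process per core, one such request per worker is enough to stall the whole server.

```javascript
// Added example: exponential-backtracking regex as a CPU-bound request in Node.js.
// Hypothetical input validator with a nested quantifier. On a run of 'a's followed
// by a character that makes the overall match fail, the backtracking engine tries
// every way of splitting the 'a's between the inner and outer '+', which is
// exponential in the input length. Because the match is synchronous, the event
// loop (and so every other request on this process) is blocked while it runs.
const VULNERABLE_RE = /^(a+)+$/;

// Equivalent validator without overlapping quantifiers: linear in the input length.
const SAFE_RE = /^a+$/;

function matchesVulnerable(input) {
  return VULNERABLE_RE.test(input);
}

function matchesSafe(input) {
  return SAFE_RE.test(input);
}

// Run fn(input) once and return its result together with the wall-clock cost in ms.
function timed(fn, input) {
  const start = process.hrtime.bigint();
  const result = fn(input);
  const ms = Number(process.hrtime.bigint() - start) / 1e6;
  return { result, ms };
}

// Constructed attacker payload: n repetitions of 'a' plus one trailing character
// that guarantees the match fails, so the backtracking runs to completion.
function payload(n) {
  return 'a'.repeat(n) + '!';
}

// Compare both validators on the same payload. Both correctly reject it; the
// difference is the CPU time burned on the event loop thread, roughly 2^n for
// the vulnerable pattern versus a few microseconds for the safe one.
function compare(n) {
  const slow = timed(matchesVulnerable, payload(n));
  const fast = timed(matchesSafe, payload(n));
  return {
    n,
    vulnerableResult: slow.result,
    safeResult: fast.result,
    vulnerableMs: slow.ms,
    safeMs: fast.ms,
  };
}

// Demo: each step of +4 in n multiplies the vulnerable pattern's cost by about 16.
for (const n of [14, 18, 22]) {
  const r = compare(n);
  console.log(
    `n=${r.n}: vulnerable ${r.vulnerableMs.toFixed(1)} ms, safe ${r.safeMs.toFixed(3)} ms`
  );
}
```

The fix is not to make the handler asynchronous (a `Promise` wrapping a synchronous regex still runs on the event loop thread) but to remove the ambiguity from the pattern, bound input length before matching, or move genuinely CPU-bound work off the event loop into a worker thread or separate process.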

Presenters:

  • Joshua S. Clark
    Joshua S. Clark, CISSP, Solutions Architect at Checkmarx. Joshua has over 10 years of experience in information security and application development across industries such as high-tech, banking, healthcare, insurance, telecom, utilities, and government. Prior to joining Checkmarx, Joshua worked at IBM Security as a worldwide application security expert, providing strategic application security solutions and leading numerous trainings on the subject. He has also presented at industry conferences such as IBM InterConnect and community events such as Day of Dot.NET. Joshua received his B.S.B.A. in Management Information Systems from the University of North Carolina at Charlotte and holds a CISSP certification from (ISC)2.
