Node.js Security: Pentesting and Exploitation

Learn about Node.js Security by Code Review, Pentesting and Automation.
3.1 (11 ratings)
124 students enrolled
  • Lectures 14
  • Length 1 hour
  • Skill Level All Levels
  • Languages English
  • Includes Lifetime access
    30 day money back guarantee!
    Available on iOS and Android
    Certificate of Completion
About This Course

Published 3/2015 English

Course Description

Node.js® is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. This new technology is being widely adopted in various organisations. Like any platform, Node.js has its own set of features that developers use blindly without much thought for security. The heart of Node is JavaScript, so it inherits most of the issues found in client-side JavaScript. On the server side, however, it executes on the V8 JavaScript engine, which gives Node capabilities similar to those of any other server-side scripting language. That difference adds some unique attack surface to the Node.js platform. The Node.js Security: Pentesting & Exploitation course is one of its kind in teaching Node.js security.

This course is designed to address the requirements of both a web developer and a web pentester. A web developer will learn about secure coding, what can make their code insecure, and how to identify security issues in it. A web security professional will learn how to go about securing a Node.js application by performing effective code review, implementing secure code, pentesting, automating the code review process, and finally exploiting the vulnerabilities identified.

As a takeaway, this course introduces an open source Node.js security analysis tool named NodeJsScan, a Node.js static analysis tool that can detect possible security issues, insecure code and outdated libraries. The tool lets you extend the scan with its customisable rule set: you can add your own rules on the go to catch security issues.

Finally, this course is one of its kind, with hands-on demonstrations and walkthroughs on identifying security issues, exploiting them and fixing them.

The course will cover the following topics:

  • Introduction
  • Node Specific Security Issues
      • Global Namespace Pollution
      • HTTP Parameter Pollution (HPP)
      • eval() is Evil
      • Remote OS Command Execution
      • Untrusted User Input
      • Regex DoS
  • Information Disclosure
  • Lack of Secure Code
  • Code Review
  • Automated Code Review with NodeJsScan

What are the requirements?

  • Fundamentals of Web Applications
  • How to write and run a simple Node.js application

What am I going to get from this course?

  • Learn how to do the security certification of a Node.js application
  • Learn how to build a secure Node.js application
  • Learn how things can go wrong in Node.js
  • Learn to find security issues in Node.js applications
  • Learn how to exploit the issues for a proof of concept (PoC)

What is the target audience?

  • Web Developers
  • Web Application Pentesters
  • Security Engineers
  • Web Application Security Consultants
  • Web Security Enthusiasts
  • Hackers
  • Students
  • Web Application Designers

Curriculum

Section 1: Introduction
01:37

This lecture will give a walkthrough of the course.

01:58

This lecture will give you a quick introduction to Node.js

Section 2: Node.js Security Issues
04:45

This lecture covers the Global Namespace Pollution issue in Node.js.

04:51

This lecture covers HTTP Parameter Pollution (HPP) in Node.js.

06:00

This lecture covers the issues of untrusted user input in eval(), giving rise to issues like Remote Code Execution.

04:11

This lecture covers Remote OS Command Execution issues in Node.js.

07:20

This lecture talks about attacks like XSS and Directory Traversal that can occur due to untrusted user input.

04:00

This lecture covers DoS attacks (Regex DoS) caused by bad regular expressions in Node.js.

Section 3: Information Disclosure
03:20

This lecture covers how information disclosure occurs in Node.js.

Section 4: Secure Coding
01:52

This lecture covers the various secure code components that harden your Node.js application.

Section 5: Code Review
03:22

This lecture talks about how to perform an effective code review of a Node.js application.

Section 6: Automated Code Review
06:20

This lecture introduces NodeJsScan, an automated Node.js static code analyzer developed by the author to perform code review on Node.js applications.

Section 7: Conclusion
00:55

This lecture concludes the Node.js Security: Pentesting and Exploitation course.

Presentation PDF
18 pages

Instructor Biography

Ajin Abraham, Security Researcher

Ajin Abraham is an Application Security Engineer by profession with 5+ years of experience in application security, including 2 years of security research. He is passionate about developing new and unique security tools rather than depending on pre-existing tools that never work. Some of his contributions to the hacker's arsenal include OWASP Xenotix XSS Exploit Framework, Mobile Security Framework (MobSF), Xenotix xBOT, MalBoxie, Firefox Add-on Exploit Suite, Static DOM XSS Scanner and NodeJsScan, to name a few.

He has been invited to speak at multiple security conferences including ClubHack, NULLCON, OWASP AppSec AsiaPac, BlackHat Europe, Hackmiami, Confidence, BlackHat US, BlackHat Asia, ToorCon, Ground Zero Summit, Hack In the Box and c0c0n.
