This course is designed to address the needs of both Web Developers and Web Pentesters. A Web Developer will learn about secure coding, which constructs make Node.js code insecure, and how to identify security issues in their own code. A Web Security engineer will learn how to secure a Node.js application by performing effective code review, implementing secure code, pentesting, automating the code review process and finally exploiting the vulnerabilities identified.
As a takeaway, this course introduces an open source Node.js security analysis tool named NodeJsScan, a static analysis tool that can detect possible security issues, insecure code and outdated libraries. The tool can be extended through its customisable rule set: you can add your own rules on the go to catch additional security issues.
Finally, this course is one of its kind, with hands-on demonstrations and walkthroughs on identifying security issues, exploiting them and fixing them.
The course will cover the following things:
• Node Specific Security Issues
• Global Namespace Pollution
• HTTP Parameter Pollution (HPP)
• eval() is Evil
• Remote OS Command Execution
• Untrusted User Input
• Regex DoS
• Information Disclosure
• Lack of Secure Code
• Code Review
• Automated Code Review with NodeJsScan
This lecture will give a walkthrough of the course.
This lecture covers Global Namespace Pollution issues in Node.js.
This lecture covers HTTP Parameter Pollution (HPP) in Node.js, where duplicated query or body parameters are parsed into arrays and break code that expects a single string.
This lecture covers the issues of passing untrusted user input to eval(), giving rise to issues like Remote Code Execution.
This lecture covers Remote OS Command Execution issues in Node.js.
This lecture talks about attacks like XSS and Directory Traversal that can occur due to untrusted user input.
This lecture covers Regular Expression Denial of Service (ReDoS) attacks caused by poorly written regexes in Node.js.
This lecture covers how information disclosure occurs in Node.js.
This lecture covers the various secure code components that harden your Node.js application.
This lecture talks about how to perform an effective code review of a Node.js application.
This lecture introduces NodeJsScan, an automated Node.js static code analyzer developed by the author to perform code review on Node.js applications.
This lecture concludes the Node.js Security: Pentesting and Exploitation course.
Ajin Abraham is an Application Security Engineer by profession with 5+ years of experience in Application Security, including 2 years of Security Research. He is passionate about developing new and unique security tools rather than depending on pre-existing tools that do not work. Some of his contributions to the hacker's arsenal include OWASP Xenotix XSS Exploit Framework, Mobile Security Framework (MobSF), Xenotix xBOT, MalBoxie, Firefox Add-on Exploit Suite, Static DOM XSS Scanner and NodeJsScan, to name a few.
He has been invited to speak at multiple security conferences including ClubHack, NULLCON, OWASP AppSec AsiaPac, BlackHat Europe, Hackmiami, Confidence, BlackHat US, BlackHat Asia, ToorCon, Ground Zero Summit, Hack In the Box and c0c0n.