Node.js Security: Pentesting and Exploitation
2.6 (15 ratings)
Instead of using a simple lifetime average, Udemy calculates a course's star rating by considering a number of different factors such as the number of ratings, the age of ratings, and the likelihood of fraudulent ratings.
150 students enrolled
Wishlisted Wishlist

Please confirm that you want to add Node.js Security: Pentesting and Exploitation to your Wishlist.

Add to Wishlist

Node.js Security: Pentesting and Exploitation

Learn about Node.js Security by Code Review, Pentesting and Automation.
2.6 (15 ratings)
Instead of using a simple lifetime average, Udemy calculates a course's star rating by considering a number of different factors such as the number of ratings, the age of ratings, and the likelihood of fraudulent ratings.
150 students enrolled
Created by Ajin Abraham
Last updated 4/2016
English
Current price: $10 Original price: $65 Discount: 85% off
5 hours left at this price!
30-Day Money-Back Guarantee
Includes:
  • 1 hour on-demand video
  • 1 Supplemental Resource
  • Full lifetime access
  • Access on mobile and TV
  • Certificate of Completion
What Will I Learn?
  • Learn how to do the Security Certification of Node.js Application
  • Learn how to build a secure Node.js Application
  • Learn how things can go wrong in Node.js
  • Learn to find security issues in Node.js Applications
  • Learn how to exploit the issues for PoC
View Curriculum
Requirements
  • Fundamentals of Web Applications
  • How to write and run a simple Node.js application
Description

Node.js® is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. This new technology is widely getting adopted in various organisations. Like any platform, Node.js has it's on set of features that developers blindly use without much thought on security. The heart of Node is JavaScript, so it inherits most of the issues that are found at client side JavaScript. However on the server side, it executes on V8 JavaScript engine which gives node the capabilities similar to that of any other server side scripting languages. That difference adds some unique attack surface to Node.js platform. Node.js Security: Pentesting & Exploitation course is one it's kind to teach about Node.js Security.

This course is designed in such a way to address both the requirements of a Web Developer as well as a Web Pentester. For a Web Developer, he will get to know about secure coding, what all things can make his code insecure and how to identify security issues in his code. For the Web Security guy, it gives him an idea on how he should go with securing Node.js Application by performing effective Code Review, Implementing Secure Code, Pentesting, Automating the process of Code Review and finally exploiting the vulnerabilities identified.

As a take away, this course will introduce an open source Node.js Security Analysis tool named NodeJsScan, a Node.js Static Analysis Tool that can detect possible security issues, insecure code and outdated libraries. This tool allows you to extend the scan using it's customisable rule set. You can add your own rules on the go to catch security issues.

Finally this course is one of it's kind with hands on demonstration and walkthrough on identifying security issues, exploiting and fixing them.

The course will cover the following thing

Introduction

Node Specific Security Issues

• Global Namespace Pollution

• HTTP Parameter Pollution (HPP)

• eval() is Evil

• Remote OS Command Execution

• Untrusted User Input

• Regex DoS

Information Disclosure

Lack of Secure Code

Code Review

Automated Code Review with NodeJsScan



Who is the target audience?
  • Web Developers
  • Web Application Pentesters
  • Security Engineers
  • Web Application Security Consultants
  • Web Security Enthusiasts
  • Hackers
  • Students
  • Web Application Designers
Students Who Viewed This Course Also Viewed
Curriculum For This Course
14 Lectures
01:08:31
+
Introduction
2 Lectures 03:35

This lecture will give a walkthrough of the course.

Preview 01:37

This lecture will give you a quick introduction to Node.js

Preview 01:58
+
Node.js Security Issues
6 Lectures 31:07

This lecture covers Global Namespace Pollution issue in Node.js

Preview 04:45

This lecture covers HTTP Parameter Pollution in Node.js

Preview 04:51

This lecture covers the issues of untrusted user input in eval(), giving rise to issues like Remote Code Execution.

Remote Code Execution with eval()
06:00

This lecture covers Remote OS Command Execution issues in Node.js

Remote OS Command Execution
04:11

This lecture talks about the Attacks like XSS, and Directory Traversal that can occur due to Untrusted User Input.

Attacks due to Untrusted user input
07:20

This lecture covers DoS attacks on Bad Regex in Node.js

Regex DoS
04:00
+
Information Disclosure
1 Lecture 03:20

This lecture covers how information disclosure occurs in Node.js

Information Disclosure in Node.js Web Applications
03:20
+
Secure Coding
1 Lecture 01:52

This lecture covers the various secure code components that hardens your Node.js Application.

Lack of Secure Code in Node.js
01:52
+
Code Review
1 Lecture 03:22

This lecture talks about how to perform effective code review of Node.js Application.

How to do Code Review of a Node.js Application
03:22
+
Automated Code Review
1 Lecture 06:20

This lecture introduces NodeJsScan, an automated Node.js Static Code Analyzer developed by the author to perform code Review on Node.js Application.

Automated Code Review of Node.js Application with NodeJsScan
06:20
+
Conclusion
2 Lectures 00:55

This lecture concludes the Node.js Security: Pentesting and Exploitation course.

Conclusion
00:55

Presentation PDF
18 pages
About the Instructor
Ajin Abraham
3.6 Average rating
103 Reviews
1,097 Students
4 Courses
Security Researcher

Ajin Abraham is an Application Security Engineer by profession having 5+ years of experience in Application Security including 2 years of Security Research. He is passionate on developing new and unique security tools than depending on pre existing tools that never work. Some of his contributions to Hacker's arsenal include OWASP Xenotix XSS Exploit Framework, Mobile Security Framework (MobSF), Xenotix xBOT, MalBoxie, Firefox Add-on Exploit Suite, Static DOM XSS Scanner, NodeJsScan etc to name a few.

He has been invited to speak at multiple security conferences including ClubHack, NULLCON, OWASP AppSec AsiaPac, BlackHat Europe, Hackmiami, Confidence, BlackHat US, BlackHat Asia, ToorCon, Ground Zero Summit, Hack In the Box and c0c0n.