Node.js is the drive-and-go language and its popularity is soaring. Five years after its debut, the language’s framework boasts more than 2M downloads a month. Before accelerating too quickly, it is important to understand the power - and corresponding mishaps - of this language. In this talk, we demonstrate new attack techniques against applications built on top of the Node.js language. Attacks include:

-- Application-layer DDoS attacks. Bringing a server to its knees with just 4(!) requests.
-- Password exposure attacks. Leveraging the "Forgot My Password" feature of applications in order to reveal the passwords of all the application's users.
-- Business logic attacks. Running malicious code on all machines of the application's users by exploiting a weak business feature.