
Thursday, 03 December 2015 13:04

Is your site affected by the bugs in Node.js?

Posted By  Or Wilder

Node.js versions v0.12.x through v5.x inclusive have a set of bugs that allow an external attacker to mount a denial-of-service attack. Is your site protected or vulnerable?

For those worried about the Node.js Foundation announcement that there are bugs within its JavaScript software, we have asked Imperva Security Researcher Or Wilder for a quick guide on what to do to stop your site succumbing to a denial-of-service attack.

According to Node.js, the issues affect versions from 0.12.x up to and including 5.x.
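The first thing to establish is which Node.js line your servers actually run. The following is an added example, not code from the article or from the Node.js project: it parses a Node.js version string and reports whether it falls inside the range stated above, v0.12.x through v5.x inclusive. The article does not list the patched point releases within those lines, so the check is deliberately conservative and treats the whole range as affected; the function names and the hard-coded bounds are this example's own.

```javascript
// Added example (not from the article): flag Node.js versions that fall in
// the range the article names, v0.12.x through v5.x inclusive. No patched
// point releases are given on the page, so the whole range is reported as
// affected. Function names and bounds below are this example's assumptions.

function parseVersion(v) {
  // Accept "v5.1.0", "5.1.0", "0.12.9", with any prerelease/build suffix ignored.
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised Node.js version: ${v}`);
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]) };
}

function compareVersions(a, b) {
  // Numeric, component-wise comparison: -1, 0 or 1.
  for (const k of ['major', 'minor', 'patch']) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  return 0;
}

// Affected range as stated on the page: lower bound inclusive (0.12.0),
// upper bound exclusive (6.0.0), i.e. every 0.12.x, 1.x .. 5.x release.
const AFFECTED_FROM = parseVersion('0.12.0');
const AFFECTED_BEFORE = parseVersion('6.0.0');

function isAffectedVersion(v) {
  const p = parseVersion(v);
  return compareVersions(p, AFFECTED_FROM) >= 0 &&
         compareVersions(p, AFFECTED_BEFORE) < 0;
}

function report(v) {
  return `${v}: ${isAffectedVersion(v) ? 'in the affected range' : 'outside the affected range'}`;
}

// Run against the interpreter executing this script, e.g. `node check-version.js`.
console.log(report(process.version));
```

Run it once on each host with `node check-version.js`; a version such as v0.10.x reports as outside the range, while anything from 0.12.0 up to 5.x is flagged so that you can then compare it against the fixed releases in the Node.js advisory.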

What is Node.js?

Node.js is very popular among new startups and companies that choose to use a "full stack" based web environment. It allows companies to accelerate web application development.

Node is becoming more popular in large-scale organisations; its usage increased by 240% in the last year. However, according to recent market surveys, its distribution is still on the low side compared to other web frameworks. It is currently in use by companies like PayPal, LinkedIn, HP etc.

How likely are hackers to use this flaw?

We've witnessed attackers leveraging all kinds of DoS vulnerabilities to attack web-based infrastructures; attackers tend to adjust their methods to the attacked platform. We're likely to start seeing DoS attack attempts right after a vulnerability is publicly disclosed. Due to the high popularity of Node.js, it will probably be incorporated into DoS attack tools.

Aside from patching, what steps can organisations take to protect themselves?

It is always good practice to have a WAF/L7 DDoS solution in place. Organisations must take measures to have an always-on solution and enjoy the benefits of virtual patching of their web applications by their security providers.

How bad could an attack be against a company's infrastructure?

The vulnerability is an application-level vulnerability; thus, infrastructures are not directly affected by it. However, attackers may use it to take down servers with other services on them. Organisations with web-facing applications that are heavily based on Node.js would be vulnerable to this kind of attack. An attacker on a single machine would be able to completely take down those services.

Although there is no publicly disclosed information regarding the vulnerability, our past experience shows that a vulnerable web service could be used to corrupt the entire service or other relying services.
