According to SC Magazine, the Node.js Foundation has revealed a couple of bugs within its JavaScript software that could lead to major denial of service attacks against websites using the code. The issues affect versions of Node.js from version 0.12 up to version 5.
Or Wilder, Security Researcher at Imperva:
What is Node.JS?
“Node.js is very popular among new startups and companies that chose to use a “FullStack” based web-environment. It allows companies to accelerate web applications development.
Node is becoming more popular in large-scale organisations; its usage increased by 240% in the last year. However, according to recent market surveys, its distribution is still on the low side compared to other web-frameworks. It is currently in use by companies like PayPal, LinkedIn, HP etc.”
How likely are hackers to use this flaw?
“We’ve witnessed attackers leveraging all kinds of DoS vulnerabilities to attack web-based infrastructures; attackers tend to adjust their methods to the attacked platform. We’re likely to start seeing DoS attack attempts right after a vulnerability is publicly disclosed. Due to the high popularity of Node.JS, it will probably be incorporated into DoS attack tools.”
Aside from patching, what steps can organisations take to protect themselves?
“It is always a good practice to have a WAF/L7 DDoS solution in place. Organisations must take measures to have an always-on solution and enjoy the benefits of virtual patching of their web-applications by their security providers.”
How bad could an attack be against a company’s infrastructure?
“The vulnerability is an application-level vulnerability; thus, infrastructures are not directly affected by it. However, attackers may use it to take down servers with other services on them. Organisations with web-facing applications that are heavily based on Node.JS would be vulnerable to this kind of attack. An attacker on a single machine would be able to completely take down those services.
Although there is no publicly disclosed information regarding the vulnerability, our past experience shows that a vulnerable web service could be used to corrupt the entire service or other relying services.”
About Imperva®
Imperva® (NYSE:IMPV) is a leading provider of cyber security solutions that protect business-critical data and applications. The company’s SecureSphere, Incapsula and Skyfence product lines enable organizations to discover assets and risks, protect information wherever it lives, in the cloud and on-premises, and comply with regulations. The Imperva Application Defense Center, a research team comprised of some of the world’s leading experts in data and application security, continually enhances Imperva products with up-to-the-minute threat intelligence, and publishes reports that provide insight and guidance on the latest threats and how to mitigate them. Imperva is headquartered in Redwood Shores, California.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.