"'Hidden Property Abusing' Allows Attacks on Node.js Applications"

A team of researchers from the Georgia Institute of Technology discovered a new method for exploiting Node.js applications. The technique involves the abuse of hidden properties used to track internal program states. A remote attacker can use the technique, called Hidden Property Abusing, to inject new values into Node.js programs by passing objects that the framework, under certain conditions, will consider as internal data. The researchers analyzed a sample of 60 major Node.js components, using a tool they developed dubbed Lynx. The tool helped them identify 13 vulnerabilities, including SQL injection and the ability to circumvent input validation. This article continues to discuss the Hidden Property Abusing attack technique that could be used against Node.js applications, the discovery of vulnerabilities in Node.js components, and the Lynx tool created to help developers identify potential attack vectors in their Node.js programs.

Dark Reading reports "'Hidden Property Abusing' Allows Attacks on Node.js Applications"