1

For my understanding, I want to know if, since NodeJS is based on JavaScript, there is a possibility the end user can hack the code in a way that causes a security vulnerability.

What I mean is, since NodeJS is JavaScript, and JavaScript usually runs in the browser, is there a possibility that the end user who is accessing the application can look into the business logic of the application?

In particular do any of JavaScript's known security vulnerabilities or precautions in browser based coding extend to server side programming? Or are there any other specific vulnerabilities peculiar to NodeJS that are not found in other server side languages?

user2845946
RONE
  • It depends on what "hack the code" means to you, could you explain a little further? – aurbano Apr 02 '14 at 10:21
  • @Sari It was originally closed as 'unclear what you're asking'. Since the re-open votes had that as their reason to re-open, it's entirely possible to garner re-open votes for the wrong reason. The question's current issue is not "unclear what you're asking"; rather it's fundamentally too broad (1/2). – George Stocker Apr 03 '14 at 17:08
  • "Are there any specific vulnerabilities peculiar to NodeJS that are not found in other serverside languages?" This asks that we compile a list of vulnerabilities, specifically those that are found in NodeJS and not in other languages, and then do work to determine which vulnerabilities are peculiar to NodeJS. That's issue #1 for broadness; Issue #2: "Is there a possibility the end user can hack the code in a way that causes a security vulnerability?" I'm sure there are lots of ways, otherwise there wouldn't be a list of known issues. (2/2) – George Stocker Apr 03 '14 at 17:13
  • P.S.: Really, this question is too broad; but the best possible answer for these questions would simply be a link to the known issues / security vulnerability list. Is that really what we're for? – George Stocker Apr 03 '14 at 17:13
  • Don't know why this question has been closed? It requires more attention I guess – TAHA SULTAN TEMURI Jul 03 '20 at 10:13

1 Answer

4

Your JavaScript code running on Node.js is as safe as other server side technologies, as this code cannot actually be accessed by the user directly.

But lack of knowledge or errors by the person writing the code can result in security vulnerabilities in any language / platform.

Ramesh
  • @Sari - Can you please elaborate? Node JS is a server side technology which uses the JavaScript language and is the same as PHP / ASP.NET – Ramesh Apr 02 '14 at 11:29
  • @Sari `eval` is evil and it has nothing to do with `node.js` in particular. Using `eval` in production could be extremely dangerous regardless of the technology you're using. – Leonid Beschastny Apr 02 '14 at 12:35
  • @Sari It sounds like you have valuable input on the question. IMHO it would better serve the community to upvote the question, vote to reopen, and add an actual answer. – mjhm Apr 02 '14 at 13:31
  • As I mentioned, if you want to shoot yourself in the foot you can do so. The programming language, in this case JS, is in no way different from other languages such as PHP. As I mentioned, lack of knowledge or errors by the person writing the code can result in security vulnerabilities in any language / platform. Even ASP.NET and JEE had security vulnerabilities in the past. We can write secure JavaScript and it has been proved by apps such as Gmail. Hence I am not saying there are 0 vulnerabilities. But I am saying it is as good as any other platform w.r.t. vulnerabilities. – Ramesh Apr 03 '14 at 04:28
  • Can you give some examples of the security features lacking in Node? – Ramesh Apr 03 '14 at 08:33
  • I was mentioning JS is used in Gmail front end (to counter your XSS, eval and other JS vulnerabilities). I have voted for reopening this question – Ramesh Apr 03 '14 at 08:34