1. HTTP Server DoS (CWE-400)
- Description: An attacker may cause a server to become unavailable because some other application has consumed all the available resources, or they may force the server itself to consume all its resources, making it unavailable for use. This attack can be perpetrated by malicious actors but is also considered a risk when clients are poorly configured. One such class of attack is Slowloris that sends requests at a slow rate while holding resources with intent to exhaust available capacity on a targeted server.
- Mitigations:
- Reverse proxy mechanisms such as Nginx can handle requests, and it can manage load balancing or caching for the same.
- Proper Timeout Settings: Apply server timeouts, such as headersTimeout and requestTimeout, that could drop idle or slow connections.
- Limit Open Sockets: Apply a limit on the number of open connections to avoid resource overuse.
2. DNS Rebinding (CWE-346)
- Description: An attack wherein an attacker tricks the browser into allowing requests to a local host because of manipulation of DNS responses. This will further reveal sensitive information from some local service that is running with debugging mode turned on.
- Mitigations:
- Disable Inspector in Production: Ensure the debugging inspector is turned off in the production environment.
- Input Validation and Error Handling: The inspector should only be activated at specific signals. Attach listeners to signals such as, but not limited to, SIGUSR1.
3. Exposure of Sensitive Information to Unauthorized Actors (CWE-552)
- Description: Publishing an npm package may upload all files in the current directory. This may leak sensitive data unintentionally.
- Mitigations:
Use .npmignore and .gitignore: Creating the ignore files allows specification of which files to exclude during publication.
Use npm publish --dry-run: Allows previewing of what would be published without actually publishing.
4. HTTP Request Smuggling (CWE-444)
- Explanation: Passes forged requests through a proxy to confuse how two servers interpret HTTP requests-the front-end and back-end-to allow malicious requests to bypass security.
- Mitigations:
- Insecure HTTP Parser: At creation, make sure this option is not used in creating HTTP servers.
- Normalize Requests: Configure the front-end servers to handle ambiguous requests consistently.
5. Information Exposure Through Timing Attack (CWE-208)
* Description: Attackers detect sensitive information by observing response times. Timing attacks may be performed to compare secrets such as passwords.
- Mitigations:
- Use crypto.timingSafeEqual: This allows for the secure comparison of sensitive values in constant time and mitigates timing attacks.
6. Vulnerable Third-Party Dependencies (CWE-1357)
- Explanation: Node.js applications load and execute arbitrary code contained within installed packages, and these could be malicious in nature.
- Mitigations:
- Pin versions of dependencies: Always declare exact versions of your dependencies to prevent automated updates to malicious versions.
- Regular dependency audits: Using tools for periodic scanning of vulnerabilities within dependencies.
7. Supply Chain Attacks
Attacks that leverage the dependencies: a vulnerable upstream package introduces vulnerabilities into your application. Mitigation To block running arbitrary scripts of packages by npm, use --ignore-scripts. Using lockfiles-Lockfiles ensure that the dependencies are locked to using the exact versions.
8. Memory Access Violation CWE-284
- Description: These attacks rely on memory management errors that may occur in shared environments and may result in sensitive information disclosure.
- Mitigations:
- Avoid Shared Environments: Do not run production applications on shared machines.
9. Monkey Patching CWE-349
- Explanation: This is one of the modifications done to built-in objects or functions at runtime and may create unpredictable behavior or even security vulnerabilities.
- Mitigations:
- Use --frozen-intrinsics: switch to keep built-in JavaScript objects untouched and assure original behavior.
10. Prototype Pollution Attacks (CWE-1321)
- Explanation: Attackers can manipulate prototype chains of JavaScript objects, which could lead to severe issues in applications.
- Mitigations:
- Avoid Insecure Merges: For merging objects, make sure it is done using safe methods. Extra caution needs to be taken while dealing with untrusted data.
- Use Object.create(null): Ensure objects are created without prototypes as a defense against prototype pollution.
