Building a Better Web
June 11–12, 2018: Training
June 12–14, 2018: Tutorials & Conference
San Jose, CA

Patterns in Node Vulnerabilities

3:35pm–4:15pm Thursday, June 14, 2018
Location: 210 C/G Level: Intermediate
Secondary topics: Best practice, Technical; Web Pillars Track: Performance, Security, Accessibility

Who is this presentation for?

Web Developers, Software Engineers, Security Engineers, Security Consultants, Security Analysts

Prerequisite knowledge

Basic understanding of JavaScript, Node.js, and web security.

What you'll learn

The audience will gain an understanding of common security mistakes made by Node package authors and learn how to avoid them in their own application code or Node packages.


More than 500 Node packages are published to npm every day. Security researchers consistently discover and publish vulnerabilities in these packages, albeit at a slower pace. Analysis of these vulnerabilities reveals valuable insights for Node developers and security testers. This presentation walks the audience through patterns found in over a thousand publicly known Node vulnerabilities. It covers:

  • Frequently occurring vulnerabilities
  • Top vulnerabilities by severity
  • Occurrence of top vulnerabilities by year

Further, the presentation will highlight common programming mistakes that caused some of the top vulnerabilities, including:

  • Sensitive Data Exposure
  • Regular Expression Denial of Service (ReDoS)
  • Directory Traversal
  • Cross-Site Scripting
  • Injection

The information gained from this presentation will help the audience recognize and avoid common security issues when developing their own Node packages or Node application code.


Chetan Karande


Chetan Karande is a full stack web developer, security researcher, author, and speaker at developer conferences.

He is the author of Securing Node Applications (O’Reilly Media) and contributor to multiple open source projects.

He is a member of the Open Web Application Security Project (OWASP) organization and a project leader for the OWASP NodeGoat project, an open source learning platform for Node.js security.

He works as a Principal Software Engineer at DTCC, with a focus on building fast, maintainable, and secure user interfaces.
