Building a Better Web
June 11–12, 2018: Training
June 12–14, 2018: Tutorials & Conference
San Jose, CA

Patterns in Node.js vulnerabilities

Chetan Karande (YJ Consulting LLC)
3:35pm–4:15pm Thursday, June 14, 2018
Location: 210 C/G
Secondary topics: Best practice, Technical, Web Pillars Track: Performance, Security, Accessibility
Average rating: 2.00 (1 rating)

Who is this presentation for?

  • Web developers, software engineers, security engineers, security consultants, and security analysts

Prerequisite knowledge

  • A basic understanding of JavaScript, Node.js, and web security

What you'll learn

  • Explore common security mistakes made by Node.js package authors and learn how to avoid them


More than 500 Node.js packages get published to npm every day, and security researchers consistently discover and publish vulnerabilities found in these packages. Analysis of these vulnerabilities reveals some valuable insights for Node.js developers and security testers.

Chetan Karande shares the findings from an analysis of over a thousand publicly known Node.js vulnerabilities. With intuitive data visualizations and statistics, Chetan details trends over the last five years, explores common security mistakes made by Node.js package authors, and explains how you can prevent these issues in your own code.

Topics include:

  • Frequently occurring vulnerabilities
  • Top vulnerabilities by severity
  • Occurrence of top vulnerabilities by year
  • Common mistakes, including:
    • Sensitive data exposure
    • Regular expression denial of service (ReDoS)
    • Directory traversal
    • Cross-site scripting
    • Injection

Chetan Karande

YJ Consulting LLC