Live Demo: Exploiting Common Node.js Vulnerabilities and Securing Your Apps
At NodeConfBP, Snyk's Danny Grander demonstrated live attacks on a vulnerable Express 4.x app, exposing directory‑traversal, XSS, and remote memory leaks, then shared practical tips for building safer Node.js applications.
During NodeConfBP, Snyk engineer Danny Grander presented a live hack of a vulnerable Node.js application built with Express 4.x, illustrating real‑world security risks in the npm ecosystem, which hosts over 380,000 modules and sees 6 billion downloads per month.
The demo app is deployed on Heroku ( https://goof-nodeconf-budapest.herokuapp.com ) and its source code is available on GitHub ( https://github.com/snyk/goof ).
Directory‑Traversal via the st Middleware
The first attack targets the st static‑file middleware, which before version 0.2.5 allowed directory traversal. With the following curl command the attacker reads arbitrary files such as /etc/passwd (%2e is the percent‑encoded form of ".", so every %2e%2e segment becomes ".." once decoded and climbs one directory above the static root):
curl https://goof-nodeconf-budapest.herokuapp.com/public/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
The response contains the contents of /etc/passwd.
XSS in the marked Markdown Renderer
The second vulnerability resides in the marked module (used for rendering Markdown). Versions prior to 0.3.6 are vulnerable to cross‑site scripting because the link target is written into the href attribute unchecked. Danny injected a malicious link:
[Gotcha](javascript:alert(1))
marked renders this as an anchor whose href is a javascript: URL, so the script runs in the viewing user's browser as soon as the link is clicked, which is a classic stored XSS.
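Added example, not marked's own code: a link‑target check of the kind a Markdown renderer needs so that [Gotcha](javascript:alert(1)) is rendered inert. It decodes percent‑encoding and HTML entities and strips the whitespace and control characters browsers ignore inside a scheme before comparing, because a check on the raw string is trivially bypassed by obfuscations such as java&#x73;cript: or java<TAB>script:. Blocking data: alongside javascript: and vbscript: is a conservative choice made here, not something the page states about marked.

```javascript
// Minimal HTML entity decoder covering numeric references and the named
// entities that matter for scheme smuggling (&colon;, &Tab;, &NewLine;).
function decodeEntities(s) {
  const named = { amp: '&', lt: '<', gt: '>', quot: '"', colon: ':', tab: '\t', newline: '\n' };
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);?/gi, (match, ent) => {
    if (ent[0] === '#') {
      const hex = ent[1].toLowerCase() === 'x';
      const code = parseInt(hex ? ent.slice(2) : ent.slice(1), hex ? 16 : 10);
      return code <= 0x10ffff ? String.fromCodePoint(code) : match;
    }
    const v = named[ent.toLowerCase()];
    return v === undefined ? match : v;
  });
}

// Schemes that execute code when placed in an href. Compared after normalisation.
const BLOCKED_SCHEMES = /^(javascript|vbscript|data):/;

function isSafeHref(href) {
  let u;
  try {
    u = decodeURIComponent(href);
  } catch (e) {
    return false; // refuse anything that cannot be decoded rather than guess
  }
  u = decodeEntities(u)
    .replace(/[\u0000-\u0020\u007f]/g, '') // browsers ignore these inside a scheme
    .toLowerCase();
  return !BLOCKED_SCHEMES.test(u);
}

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Renders a Markdown link. Unsafe targets are dropped and only the text survives;
// safe targets are attribute-escaped so the href cannot break out of the quotes.
function renderLink(text, href) {
  const safeText = escapeHtml(text);
  if (!isSafeHref(href)) return safeText;
  return `<a href="${escapeHtml(href)}">${safeText}</a>`;
}

console.log(renderLink('Gotcha', 'javascript:alert(1)'));   // Gotcha
console.log(renderLink('Site', 'https://example.com'));     // <a href="https://example.com">Site</a>
```

Two things to notice: the decision is made on a normalised copy while the original (escaped) string is what gets emitted, and rejecting means dropping the link rather than trying to repair it. Attribute escaping on its own does not help against this bug, since javascript:alert(1) contains nothing that needs escaping; the scheme check is what closes the hole.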
Remote Memory Exposure in Old mongoose Versions
Finally, Danny showed how outdated versions of mongoose, the MongoDB object‑modelling library for Node.js, can be exploited for remote memory exposure: an attacker can make the application store, and later serve back, bytes of server memory that were never meant to leave the process.
Practical Secure‑Coding Tips
Escape all user‑provided input before it is rendered or written into output.
Validate the types of parameters passed to constructors; a number arriving where a string or Buffer was expected is a classic way to trigger an unintended allocation.
Handle JSON data cautiously: a parsed request body can carry any JSON type in any field, so never assume a field has the type your schema expects.
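The following added example ties the last two tips to the mongoose memory‑exposure demo. It is not mongoose's or the goof app's code, and it assumes the mechanism behind this bug class: a field typed as Buffer receives a number from a JSON request body, and number‑to‑Buffer coercion allocates that many uninitialised bytes, so leftover heap contents get stored and served back. Buffer.allocUnsafe stands in for the legacy Buffer(number) constructor, and storeAvatar is a hypothetical handler.

```javascript
// Before: a number is accepted and becomes an uninitialised allocation of that size.
// Buffer.allocUnsafe models the legacy Buffer(number) behaviour on old Node versions.
function coerceBufferLegacy(value) {
  if (typeof value === 'number') return Buffer.allocUnsafe(value); // contents are whatever was in the heap
  return Buffer.from(value);
}

// After: only shapes that actually carry bytes are accepted; a bare number is rejected.
function coerceBufferSafe(value) {
  if (Buffer.isBuffer(value)) return value;
  if (typeof value === 'string') return Buffer.from(value, 'utf8');
  if (Array.isArray(value) && value.every((b) => Number.isInteger(b) && b >= 0 && b <= 255)) {
    return Buffer.from(value);
  }
  // JSON.stringify(buffer) produces {type:'Buffer', data:[...]}; accept that shape too.
  if (value && typeof value === 'object' && value.type === 'Buffer' && Array.isArray(value.data)) {
    return coerceBufferSafe(value.data);
  }
  throw new TypeError('expected a Buffer, string or byte array, got ' + typeof value);
}

// Hypothetical handler: body is the parsed JSON of a request such as {"avatar": 10000}.
// With the legacy coercion that request would store 10000 bytes of uninitialised memory;
// with the safe coercion it is rejected before anything is allocated.
function storeAvatar(body) {
  const avatar = coerceBufferSafe(body.avatar);
  return { stored: avatar.length };
}

console.log(coerceBufferLegacy(64).length);                    // 64 bytes of whatever was in memory
console.log(storeAvatar(JSON.parse('{"avatar":"abc"}')));      // { stored: 3 }
try {
  storeAvatar(JSON.parse('{"avatar":10000}'));
} catch (e) {
  console.log(e.message);                                       // expected a Buffer, string or byte array, got number
}
```

The general rule is the third tip above: JSON.parse gives you whatever type the client sent, so every field has to be coerced by an allow‑list of shapes you understand, and anything else must fail closed. Modern Node zero‑fills Buffer(number) and deprecates the constructor entirely, but Buffer.allocUnsafe still returns uninitialised memory and the same validation applies wherever a size is taken from untrusted input.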
For the full attack details and a comprehensive security checklist, see the original article linked in the presentation.
Node Underground
No language is immortal—Node.js isn’t either—but thoughtful reflection is priceless. This underground community for Node.js enthusiasts was started by Taobao’s Front‑End Team (FED) to share our original insights and viewpoints from working with Node.js. Follow us. BTW, we’re hiring.