
OWASP Toronto - June 2017 Chapter Event

Hosted By
Yuk Fai C. and Opheliar C.

Details

Description:

The Node.js Highway: Attacks Are At Full Throttle

Node.js is the drive-and-go language and its popularity is soaring. Five years after its debut, the language’s framework boasts more than 2M downloads a month. Before accelerating too quickly, it is important to understand the power – and corresponding mishaps – of this language. In this talk, we demonstrate new attack techniques against applications built on top of the Node.js language. Attacks include:

• Application-layer DDoS attacks. Bringing a server to its knees with just 4(!) requests.

• Password exposure attacks. Leveraging the “Forgot My Password” feature of applications in order to reveal the passwords of all the application’s users.

• Business logic attacks. Running malicious code on the machines of all users of the application by exploiting a weak business feature.

Presenter Bio:

Susan St.Clair, CWAPT

Solution Engineer – Checkmarx

Susan is currently part of the Checkmarx GTA team, where she works with organizations to help implement secure coding practices as part of their SDLC. She has over 15 years of experience working with application teams in the software industry.

She was previously a product manager and solution engineer with Codiscope, now part of Synopsys.

OWASP Toronto Chapter