Writing code that stops code injection might look like a routine task, but there are numerous pitfalls along the way. For example, the fact that one developer follows secure coding practices does not mean that other developers do the same. You are most probably using open source packages in your applications. How do you know whether those were developed securely? What if insecure code such as eval() exists in them? Let's discuss this in more detail.

What is code injection?

Code injection is a specific form of the broader class of injection attacks, in which an attacker supplies JavaScript or Node.js code that is then interpreted by the browser or the Node.js runtime. The vulnerability manifests when the interpreter cannot distinguish between the trusted code the developer intended and the injected code the attacker provides as input.
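To make the definition concrete, here is an added example (not code from the original post) of the exact confusion described above: a hypothetical settings parser that hands a client-supplied string to eval() cannot tell data from code, while JSON.parse() only accepts the JSON grammar and rejects everything else. The inputs, function names and the `__sideEffect` marker are constructed for the demonstration.

```javascript
// Added example: why the interpreter cannot separate intended code from injected input.
// Scenario (hypothetical): a settings endpoint receives a JSON-looking string from the client.

// Constructed inputs: one honest, one carrying an expression instead of plain data.
const HONEST_INPUT = '{"theme":"dark","fontSize":14}';
const TAMPERED_INPUT = '(globalThis.__sideEffect = "code ran", {"theme":"dark"})';

// VULNERABLE pattern: eval() passes the whole string to the JS interpreter, so any
// expression embedded in it runs with the application's privileges.
function parseSettingsUnsafe(input) {
  return eval('(' + input + ')');
}

// HARDENED pattern: JSON.parse() understands only data. Anything outside the JSON
// grammar raises a SyntaxError and is never executed; the shape is then validated.
function parseSettingsSafe(input) {
  const parsed = JSON.parse(input);
  if (typeof parsed !== 'object' || parsed === null || Array.isArray(parsed)) {
    throw new TypeError('settings must be a JSON object');
  }
  return parsed;
}

// Runs both parsers on the tampered input and reports what happened.
function demo() {
  delete globalThis.__sideEffect;
  parseSettingsUnsafe(TAMPERED_INPUT);
  const unsafeRanCode = globalThis.__sideEffect === 'code ran'; // the injected expression executed

  let safeRejected = false;
  try {
    parseSettingsSafe(TAMPERED_INPUT);
  } catch (err) {
    safeRejected = err instanceof SyntaxError; // rejected as malformed data, nothing executed
  }
  return { unsafeRanCode, safeRejected };
}

console.log(parseSettingsSafe(HONEST_INPUT)); // { theme: 'dark', fontSize: 14 }
console.log(demo());                          // { unsafeRanCode: true, safeRejected: true }
```

The honest input parses identically with both functions, which is exactly why eval()-based parsing survives in code bases: nothing looks wrong until untrusted input arrives.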

How to stop code injection?

As a key secure coding practice, do not allow any dynamic code execution in the application. This means avoiding language constructs such as eval() and code strings passed to setTimeout() or the Function constructor. Secondly, stay away from serialization libraries that may be vulnerable to injection attacks which execute code during deserialization. Lastly, run dependency scanning to make sure your application is not exposed to this attack through third-party open source components. Moreover, a static code analysis tool such as Google's Closure Compiler can search for these potential code injection vulnerabilities in our own or our colleagues' code.

  • Avoid eval(), and string arguments to setTimeout() and setInterval()
  • Avoid new Function()
  • Avoid code serialization in JavaScript
  • Use a Node.js security linter
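The last bullet asks for a linter; as an added example (not the post's code and not any real linter's implementation), the scanner below shows what such a rule looks for: it flags eval(), the Function constructor, and string arguments to setTimeout()/setInterval() in a constructed sample source. Production linters work on the AST rather than regular expressions, so treat this as an illustration of the detection idea; the rule ids and the sample source are invented here.

```javascript
// Added example: a minimal heuristic scanner for dynamic-code constructs.
// Rule ids and patterns are constructed for illustration, not taken from any real linter.
const RULES = [
  {
    id: 'no-eval',
    // \b keeps identifiers such as "retrieval(" from matching.
    re: /\beval\s*\(/,
    why: 'eval() executes its argument as code',
  },
  {
    id: 'no-implied-eval',
    // First argument is a string literal or a string built by concatenation.
    re: /\bset(?:Timeout|Interval)\s*\(\s*(?:['"`]|[A-Za-z_$][\w$]*\s*\+)/,
    why: 'setTimeout/setInterval with a string argument is an implied eval',
  },
  {
    id: 'no-new-func',
    re: /\bnew\s+Function\s*\(/,
    why: 'the Function constructor compiles a string into code',
  },
];

// Returns one finding per (line, rule) match; whole-line comments are skipped.
function scanSource(source) {
  const findings = [];
  source.split('\n').forEach((text, index) => {
    if (text.trim().startsWith('//')) return; // commented-out code is not executed
    for (const rule of RULES) {
      if (rule.re.test(text)) {
        findings.push({ line: index + 1, id: rule.id, why: rule.why, text: text.trim() });
      }
    }
  });
  return findings;
}

// Constructed sample: three dangerous lines among harmless ones.
const SAMPLE_SOURCE = [
  "const cfg = JSON.parse(body);",
  "const legacy = eval('(' + body + ')');",
  "setTimeout(() => refresh(), 1000);",
  "setTimeout('refresh()', 1000);",
  "const fn = new Function('a', 'return a');",
  "// eval('commented out') must not be reported",
].join('\n');

for (const f of scanSource(SAMPLE_SOURCE)) {
  console.log(`line ${f.line}: ${f.id} - ${f.why}\n    ${f.text}`);
}
```

Running it reports lines 2, 4 and 5 and nothing else. A regex rule cannot follow data flow (for example a string stored in a variable and passed to setTimeout() two lines later), which is why the AST-based rules of a real Node.js security linter are the tool to adopt in CI rather than this scanner.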


4 Best Ways to Prevent Code Injection in JavaScript and Node.js