www.nodejs-security.com

URL: https://www.nodejs-security.com/
Submission: On July 23 via automatic, source certstream-suspicious — Scanned from DE

🦄 Node.js Security


SHIP SECURE JAVASCRIPT APPS

Master secure coding practices you can apply at work

 * Defending Against Command Injection Vulnerabilities
 * Prevention and Exploitation of Path Traversal Vulnerabilities

2 training books for $43.77 (regular price $115.20)
Buy Now


> "If you're a Node.js developer you need this book! Always been a huge fan of
> your work! You earned the praise many times over Liran"

Jim Manico
CEO at Manicode Security & Legendary OWASP Global Board Member
 * 223 Pages
 * 1M+ downloads of the vulnerable packages analyzed
 * 21 Chapters
 * 19 Vulnerable npm Packages
 * 73 Self-assessment Questions

Join Kyriakos, Sergio, Mateo, and hundreds of developers who learn from Liran Tal.


LITERALLY, THE ONLY NODE.JS SECURE CODING BOOKS ON AMAZON.

Get the paperback version of Node.js Secure Coding books on Amazon.com.

Buy on Amazon $33.87

Even better, SAVE 62% and get 2 digital editions of Node.js Secure Coding books
in PDF and EPUB straight to your inbox.

Get 2 Books for $43.77



SHARPEN YOUR NODE.JS CODING SKILLS

Here is a classic piece of Fastify application code. Can you find the security
vulnerability in the code below?

Vulnerable Code


    const fs = require("fs");
    const path = require("path");
    const fastify = require("fastify")();

    // Loaded at startup but never used by the route below.
    const config = require("./config.json");

    // GET /static?filename=<name> serves a file from the uploads directory.
    fastify.get("/static", async (req, rep) => {
        // Query-string value, controlled entirely by the client.
        const filename = req.query.filename;
        const filePath = path.join("/opt/app/uploads", filename);

        try {
            const fileContents = fs.readFileSync(filePath);
            rep.code(200).send(fileContents);
        } catch (err) {
            // Every read error (missing file, directory, non-string filename)
            // is collapsed into a 404.
            rep.code(404).send("File not found");
        }
    });

    fastify.listen({ port: 3000 });
    

Don't give in to security vulnerabilities.

$ npm install url-parse serve @sveltejs/kit next react-svg
added 74 packages, and audited 74 packages in 24s
24 high severity vulnerabilities

Master Node.js security and secure coding best practices through analyzing and
exploiting real-world vulnerable npm packages.



MEET LIRAN TAL, THE AUTHOR.




SECURITY ANALYST FOR THE NODE.JS FOUNDATION

In his role as a security analyst in the Node.js Foundation's Security Working
Group, Liran reviewed hundreds of vulnerability reports for npm packages and
established processes for responsible security disclosures and vulnerability
triage 🏴‍☠️.


EDUCATION IS A CORE PRACTICE

Passionate about educating developers on application security and secure coding
practices, Liran is an international speaker, workshop instructor, and author of
several books on the subject. He occasionally speaks on software security topics
at academic institutions, such as presenting to students at the Electrical and
Computer Engineering School at Purdue University 🎓.


AWARD-WINNING GITHUB STAR ⭐️

Liran received the GitHub Star recognition award from GitHub for his work
educating and inspiring developers and actively advocating for web security.


RECIPIENT OF THE PATHFINDER FOR SECURITY AWARD 🎖️

Honored by the OpenJS Foundation with the Pathfinder for Security Award, Liran
is recognized for his work advancing Node.js security.


I'M A SECURITY RESEARCHER

An accomplished security researcher, Liran has disclosed security
vulnerabilities in various open source software projects and has been credited
with CVEs for vulnerabilities in npm packages with millions of downloads.


ACCLAIMED RECOGNITION AT BLACK HAT

Liran's supply chain security research, including Lockfile Injection, was
presented at the Black Hat Europe 2021 cybersecurity conference. Liran is also
the creator of several developer security tooling projects: npq, which audits a
package before npm or yarn installs it; is-website-vulnerable, which detects
known-vulnerable front-end JavaScript libraries on a site; and snync, which helps
developers and enterprises defend against dependency confusion attacks.


ABOUT LIRAN TAL

Liran Tal is an accomplished software developer, respected security researcher,
and prominent advocate for open source software in the JavaScript community. As
an experienced author and educator, Liran has written several widely respected
books on software security. These include "Serverless Security" published by
O'Reilly, as well as the self-published titles "Essential Node.js Security" and
"Web Security: Learning HTTP Security Headers". Liran's leadership in open
source security includes significant contributions to OWASP projects, recording
supply chain security incidents at the CNCF, and various OpenSSF initiatives.
Currently, Liran is a developer advocate at Snyk where he empowers developers
with the knowledge and tools needed to build and deploy secure software.


DIGITAL BOOK: DEFENDING AGAINST COMMAND INJECTION VULNERABILITIES

PDF & EPUB

The book features:

 * 106 Pages
 * 12 Vulnerable npm Packages
 * 33 Self-assessment Questions
 * 10 Chapters
 * Light Mode
 * Dark Mode SPECIAL EDITION
 * July 2023 release
 * Sale 30% OFF


$40.32 (regular price $57.60)
Buy Now
Learn more about the book

Tip: get the 2-book secure coding bundle for $43.77 and save 62%. Buy Bundle


BOUGHT BY DEVELOPERS FROM THESE COMPANIES




DIGITAL BOOK: PREVENTION AND EXPLOITATION OF PATH TRAVERSAL VULNERABILITIES

PDF & EPUB

The book features:

 * 117 Pages
 * 7 Vulnerable npm Packages
 * 40 Self-assessment Questions
 * 11 Chapters
 * Light Mode
 * Dark Mode SPECIAL EDITION
 * September 2023 release
 * Sale 30% OFF


$40.32 (regular price $57.60)
Buy Now
Learn more about the book

Tip: get the 2-book secure coding bundle for $43.77 and save 62%. Buy Bundle


TEST YOUR NODE.JS SECURE CODING SKILLS

Is the code below vulnerable to a Path Traversal attack?

Vulnerable code... is it?


    const fastify = require('fastify')
    const path = require('path')

    const downloadsPath = '/opt/downloads'
    const app = fastify()

    // GET /download?file=<name> streams a file from the downloads directory.
    // rep.sendFile comes from the @fastify/static plugin, which is assumed to
    // be registered on `app` elsewhere in the application.
    app.get('/download', async (req, rep) => {
        const file = req.query.file || 'default.png'

        // Deny-list: reject any value containing the substring '..'
        if (file.includes('..')) {
          return rep.code(400)
            .send('Directory Traversal Detected')
        }

        // Collapse '.' segments and redundant separators, then build an
        // absolute path below downloadsPath/downloads.
        const normalizedFilename = path.normalize(file)
        const downloadFilepath = path.resolve(
            downloadsPath,
            'downloads',
            normalizedFilename)

        try {
          await rep.sendFile(downloadFilepath)
        } catch (err) {
            rep.code(404).send('Requested File Not Found')
        }
    })

    app.listen({ port: 3000 })
    


LEADING DEVELOPERS LOVE NODE.JS SECURE CODING

Read testimonials and learn what the developer community has to say about the
books and their recommendations to skill up on Node.js Secure Coding practices.

> "I have finished reading Node.js Secure Coding from Liran Tal. I read the
> whole thing in an hour without realizing it. I learned and discovered a few
> things along the way. I laughed at the IFS, didn't see it coming."


--------------------------------------------------------------------------------

Thomas Gentilhomme

Node.js lead at MyUnisoft, Node Security WG

> "Liran Tal, your book on Node.js security is an absolute gem! The abundance of
> real-world examples with commented fixes is incredibly valuable. Your
> practical solutions have enlightened me, especially the discovery of the
> shell-quote module! Recommended to all Node.js developers!"


--------------------------------------------------------------------------------

Manuel Spigolon

Senior Software Developer at NearForm

> "I wholeheartedly enjoyed working and learning from Liran's expertise in
> securing applications. With extensive experience speaking at global
> conferences and actively contributing code to the community, he is a true
> authority in the field. I highly endorse both his enlightening book and
> engaging workshop, as they are invaluable resources for anyone looking to
> enhance their understanding and implementation of application security"


--------------------------------------------------------------------------------

Yoni Goldberg

Software Architect, Node.js Specialist

> "Liran Tal just published a new book about Node.js secure coding. It is worth
> taking a look at!"


--------------------------------------------------------------------------------

Daniel Garcia

Cybersecurity & API Security Consultant

> "I highly recommend the new Node.js Secure Coding book published by Liran Tal.
> Covers not only Node.js but also gives you another perspective on how to
> achieve good and secure applications, especially with understanding and
> handling SAST vulnerabilities. Liran - CHAPEAU!"


--------------------------------------------------------------------------------

Eli (Tom) Lelonek

Application Security Manager at Allot

> "Got my copy of Node.js secure coding! I already know I'll learn a lot 🔥"


--------------------------------------------------------------------------------

Marco Ippolito

Node.js Collaborator & Developer Experience Engineer @NearForm

> "A very interesting book that I recommend if you are in the Node.js world is
> "Node.js Secure Coding" by Liran Tal. Laid out with explanations, examples and
> tips. Warmly recommended."


--------------------------------------------------------------------------------

Diego Betto

Founder & Senior Fullstack Developer

> "Read through first 3 chapters last night, nice work Liran!"


--------------------------------------------------------------------------------

Aranđel Šarenac

12+ years developer, focusing on Identity Security

> "Highly recommend Liran Tal's ebooks for any Node developers who are serious
> about security (which should be all of you!)"


--------------------------------------------------------------------------------

Alicia Sykes

Principal Engineer @AND Digital

> "Started reading the Prevention and Exploitation of Path Traversal and I am
> very happy with the quality. It is connecting me to some knowledge I had from
> working in AV company and now with code, very interesting."


--------------------------------------------------------------------------------

Yana Ifraimov

NOC Engineer @Skai

> "Advice: purchase both and read them end to end. At first they seem very
> topical and tied to a single family of vulnerabilities each, but Liran does an
> amazing job at going deep, showing a variety of real world exploits, how to
> remediate and code defensively better. 10/10 recommend"


--------------------------------------------------------------------------------

Aranđel Šarenac

12+ years developer, focusing on Identity Security

> "Node.js security rock-star Liran Tal drops another book on how to ship safe
> Node.js applications. I know it's hard to tell sometimes where to start from
> when it comes to security, as the internet is flooded with content. Well, look
> no more - trust content composed by Liran"


--------------------------------------------------------------------------------

Gal Weizman

Browser JS Application Security at MetaMask & LavaMoat

> "It's not every day that you can pay less than $20 for years of security
> wisdom. Just got this and will be using the book during my streams to improve
> my code."


--------------------------------------------------------------------------------

Ray Fernando

AI app at TruthTorch.ai, ex-Apple Engineer

> "The amount of content covering advanced topics in Node.js is so little, makes
> this a must-read"


--------------------------------------------------------------------------------

Ruan Martinelli

Product engineer, Full-stack Freelancer & Consultant

> "Outstanding book, can't wait."


--------------------------------------------------------------------------------

Tiger Abrodi

TypeScript fanatic

> "I've followed Liran Tal's work for years and definitely one of the top
> experts in Node.js security! Give these a look as they are essential for
> anyone serious about securing their Node.js applications."


--------------------------------------------------------------------------------

Zac Rosenbauer

CTO & Co-founder at Joggr

> "Just got my hands on your new book and I'm thoroughly impressed! It's clear
> that your passion for application security and deep understanding of Node.js
> shines through every page"


--------------------------------------------------------------------------------

Zeal Chhasatiya

Security Analyst at Shared Services Canada

> "If you're a developer looking to better understand security vulnerabilities,
> this is one of the best books out there on the topic. While this book
> specifically focuses on Command Injection vulnerabilities in Node, the content
> contained within is broadly applicable to any developers writing software.
> It's an A++ book and absolutely worth the time to read and analyze. Liran is a
> top-tier security researcher and developer who's an icon in the security
> space. Seriously, look him up on Google, he's amazing."


--------------------------------------------------------------------------------

Randall Degges

Head of Developer Relations & Community at Snyk

> "Psyched to get my copy of Liran Tal's book: "Node.js Secure Coding: Defending
> Against Command Injection Vulnerabilities" Do yourself a favor and grab a
> copy!"


--------------------------------------------------------------------------------

Micah Silverman

Director, DevSecOps Acceleration at Snyk

> "I am just starting to read it now that I am doing security patching in
> Express. The book looks amazing! I mean... all the series is an amazing work,
> thanks a lot for investing the time to write them."


--------------------------------------------------------------------------------

Ulises Gascón

Express TSC & Node.js Collaborator


DEFEND AGAINST COMMAND INJECTION IN NODE.JS


SECURITY EDUCATION MODULES IN THE BOOK

Chapter 1


INTRODUCTION TO APPLICATION SECURITY

Master application security essentials—CVEs, CWEs, OWASP Top 10. Elevate your
Node.js skills, fortify defenses, and navigate the security landscape.

Chapter 2


COMMAND INJECTION

Explore the landscape of command injection vulnerabilities, their types, and
their real-world impact. Classify vulnerabilities, detect insecure code
patterns, and fortify applications.

Chapter 3


MITIGATING ARGUMENT INJECTION IN NODE.JS APPLICATIONS

Secure Node.js apps with lessons from command injection vulnerabilities. Learn
key strategies to avoid OS injection risks, optimize code, and safeguard against
argument injection attacks.

Chapter 4


FORTIFYING NODE.JS APPLICATIONS AGAINST COMMAND INJECTION THREATS

Mastering Node.js Security: Advanced Defense Against Command Injection. Learn
crucial tactics beyond basics—robust input validation, nuanced security
controls, and insights from real-world vulnerabilities. Elevate your Node.js
applications' security posture.

Chapter 5


HARDENING NODE.JS AGAINST COMMAND INJECTION: INSIGHTS FROM A VULNERABLE NPM
PACKAGE

Securing Node.js projects: unraveling the git-promise vulnerability. Delve into
input validation nuances, the persistence of vulnerabilities after a fix, and the
impact of project popularity. Equip yourself with insights to fortify Node.js
projects against an evolving security landscape.

Chapter 6


NAVIGATING COMMAND INJECTION PITFALLS IN A VULNERABLE NPM PACKAGE: A TECHNICAL
DEEP DIVE

Mastering secure integration: lessons from an ImageMagick vulnerability. Explore
the pitfalls of the exec() API, balance convenience with security, and adopt
secure alternatives. Navigate Node.js security with confidence.

Chapter 7


DEFENDING AGAINST COMMAND INJECTION: LESSONS FROM A STRAPI VULNERABILITY

Securing Strapi: navigating command injection risks. Uncover vital insights from
a CVE, emphasizing input sanitization, secure APIs, and cautious handling of
user input. A practical guide to fortifying applications against command
injection threats.

Chapter 8


CLI SECURITY: LEVERAGING GITHUB AS AN ATTACK VEHICLE AGAINST VULNERABLE CLIS

Command-line insecurity: demystifying CLI vulnerabilities. Delve into the 2018
discovery, debunking myths around CLI security. Uncover GitHub as an attack
vector, highlighting how deceptive a data source can be. Developers gain
insights into robust input validation for fortified application security.
Chapter 9


MASTERING SECURE COMMAND EXECUTION IN NODE.JS

Node.js command injection defense: mastering the child_process APIs and secure
coding. Navigate secure execution with insights on API choices, escaping
strategies, and npm run-scripts. Equip yourself to proactively prevent
vulnerabilities for robust Node.js application security.

Chapter 10


DEEPENING YOUR COMMAND INJECTION DEFENSES

Mastering command injection defenses: test your knowledge with real-world
examples and CVE references. Elevate your understanding with quizzes, real-world
insights, and a comprehensive CVE reference list. Equip yourself to fortify
command injection defenses and communicate security priorities effectively.


PREVENT PATH TRAVERSAL IN NODE.JS


SECURITY EDUCATION MODULES IN THE BOOK

Chapter 1


SECURITY FOUNDATIONS FOR NODE.JS DEVELOPMENT

An introductory chapter unfolds core security concepts and terminology for
developers. Master CVE, CWE, OWASP Top 10, and other security-lingo terms in
modern software development.

Chapter 2


NAVIGATING PATH TRAVERSAL HAZARDS IN NODE.JS APPLICATIONS

Journey through path traversal intricacies. Mitigate risks in Node.js apps. A
secure coding guide for JavaScript developers building server-side applications.

Chapter 3


DECODING PATH JOIN: NAVIGATING SECURITY PITFALLS IN NODE.JS

Decode path traversal nuances. Expose insecure coding practices. Learn
vulnerable code patterns and embrace insights for robust, secure Node.js coding.

Chapter 4


UNVEILING NUANCES: BEYOND THE ../ STRING IN NODE.JS PATH TRAVERSAL

Explore path and directory traversal subtleties. Decode percent-encoding
pitfalls. Adopt high-precision secure coding best practices when dealing with
core Node.js filesystem APIs for optimal Node.js security.

Chapter 5


MASTERING SECURITY: NAVIGATING NUANCES BEYOND CLASSIC PATH TRAVERSAL IN NODE.JS

Unearth secure coding lessons. Explore adjacent paths and logic checks. A beacon
for Node.js developers who seek security controls and write production-grade
code.

Chapter 6


UNVEILING VULNERABILITIES: THE ANATOMY OF SIMPLE CODE'S IMPACT ON SECURITY

Dissect quickly written code implementations that result in secure coding errors
and learn to avoid core Node.js API pitfalls.

Chapter 7


NAVIGATING THE MAZE: PATH TRAVERSAL VULNERABILITIES IN HTTP SERVER NPM DEVTOOLS

Analyze directory traversal bugs. GitHub repository insights and lessons from
oversights in CLI configuration that turn a logic error into a security
vulnerability putting development environments at risk.

Chapter 8


A DEEP DIVE INTO SECURITY OVERSIGHTS IN A FILE SERVER NPM DEVTOOL

Explore npm package devtools that introduce security risks for developers.
Insights into secure coding intricacies unfolding in CLIs that do not implement
security controls.

Chapter 9


PATH TRAVERSAL BEYOND DENY-LISTS AND OPERATING SYSTEM SUPPORT

A wake-up call on deny-lists. Cross-platform compatibility insights. Layer
controls for comprehensive security and understand how overlooked bad practices
end up as security implications.

Chapter 10


OFFENSIVE SECURITY: AUTOMATION, EXPLOITATION, AND NODE.JS VIGILANCE

Employ tactical offensive security tools to learn how hackers automate path
traversal exploits. In this chapter we highlight Node.js runtime vulnerabilities
and required vigilance for your production apps.

Chapter 11


MASTERING THE CRAFT: SECURE CODING STRATEGIES TO PREVENT PATH TRAVERSAL IN
NODE.JS

A meticulous guide to secure coding, with hands-on demonstrations and
best-practice advice for Node.js developers. Pair coding with testing for robust
defenses.


MASTER NODE.JS SECURITY THROUGH HANDS-ON LEARNING AND BEST PRACTICES

Comprehensive learning path

Whether you're a beginner or an experienced JavaScript developer, this Node.js
Secure Coding book takes a comprehensive approach to security. From basic
terminology to an introduction to Command Injection, you'll learn about assorted
patterns of insecure code observed in popular and well-known npm packages.

Hands-on learning

Unlike other security books that rely on theoretical examples, this book is
based on real-world vulnerable code found in popular npm packages. You'll get
hands-on experience reviewing and fixing security issues in these projects,
learning practical security skills and Node.js secure coding best practices.

Best practices and practical takeaways

Each chapter ends with a summary of the lessons learned, highlighting best
practices for securing your Node.js code and improving your overall security
knowledge of Command Injection vulnerabilities.

Congratulations!
You've leveled up your security skills!





Liran is a tireless advocate for security in the JS ecosystem. He works hard to
build bridges, educate developers about security issues, and support Open Source
projects working to improve their security posture. Liran has served on the Node
security team and is always available to support developers!


BY THE OPENJS FOUNDATION




HANDS-ON
NODE.JS SECURITY

Master secure coding in Node.js with real-world vulnerable npm dependencies and
experience secure coding and offensive security hacking first-hand


NODE.JS SECURE CODING: DEFENDING AGAINST COMMAND INJECTION VULNERABILITIES

Explore the book


NODE.JS SECURE CODING: PREVENTION AND EXPLOITATION OF PATH TRAVERSAL
VULNERABILITIES

Explore the book
Liran Tal
 * Award-winning security champion, open source advocate, and self-published
   author.

 * GitHub Star 2023
 * Pathfinder Award for Security

Published Author
 * Command Injection
 * Path Traversal
 * Code Injection
 * Essential Node.js Security
 * O'Reilly Serverless Security
 * Web Security: Learning HTTP Security Headers

Blog latest articles
 * Understanding and Preventing Prototype Pollution in Node.js
 * How to protect against a security breach in React Server Components
 * IDOR Vulnerability: What is it and how to prevent it?
 * The security vulnerability of serving images via a route as opposed to static
   middleware in Node.js
 * Why is it considered a bad practice to write raw SQL commands?


© 2024 Liran Tal