Identify Code Injection Bugs in Your Code
First, you need to learn how to recognize a potential code injection vulnerability. In this section, we’ll discuss how injection vulnerabilities are introduced into code so that you’ll know what you shouldn’t do.
Code injections target applications where the functionality is created and interpreted during runtime based on user input. This makes finding possible attack points straightforward. In Node.js there are two interpreter functions to look out for: eval and Function. With these a developer can create a function out of string input and execute it at will.
The easiest way to avoid code injection attacks is to simply not create and evaluate code using user-submitted data. But using dynamically created ...