Identify Code Injection Bugs in Your Code

First, you need to learn how to recognize a potential code injection vulnerability. In this section, we’ll discuss how injection vulnerabilities are introduced into code so that you’ll know what you shouldn’t do.

Code injections target applications where the functionality is created and interpreted during runtime based on user input. This makes finding possible attack points straightforward. In Node.js there are two interpreter functions to look out for: eval and Function. With these a developer can create a function out of string input and execute it at will.

The easiest way to avoid code injection attacks is to simply not create and evaluate code using user-submitted data. But using dynamically created ...

Get Secure Your Node.js Web Application now with the O’Reilly learning platform.

O’Reilly members experience live online training, plus books, videos, and digital content from nearly 200 publishers.