OWasp NodeJS Security Cheat Sheet

Question 1

Use Flat Promise Chains

What problem does excessive nesting in asynchronous callbacks cause?

Answer 1

It leads to a “Pyramid of Doom” or “Callback Hell,” making code harder to maintain and track errors or results.

Question 2

Use Flat Promise Chains

How do Promises help avoid “Callback Hell”?

Answer 2

Promises provide a top-down execution flow and automatically skip to the first .catch function when an error occurs, simplifying error handling.

Question 3

Use Flat Promise Chains

What approach should be used to further reduce complexity in Promises?

Answer 3

Use flat Promise chains to maintain readability and avoid nested structures.

Question 4

Use Flat Promise Chains

How can nested callbacks be rewritten using a flat Promise chain?

Answer 4

Example:

```javascript
func1(“input1”)
.then(result => func2(“input2”))
.then(result => func3(“input3”))
.then(result => func4(“input4”))
.catch(error => {
// error handling
});
~~~

Question 5

Use Flat Promise Chains

How can nested callbacks be avoided using async/await?

Answer 5

Example:

```javascript
(async () => {
try {
const res1 = await func1(“input1”);
const res2 = await func2(“input2”);
const res3 = await func3(“input3”);
const res4 = await func4(“input4”);
} catch (err) {
// error handling
}
})();
~~~

Question 6

Best Practices

What are best practices for using Promises?

Answer 6

Use Promises for asynchronous code instead of deeply nested callbacks.

Convert non-Promise-based modules using Promise.promisifyAll() if needed.
Use async/await for further simplification and readability.

Question 7

Set Request Size Limits

Why should request size limits be set?

Answer 7

Without limits, attackers can send large request bodies, exhausting server memory or disk space.

Question 8

Set Request Size Limits

How can request size limits be set for all requests?

Answer 8

Using the raw-body package in Express with a specified limit:

```javascript
getRawBody(req, { length: req.headers[‘content-length’], limit: ‘1kb’ }, callback);
~~~

Question 9

Set Request Size Limits

Why should limits differ by content type?

Answer 9

JSON payloads are blocking operations and riskier than multipart inputs; setting appropriate limits per type prevents performance issues.

Question 10

Set Request Size Limits

How can Express middleware enforce content-specific limits?

Answer 10

Example:

```javascript
app.use(express.urlencoded({ extended: true, limit: ‘1kb’ }));
app.use(express.json({ limit: ‘1kb’ }));
~~~

Question 11

Set Request Size Limits

How should Content-Type headers be handled to prevent bypassing limits?

Answer 11

Validate request data against the stated Content-Type header and prioritize checking large requests or specific types.

Question 12

Do Not Block the Event Loop

What architecture does Node.js use?

Answer 12

A single-thread, non-blocking, event-driven architecture.

Question 13

Do Not Block the Event Loop

What happens during CPU-intensive JavaScript operations?

Answer 13

The event loop becomes blocked, waiting for the operation to finish.

Question 14

Do Not Block the Event Loop

Why are asynchronous operations important in Node.js?

Answer 14

They allow the main application to remain unblocked, improving performance.

Question 15

Avoiding Race Conditions

What issue arises when synchronous code depends on asynchronous callbacks?

Answer 15

Race conditions, where operations may execute out of order, leading to potential errors or security issues.

Question 16

Avoiding Race Conditions

How can race conditions be avoided?

Answer 16

Ensure dependent operations are written within the same callback or non-blocking function:

```javascript
fs.readFile(‘/file.txt’, (err, data) => {
// perform actions
fs.unlink(‘/file.txt’, (err) => { if (err) throw err; });
});
~~~

Question 17

Input Validation

Why is input validation essential for application security?

Answer 17

To prevent various attacks like SQL Injection, XSS, Command Injection, Denial of Service, Directory Traversal, and more.

Question 18

Input Validation

What is the best input validation technique?

Answer 18

Use an allow-list of accepted inputs.

Question 19

Input Validation

What should be done if an allow-list cannot be used?

Answer 19

Validate inputs against expected schemes and escape dangerous inputs.

Question 20

Input Validation

Which Node.js modules simplify input validation?

Answer 20

validator and express-mongo-sanitize.

Question 21

Input Validation

Why is JavaScript parsing of URLs a challenge for input validation?

Answer 21

The dynamic nature of JavaScript allows query strings to take on various forms, which can lead to inconsistencies.

Question 22

Output Escaping

Why is output escaping important?

Answer 22

To prevent Cross-Site Scripting (XSS) attacks by sanitizing HTML and JavaScript content shown to users.

Question 23

Output Escaping

Which libraries can be used for output escaping in Node.js?

Answer 23

escape-html and node-esapi.

Question 24

Activity Logging

Why is logging application activity a good practice?

Answer 24

It aids in debugging, enhances security through incident response, and supports IDS/IPS tools.

Question 25

# Activity Logging Which Node.js modules can be used for logging?

Answer 25

Winston, Bunyan, and Pino.

Question 26

# Activity Logging How can you log activities to both console and a file?

Answer 26

Example: ```javascript const logger = new (Winston.Logger)({ transports: [ new (winston.transports.Console)(), new (winston.transports.File)({ filename: 'application.log' }) ], level: 'verbose' }); ```

Question 27

# Activity Logging How can errors and general logs be separated?

Answer 27

Configure different transports to save errors in one log file and general logs in another.

Question 28

# Monitor the Event Loop What type of attack can overwhelm the event loop?

Answer 28

A Denial of Service (DoS) attack, caused by heavy network traffic.

Question 29

# Monitor the Event Loop How does the toobusy-js module help during heavy traffic?

Answer 29

It monitors response times and sends a 503 'Server Too Busy' message when the server is under load. ## Footnote Example of toobusy-js usage in Express: ```javascript app.use(function(req, res, next) { if (toobusy()) { res.status(503).send('Server Too Busy'); } else { next(); } }); ```

Question 30

# Take Precautions Against Brute-Forcing Why are brute-forcing attacks common?

Answer 30

Attackers use brute-forcing to guess passwords or other sensitive information, especially on login pages.

Question 31

# Take Precautions Against Brute-Forcing Which Node.js modules help defend against brute-forcing?

Answer 31

express-bouncer, express-brute, and rate-limiter.

Question 32

# Take Precautions Against Brute-Forcing How does a CAPTCHA help against brute-forcing?

Answer 32

It requires solving a challenge before proceeding, slowing down automated attacks. ## Footnote Example: ```javascript const svgCaptcha = require('svg-captcha'); app.get('/captcha', function (req, res) { const captcha = svgCaptcha.create(); req.session.captcha = captcha.text; res.type('svg'); res.status(200).send(captcha.data); }); ```

Question 33

# Take Precautions Against Brute-Forcing What is an account lockout?

Answer 33

A mechanism that locks an account after multiple failed login attempts, preventing further brute-force attempts.

Question 34

# Use Anti-CSRF Tokens What is Cross-Site Request Forgery (CSRF)?

Answer 34

An attack where an authenticated user unknowingly performs actions on behalf of an attacker.

Question 35

# Use Anti-CSRF Tokens Why is csurf no longer recommended?

Answer 35

It has a known security vulnerability and has been deprecated. Consider alternative CSRF protection packages.

Question 36

# Remove Unnecessary Routes Why should unused API routes be disabled?

Answer 36

They increase the application's attack surface and may lead to issues like information leakage or command execution.

Question 37

# Remove Unnecessary Routes Which frameworks automatically generate routes that may need removal?

Answer 37

Frameworks like Sails and Feathers.

Question 38

# Prevent HTTP Parameter Pollution (HPP) What is HTTP Parameter Pollution?

Answer 38

An attack where multiple HTTP parameters with the same name are sent, causing unpredictable application behavior.

Question 39

# Prevent HTTP Parameter Pollution (HPP) How can HPP be mitigated in Express?

Answer 39

Use the hpp module to ensure only the last parameter value is processed: ## Footnote Example: ```javascript const hpp = require('hpp'); app.use(hpp()); ```

Question 40

# Only Return What Is Necessary Why should applications limit the data returned in responses?

Answer 40

To avoid personal information disclosure, such as returning sensitive fields like email addresses or social security numbers.

Question 41

# Use Object Property Descriptors What are the three hidden attributes of object properties?

Answer 41

writable: Determines if the property value can be changed. enumerable: Specifies if the property can be used in for-loops. configurable: Indicates if the property can be deleted.

Question 42

# Use Object Property Descriptors How can you define object property attributes?

Answer 42

Use Object.defineProperty(): ```javascript Object.defineProperty(o, "a", { writable: true, enumerable: true, configurable: true, value: "A" }); ```

Question 43

# Use Object Property Descriptors What does Object.preventExtensions() do?

Answer 43

It prevents new properties from being added to an object.

Question 44

# Use Access Control Lists (ACL) How can ACLs enforce authorization in Node.js applications?

Answer 44

By defining roles and assigning users to those roles using modules like acl.

Question 45

# Error and Exception Handling How should uncaughtException events be handled?

Answer 45

Bind to the uncaughtException event to log error details, clean up resources, and terminate the process: ```javascript process.on("uncaughtException", function(err) { // cleanup and logging process.exit(); // avoid unknown state }); ```

Question 46

# Error and Exception Handling What happens if errors are unhandled in an EventEmitter?

Answer 46

They become uncaught exceptions, potentially crashing the application. Always attach listeners for error events: ```javascript emitter.on('error', function(err) { // Handle error }); ```

Question 47

# Server Security How should errors in asynchronous calls be handled?

Answer 47

Always propagate the error as the first argument to callbacks or explicitly handle it in express routes.

Question 48

# Server Security How can you improve session cookie security?

Answer 48

Set the following flags: httpOnly: Prevents client-side JavaScript access, mitigating XSS attacks. secure: Ensures cookies are sent only over HTTPS. SameSite: Protects against CSRF attacks by restricting cross-site requests.

Question 49

# Server Security Example of setting cookie flags:

Answer 49

```javascript const session = require('express-session'); app.use(session({ secret: 'your-secret-key', name: 'cookieName', cookie: { secure: true, httpOnly: true, path: '/user', sameSite: true } })); ```

Question 50

# Use Appropriate Security Headers What package helps set HTTP security headers in Express?

Answer 50

The helmet package. ## Footnote Example usage: ```javascript app.use(helmet()); ```

Question 51

# Use Appropriate Security Headers What does the Strict-Transport-Security header do?

Answer 51

Ensures browsers access the application only over HTTPS. ## Footnote Example usage: ```javascript app.use(helmet.hsts({ maxAge: 123456, includeSubDomains: false })); ```

Question 52

# Use Appropriate Security Headers How does X-Frame-Options protect against Clickjacking attacks?

Answer 52

It restricts whether a page can be loaded in or