Netsparker adds IAST support for Node.js

Zbigniew Banach - Tue, 09 Nov 2021 -

Netsparker continues to expand its IAST capabilities, now adding a Node.js agent to deliver additional insights when scanning modern JavaScript applications. Learn more about where Node.js is used and what additional information the DAST+IAST approach can bring to vulnerability scanning and remediation in Node.js applications.



What is Node.js and why is it important?

JavaScript started life as a language for running client-side scripts inside a web browser. Created in 2009 by Ryan Dahl, Node.js is a JavaScript runtime environment that makes it possible to execute server-side scripts outside a web browser using the standalone V8 engine. Thanks to Node.js, JavaScript is no longer limited to client-side scripting and can be used to develop full-fledged server-side applications. 

The ability to use JavaScript on the back end as well as the front end has led to an explosion of JavaScript frameworks that rely on Node.js for high-performance server-side processing and then build an entire application stack on top of it. Traditional web applications were forced to use different technologies on the server and client sides, but Node.js has made full-stack JavaScript development possible. Combined with the move to more granular and dynamic application architectures, this has enabled rapid development and innovation, though at the cost of growing complexity and opacity.

Why some of the world’s biggest websites use Node.js

While Node.js might not seem like a big deal when looking purely at the number of active sites that use it (currently about 1.5% of all websites), over half of all web developers use it. Because the Node.js runtime is heavily optimized for performance, it is the back-end technology of choice for some of the world’s highest-traffic sites, including Netflix, eBay, Uber, and many others. See this post for more Node.js statistics, including findings that migrating from Java to Node.js can not only bring massive performance gains but also boost productivity and reduce costs.

Node.js enables high-performance microservice deployments for full-stack JavaScript applications and mobile application back-ends. In fact, without the scalability and performance of Node.js, we wouldn’t have many of the real-time mobile applications we’ve come to rely on. Due to its small footprint, high performance, and ease of development, it is also widely used in IoT applications.

Simply put, wherever you have JavaScript on the server, you have Node.js.

Getting to the core of application security with DAST+IAST

With its advanced approach to dynamic application security testing (DAST), Netsparker has long provided the ability to accurately scan JavaScript-heavy websites and applications for vulnerabilities, including full-stack JavaScript apps. This is possible because the scanner includes a full embedded browser engine to render sites exactly as users (and attackers) will see them. It can then test all possible attack surfaces, including elements and values that never appear in the raw requests and responses exchanged with the site because they are generated or manipulated dynamically in the browser.

Depending on the specific frameworks and libraries, debugging a Node.js application can get very tricky. When you have 4 or 5 intermediate layers between the browser and the server, finding the root cause and location of a bug can be a daunting task – and that includes security defects. While a modern DAST such as Netsparker will find and report security vulnerabilities in the resulting application and even automatically confirm many of them, tracing the call chain and URL routing back to a specific JavaScript source file can still take considerable effort.

This is where Invicti’s DAST-driven true IAST approach can help by providing inside information on how security checks and test payloads are processed. A technology-specific IAST agent deployed in the application environment attaches to the runtime during dynamic testing and continuously communicates with the core vulnerability scanner, delivering server-side insights that would normally be inaccessible during a DAST-only scan. For Netsparker, supported server-side technologies include PHP, .NET, Java – and now also Node.js.

New Node.js agent for Netsparker Shark

To get additional details about vulnerabilities found in Node.js applications, you can now deploy a dedicated IAST agent in your Node.js application environment. This is as simple as copying the agent file to your server machine and launching it together with the application you will be testing. Once deployed, the agent will provide the main DAST scanner with extra information about application behavior during vulnerability testing.

Armed with additional IAST insights delivered in vulnerability reports, developers can isolate the location and root causes of security defects more quickly. For example, a DAST+IAST report for an SQL injection vulnerability will indicate not only the file and line of code but also the actual SQL query that was executed during testing. Combined with technical details of the vulnerability and remediation guidance, this helps developers understand why the test attack was possible and how to correctly fix the vulnerability.
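To show why the executed SQL statement is the decisive detail for root-cause analysis, here is an added example (not Netsparker or Invicti code) with a hypothetical driver stub that records every query the way an in-process agent hooks database driver calls; the table name, the `findUser*` functions and the sample inputs are constructed for illustration.

```javascript
// Added example, not Netsparker/Invicti code: a stand-in for a database driver
// whose query() call is recorded, the way a runtime agent hooks driver calls so
// a report can show the statement actually executed, not just the HTTP request.
const executedQueries = []; // what an in-process agent would surface per request

// Hypothetical driver stub; real Node.js drivers such as pg or mysql2 also take
// (sql, params). Nothing is sent anywhere; the query is only recorded.
function driverQuery(sql, params = []) {
  executedQueries.push({ sql, params });
  return { sql, params };
}

// Vulnerable pattern: untrusted input is concatenated into the statement text,
// so the input becomes part of the query's structure. From the HTTP side this
// endpoint looks identical to the safe one; only the executed SQL differs.
function findUserUnsafe(username) {
  const sql = "SELECT id, name FROM users WHERE name = '" + username + "'";
  return driverQuery(sql);
}

// Hardened pattern: the statement text is constant and the input travels as a
// bound parameter, so it can never change the query's structure.
function findUserSafe(username) {
  const sql = "SELECT id, name FROM users WHERE name = $1";
  return driverQuery(sql, [username]);
}

// Crude structural fingerprint of a statement: number of single quotes in the
// SQL text. With parameterized queries this stays constant for every input.
function quoteCount(sql) {
  return (sql.match(/'/g) || []).length;
}

// Runs both variants on a plain name and on one containing a quote character
// (constructed inputs) and returns what the recorder captured for each call.
function demo() {
  executedQueries.length = 0;
  findUserUnsafe("alice");
  findUserUnsafe("O'Brien"); // quote from input lands in the statement text
  findUserSafe("alice");
  findUserSafe("O'Brien");   // same input, statement text unchanged
  return executedQueries.map((q) => ({
    sql: q.sql,
    quotes: quoteCount(q.sql),
    params: q.params,
  }));
}
```

Comparing the recorded statements for the same input is exactly the kind of evidence that points a developer at the concatenation on one line rather than at the HTTP layer.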

All this extra information greatly reduces the time to fix, especially since the majority of direct-impact vulnerabilities are automatically confirmed with Proof-Based Scanning, cutting out the time required to verify issues and rule out false positives. Considering the complexity of full-stack JavaScript applications, the extra clarity provided by IAST for Node.js can help web developers work more efficiently and focus on high-value tasks.

For more information on deploying the IAST agent for Node.js in your scan environment, please see the Netsparker support page.

About the Author

Zbigniew Banach

Technical Content Writer at Invicti. Drawing on his experience as an IT journalist and technical translator, he does his best to bring web security to a wider audience on the Netsparker blog and website.