Node.js Vulnerability Cheatsheet - Security Boulevard

 
 
25 vulnerabilities to look out for in Node.js applications: directory traversal, prototype pollution, XSSI, and more…

Securing applications is not the easiest thing to do. An application has many components: server-side logic, client-side logic, data storage, data transportation, API, and more. With all these components to secure, building a secure application can seem really daunting.

Thankfully, most real-life vulnerabilities share the same root causes. By studying these common vulnerability types, why they happen, and how to spot them, you can learn to prevent them and secure your application.

The use of every language, framework, or environment exposes the application to a unique set of vulnerabilities. The first step to fixing vulnerabilities in your application is to know what to look for.

Today, let's take a look at 25 of the most common vulnerabilities that affect Node.js applications, and how you can find and prevent them. The vulnerabilities I will cover in this post are:

Prototype pollution
Cross-site script inclusion (XSSI)
Insecure Puppeteer settings
Security misconfiguration
Remote code execution (RCE)
SQL injection
Log injection
Mail injection
Template injection (SSTI)
Regex injection
Header injection
Session injection
Host header poisoning
Sensitive data leaks or information leaks
Authentication bypass
Improper access control
Directory traversal or path traversal
Arbitrary file writes
Denial of service attacks (DoS)
Encryption vulnerabilities
Mass assignment
Open redirects
Cross-site request forgery (CSRF)
Server-side request forgery (SSRF)
Trust boundary violations

Prototype Pollution

JavaScript is a unique language with many idiosyncrasies. One characteristic that sets it apart from other mainstream languages is how objects are created in JavaScript.
Rather than being instantiated from classes, objects in JavaScript inherit their properties from an existing object, or a “prototype”.

From a security perspective, this means that if an attacker can modify the prototype object and its properties, the change affects the properties of all objects created from that prototype. This can lead to anything from cross-site scripting (XSS) attacks in the browser, to remote code execution (RCE) attacks in Node.js applications. Learn how these attacks work and how to prevent them here.

Cross-Site Script Inclusion

Cross-site script inclusion attacks are also referred to as XSSI. These attacks happen when a malicious site includes JavaScript from a victim site to extract sensitive info from the script.

The same-origin policy (SOP) usually controls data access across origins. But the SOP does not limit JavaScript code, and the HTML