Websockets, socket.io, nodejs, and security
https://stackoverflow.com/questions/6362585
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianPergunta
I am working on a real-time analytics application and am using websockets (through the socket.io library) along with nodejs. There will be no "sensitive" data being sent through the websockets (like names, addresses, etc). It will be only used to track visits and to track the total visitors (along with the number of visitors on the top 10 most visited URLs).
Are there any security issues that I should be aware of? Am I opening myself up to:
- DoS attacks?
- XSS attacks?
- Additional security holes that could be used to gain access to the webserver/webserver's LAN?
- Anything else I didn't mention here?
Thanks!
Solução
1. DoS attacks?
You are opening yourself up against DoS attacks and if they are done properly there is almost nothing you can do against this kind of attacks.
2. XSS attacks?
If you don't filter you are vulnerable to XSS attacks. I believe you could protect yourself against this using something looking like this:
/**
* Escape the given string of `html`.
*
* @param {String} html
* @return {String}
* @api private
*/
function escape(html){
return String(html)
.replace(/&(?!\w+;)/g, '&')
.replace(/</g, '<')
.replace(/>/g, '>')
.replace(/"/g, '"');
}
3. Additional security holes that could be used to gain access to the webserver/webserver's LAN?
You should protect yourself against LAN attacks using a firewall?
4. Anything else I didn't mention here?
- If you are sending sensitive information you should sent it over SSL at least. You should also come up with some sort of authentication scheme...
- Maybe you could be vulnerable to session fixation?
