Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Websockets, socket.io, nodejs, and security

I am working on a real-time analytics application and am using websockets (through the socket.io library) along with nodejs. There will be no "sensitive" data being sent through the websockets (like names, addresses, etc). It will be only used to track visits and to track the total visitors (along with the number of visitors on the top 10 most visited URLs).

Are there any security issues that I should be aware of? Am I opening myself up to:

  1. DoS attacks?
  2. XSS attacks?
  3. Additional security holes that could be used to gain access to the webserver/webserver's LAN?
  4. Anything else I didn't mention here?

Thanks!

like image 487
Aaron Avatar asked Jun 15 '11 18:06

Aaron


1 Answers

1. DoS attacks?

You are opening yourself up against DoS attacks and if they are done properly there is almost nothing you can do against this kind of attacks.

2. XSS attacks?

If you don't filter you are vulnerable to XSS attacks. I believe you could protect yourself against this using something looking like this:

/**
 * Escape the given string of `html`.
 *
 * @param {String} html
 * @return {String}
 * @api private
 */

function escape(html){
  return String(html)
    .replace(/&(?!\w+;)/g, '&')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}
3. Additional security holes that could be used to gain access to the
webserver/webserver's LAN?

You should protect yourself against LAN attacks using a firewall?

4. Anything else I didn't mention here?

  • If you are sending sensitive information you should sent it over SSL at least. You should also come up with some sort of authentication scheme...
  • Maybe you could be vulnerable to session fixation?
like image 76
Alfred Avatar answered Sep 20 '22 20:09

Alfred