Invicti adds IAST support for Node.js

Invicti continues to expand its IAST capabilities, now adding a Node.js agent to deliver additional insights when scanning modern JavaScript applications. Learn more about where Node.js is used and what additional information the DAST+IAST approach can bring to vulnerability scanning and remediation in Node.js applications.


What is Node.js and why is it important?

JavaScript started life as a language for running client-side scripts inside a web browser. Created in 2009 by Ryan Dahl, Node.js is a JavaScript runtime environment built on the standalone V8 engine that makes it possible to execute server-side scripts outside a web browser. Thanks to Node.js, JavaScript is no longer limited to client-side scripting and can be used to develop full-fledged server-side applications.

The ability to use JavaScript on the back end as well as the front end has led to an explosion of JavaScript frameworks that rely on Node.js for high-performance server-side processing and then build an entire application stack on top of it. Traditional web applications were forced to use different technologies on the server and client sides, but Node.js has made full-stack JavaScript development possible. Combined with the move to more granular and dynamic application architectures, this has enabled rapid development and innovation, though at the cost of growing complexity and opacity.

Why some of the world’s biggest websites use Node.js

While Node.js might not seem a big deal when looking purely at the number of active sites that use it (currently about 1.5% of all websites), over half of all web developers use it. Because the Node.js runtime is heavily optimized for performance, it is the back-end technology of choice for some of the world’s highest-traffic sites, including Netflix, eBay, Uber, and many others. See this post for more Node.js stats, for example that migrating from Java to Node.js can not only bring massive performance gains but also boost productivity and reduce costs.

Node.js enables high-performance microservice deployments for full-stack JavaScript applications and mobile application back-ends. In fact, without the scalability and performance of Node.js, we wouldn’t have many of the real-time mobile applications we’ve come to rely on. Due to its small footprint, high performance, and ease of development, it is also widely used in IoT applications.

Simply put, wherever you have JavaScript on the server, you have Node.js.

Getting to the core of application security with DAST+IAST

With its advanced approach to dynamic application security testing (DAST), Invicti has long provided the ability to accurately scan JavaScript-heavy websites and applications for vulnerabilities, including full-stack JavaScript apps. This is possible because the scanner includes a full embedded browser engine to render sites exactly as users (and attackers) will see them. It can then test all possible attack surfaces, including elements and values that don’t appear in responses sent to and from the site because they are generated or manipulated dynamically.

Depending on the specific frameworks and libraries, debugging a Node.js application can get very tricky. When you have 4 or 5 intermediate layers between the browser and the server, finding the root cause and location of a bug can be a daunting task – and that includes security defects. While a modern DAST such as Invicti will find and report security vulnerabilities in the resulting application and even automatically confirm many of them, working back through the call chain and URL routing to the specific JavaScript source file responsible can still be difficult.

This is where Invicti’s DAST+IAST approach can help by providing inside information on how security checks and test payloads are processed. A technology-specific IAST agent deployed in the application environment attaches to the runtime during dynamic testing and continuously communicates with the core vulnerability scanner, delivering server-side insights that would normally be inaccessible during a DAST-only scan. For Invicti, supported server-side technologies include PHP, .NET, Java – and now also Node.js.

New Node.js agent for Invicti IAST

To get additional details about vulnerabilities found in Node.js applications, you can now deploy a dedicated IAST agent in your Node.js application environment. This is as simple as copying the agent file to your server machine and launching it together with the application you will be testing. Once deployed, the agent will provide the main DAST scanner with extra information about application behavior during vulnerability testing.

Armed with additional IAST insights delivered in vulnerability reports, developers can isolate the location and root causes of security defects more quickly. For example, a DAST+IAST report for an SQL injection vulnerability will indicate not only the file and line of code but also the actual SQL query that was executed during testing. Combined with technical details of the vulnerability and remediation guidance, this helps developers understand why the test attack was possible and how to correctly fix the vulnerability.

All this extra information greatly reduces the time to fix, especially since the majority of direct-impact vulnerabilities are automatically confirmed with Proof-Based Scanning, cutting out the time required to verify issues and rule out false positives. Considering the complexity of full-stack JavaScript applications, the extra clarity provided by IAST for Node.js can help web developers work more efficiently and focus on high-value tasks.

For more information on deploying the IAST agent for Node.js in your scan environment, please see the Invicti support page.

Zbigniew Banach

About the Author

Zbigniew Banach - Technical Content Lead & Managing Editor

Cybersecurity writer and blog managing editor at Invicti Security. Drawing on years of experience with security, software development, content creation, journalism, and technical translation, he does his best to bring web application security and cybersecurity in general to a wider audience.