Consider a Node.js app that builds database queries directly from user input, without parameterizing or sanitizing it. What is the main security risk?
Think about attacks that manipulate database commands.
Concatenating unsanitized input into a query lets an attacker inject SQL of their own, known as SQL injection. The standard defence is to send values as query parameters rather than as part of the SQL text.
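As an added example (not part of the original quiz), here is the same lookup built by string concatenation and by a parameterized query. No database is contacted; the functions only build the statement so the difference is visible. The `$1` placeholder is the PostgreSQL style used by the `pg` driver (an assumption; `mysql2` uses `?`). The example also goes one step beyond the question: parameters bind values, not identifiers, so a user-chosen sort column has to be checked against an allow-list instead.

```javascript
// Added example: vulnerable and hardened query construction (no DB connection needed).
// Placeholder syntax ($1) is PostgreSQL-style, as used by the `pg` driver (assumption).

// Vulnerable: the input is pasted into the SQL text, so a quote inside it ends the
// string literal and whatever follows is parsed as SQL.
function buildQueryUnsafe(username) {
  return `SELECT id FROM users WHERE name = '${username}'`;
}

// Hardened: the SQL text is fixed and the value travels separately as a parameter.
// The driver never lets it be parsed as SQL, so a quote is just a character.
function buildQuerySafe(username) {
  return { text: 'SELECT id FROM users WHERE name = $1', values: [username] };
}

// Parameters cannot bind identifiers (column or table names). For a user-chosen
// sort column the safe option is an allow-list, checked before the name is
// interpolated into the statement.
const SORTABLE_COLUMNS = new Set(['name', 'created_at']);
function buildListQuery({ search, sortBy }) {
  if (!SORTABLE_COLUMNS.has(sortBy)) {
    throw new Error(`unsupported sort column: ${sortBy}`);
  }
  return {
    text: `SELECT id, name FROM users WHERE name LIKE $1 ORDER BY ${sortBy}`,
    values: [`%${search}%`], // the LIKE pattern is still a bound value
  };
}

// Constructed attacker input: closes the literal and appends an always-true condition.
const ATTACK_INPUT = "' OR '1'='1";
```

With `ATTACK_INPUT`, `buildQueryUnsafe` returns `SELECT id FROM users WHERE name = '' OR '1'='1'`, a query that matches every row; `buildQuerySafe` returns the unchanged statement with the attack string sitting harmlessly in `values`. The `%` and `_` wildcards in the LIKE pattern remain under user control, which is a performance and information-leak concern rather than an injection.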
Given a Node.js server that runs eval(userInput), what is the likely security consequence?
Consider what eval() does with arbitrary code strings.
eval() executes the string as JavaScript with the full privileges of the server process, so an attacker who controls the input gets remote code execution: reading files, spawning processes, or exfiltrating data, all as the server's user.
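As an added example (not the quiz author's code), the direct eval() sits beside a replacement that accepts only what a calculator endpoint actually needs: a small recursive-descent parser for arithmetic. The grammar and function names are this example's own. The point is that unrecognised input is rejected by the grammar rather than filtered by a blocklist of dangerous words.

```javascript
// Added example (not from the page): eval() on request input, beside a parser that
// accepts only the arithmetic grammar a calculator endpoint actually needs.

// Vulnerable: whatever the client sends runs as JavaScript inside the server process,
// with access to process, require(), the filesystem and the network.
function evalUnsafe(userInput) {
  return eval(userInput);
}

// Hardened: a recursive-descent parser for numbers, + - * /, unary minus and
// parentheses. Identifiers, property access and calls are not in the grammar, so
// input like "process.exit(1)" or "require('child_process')" is rejected before
// anything is executed. (Grammar and names are this example's own.)
function evalSafe(src) {
  if (typeof src !== 'string') throw new TypeError('expected a string');
  let i = 0;
  const skipWs = () => { while (src[i] === ' ') i++; };

  function number() {
    skipWs();
    const m = /^\d+(\.\d+)?/.exec(src.slice(i));
    if (!m) throw new SyntaxError(`unexpected input at offset ${i}`);
    i += m[0].length;
    return Number(m[0]);
  }

  function factor() {
    skipWs();
    if (src[i] === '(') {
      i++;
      const v = expr();
      skipWs();
      if (src[i++] !== ')') throw new SyntaxError('missing )');
      return v;
    }
    if (src[i] === '-') { i++; return -factor(); }
    return number();
  }

  function term() {
    let v = factor();
    for (;;) {
      skipWs();
      const op = src[i];
      if (op !== '*' && op !== '/') return v;
      i++;
      const r = factor();
      v = op === '*' ? v * r : v / r;
    }
  }

  function expr() {
    let v = term();
    for (;;) {
      skipWs();
      const op = src[i];
      if (op !== '+' && op !== '-') return v;
      i++;
      const r = term();
      v = op === '+' ? v + r : v - r;
    }
  }

  const result = expr();
  skipWs();
  if (i !== src.length) throw new SyntaxError(`unexpected input at offset ${i}`);
  return result;
}
```

`evalUnsafe('process')` returns the server's process object, which is all an attacker needs as a foothold; `evalSafe('process.exit(1)')` throws a SyntaxError at offset 0 because no rule of the grammar matches an identifier.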
Prototype pollution happens when attackers modify object prototypes (typically Object.prototype) through keys such as '__proto__' in input that gets merged, cloned or assigned recursively. Which snippet blocks this?
Check which option blocks dangerous keys before assignment.
Checking for '__proto__' and throwing an error prevents prototype pollution by refusing to follow that key into the prototype. The same check is needed for 'constructor' and 'prototype', since constructor.prototype reaches the same object, and it must run on parsed input: JSON.parse() does create an own '__proto__' property, so the key survives parsing.
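As an added example (not one of the quiz's options), a recursive merge in its vulnerable and hardened forms, with a function that pollutes Object.prototype through a constructed JSON payload, observes the effect on a fresh object, and then removes the polluted property again. The function names and the `isAdmin` property are this example's own.

```javascript
// Added example (not from the page): recursive merge, vulnerable and hardened.

// Vulnerable: walks every key of the source. For the key '__proto__',
// ('__proto__' in target) is true through the inherited accessor, so
// target['__proto__'] resolves to Object.prototype and the recursion writes there.
function mergeUnsafe(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value && typeof value === 'object') {
      if (!(key in target)) target[key] = {};
      mergeUnsafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: refuse the three keys that lead to a prototype, and only descend into
// properties the target itself owns (never inherited ones).
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`refusing to merge key "${key}"`);
    }
    const value = source[key];
    if (value && typeof value === 'object') {
      if (!Object.prototype.hasOwnProperty.call(target, key)) target[key] = {};
      mergeSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker payload, e.g. a JSON request body. JSON.parse() keeps
// '__proto__' as an own property, so Object.keys() returns it.
const PAYLOAD = '{"__proto__": {"isAdmin": true}}';

// Runs the attack against both merges and reports what happened. The polluted
// property is deleted afterwards so the rest of the process is not affected.
function demonstrate() {
  mergeUnsafe({}, JSON.parse(PAYLOAD));
  const unsafePolluted = ({}).isAdmin === true; // a brand-new object now claims to be admin
  delete Object.prototype.isAdmin;               // undo the damage

  let safeThrew = false;
  try {
    mergeSafe({}, JSON.parse(PAYLOAD));
  } catch (e) {
    safeThrew = true;
  }
  return { unsafePolluted, safeThrew, cleanAfterwards: ({}).isAdmin === undefined };
}
```

An application that later checks `if (user.isAdmin)` on any plain object would grant access after the unsafe merge, which is why pollution of Object.prototype is an authorization problem and not just a data-integrity one. Using `Object.create(null)` for the target removes the inherited accessor entirely, but the key check is still needed because a nested target may be an ordinary object.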
Examine the code below:
const http = require('http');
http.createServer((req, res) => {
  while (true) {}
  res.end('Hello');
}).listen(3000);
What is the problem?
Think about what an infinite loop does in Node.js's single-threaded model.
The loop never returns, so the event loop is stuck inside this one callback: res.end('Hello') is unreachable, the first client never gets a response, and every later connection queues up behind it. A single request is enough to take the whole server down, a denial of service.
Consider this Express.js code:
const express = require('express');
const app = express();
app.use((req, res, next) => {
  console.log('First middleware');
  // missing next()
});
app.use((req, res, next) => {
  console.log('Second middleware');
  res.send('Done');
});
app.listen(3000);
What happens when a request is made?
Think about what happens if a middleware neither calls next() nor sends a response.
Without next(), control never passes to the second middleware, so nothing sends a response: 'First middleware' is logged and the request hangs with its connection open until the client or the server's request timeout gives up. Besides being a functional bug, hung requests hold connections, so enough of them amount to a denial of service.