If you ever find Server Side Request Forgery (SSRF) in a Node.js application and the app is using the request module, you can use a special URL format to detect whether files and directories exist on the server.

While request does not support the file:// scheme, it does support a special URL format for talking to Unix domain sockets, and the error returned when the socket path exists is different from the error returned when it does not.

The format looks like this: http://unix:SOCKET:PATH. For our purposes we can ignore PATH altogether, since the connection to SOCKET fails before any HTTP request is sent.

Let’s take this code for example. …


I learned a long time ago that not all security research pans out with a stack of vulnerabilities, but every time I venture down a rabbit hole I learn something along the way. This is one of those times.

During a recent assessment, ^Lift team member Jon Lamendola found an access_token in a URL for a project dependency, and that got us thinking:

wonder if any npm dependencies are using urls that contain tokens or passwords.

That was enough to nerd snipe an hour of my time as I answered his question and found a few more to answer along…


The Node Security team is excited to announce version 3.0.0 of the nsp CLI tool.

Get it by running npm i nsp@next

This release marks the 3rd major iteration of the CLI. While the changes mentioned below may seem minor, the entire CLI was re-written from the ground up by Nathan LaFreniere with the goal of cleaning up the code to the point that lets us implement some amazing features we have planned for Node Security.

Here are some of the notable changes.

Node 6.x and beyond

We are dropping support for Node versions below 6.x. If you haven’t upgraded, stop dragging your…


Recently a large number of regular expression denial of service (ReDoS) vulnerabilities were released to the public via GitHub issues. These issues don’t have patches, but many of the maintainers are welcoming pull requests. I’m writing to ask the community for some help. If you have the time available, or your company supports contributions to open source, please consider helping fix these issues.

Below you will find a list of these currently public and unfixed vulnerabilities, sorted by npm monthly download count. While some of these issues may be unlikely to face actual exploitation given the typical…


Before you read this post, please run git --version, and if it’s not 2.14.1 or greater, go upgrade it.

In this post we are going to explore abusing the recently published git ssh:// URL vulnerability from inside a package.json to execute commands during the npm install process.

How the vulnerability works:
The git vulnerability results from a malformed ssh:// URL whose host begins with a dash (-). git passes that host to the ssh command as a plain argument, and ssh treats an argument starting with a dash as a command-line option rather than a hostname.

Take this proof of concept example. It injects the -V argument and exits.

git clone ssh://-V/github.com
Cloning…


The Practical Developer #DevDiscuss tonight got me thinking about mentorship and how it has impacted my life. It doesn’t fit in a tweet or a thread of tweets, so you get the story of how a mentorship gave me my entire career in security. This is going to be a bit stream of consciousness, so give me a break on grammar and spelling :)

I was raised in a small farming town in Minnesota. There wasn’t a lot to do, and naturally children would grow up to inherit the farm. When I was 8 I got a computer, learned BASIC by…


As a startup, where might your organization get the biggest bang for your buck when it comes to security?

Consider this controversial thought:

Your founders — CEOs, CTOs — are very likely your organization’s greatest security risk.

There are few things that better predict an organization’s likelihood of a massive security breach than its founders’ knowledge, priorities, and willingness to put in the effort to grasp the fundamentals of security.

In a way, most software vulnerabilities can be traced up the chain of authority. Founders make decisions every step of the way that shape your future security posture; the security of your future depends on the choices you make today.

It seems like every…


Today marks the 4th birthday of the Node Security Project. During that time we accomplished a lot, failed more than a few times, and inspired many developers to make security an important part of their discipline. The conversations that I’ve been able to have with many of you at conferences about things you’ve learned or bugs you’ve found are some of my favorite memories.

To celebrate I wanted to highlight some of the achievements along the way.

  • Released nsp, the first CLI tool to check for known vulnerabilities, which has had 2,772,324 downloads
  • david-dm.org was the first third-party site to…


Earlier this week Zach Grace published an article on one way you could backdoor a Node.js Express application without touching disk. This jogged my memory of something I posted in our team’s chat last week but never wrote about: how I would backdoor an Express application in memory. It’s a bit different from how Zach approached it, so I thought it would be good to expand on his post and share the knowledge.

My “vulnerable” proof of concept is below. It uses a fairly common pattern of putting routes in a separate file. …


Just before New Year’s I published 140+ advisories on Node.js modules. I’ve been researching ways to compromise developers and Node.js applications without compromising the npm registry or its CDN.

To start, I looked for modules with install hooks that downloaded and executed, or otherwise used, resources fetched from the internet over HTTP, an insecure medium that is susceptible to interception and manipulation, also known as a man-in-the-middle attack.

What is Man-In-The-Middle (MITM)?

Man-in-the-Middle is a type of attack in which the attacker is able to position themselves between two parties and intercept and influence the traffic flowing between them.

Normal Traffic Flow

Adam Baldwin

VP of Security at npm. Previously founded @liftsecurity, Founder @nodesecurity acquired by npm, inc
