Node.js Security Scanner – Enter Acunetix!

JavaScript (JS) has taken the software development world by storm. Nearly every modern web application makes extensive use of JavaScript on the front end, and JavaScript is also extraordinarily popular on the back end with Node.js. With so many dependencies from open source projects making their way into the hands of JS developers, it’s no surprise that new vulnerabilities in popular NPM packages emerge daily. With Node.js applications appearing ever more frequently in the enterprise landscape, it’s hard to ignore known vulnerabilities and their associated security risks. In JavaScript web applications, security vulnerabilities such as Cross-site Scripting (XSS) are very common. Moreover, some vulnerable dependencies may even allow attackers to launch SQL Injection attacks or run malicious code.

Acunetix is a web application security tool which automatically performs a vulnerability assessment of a website or web application together with any server misconfigurations. Acunetix allows you to run security checks for thousands of vulnerabilities quickly and accurately on a regular basis.

Unlike many other web application scanners, Acunetix is very well equipped to scan modern Single Page Applications (SPAs) thanks to its advanced crawler and JavaScript engine, DeepScan. With DeepScan, Acunetix can understand and fully test applications which rely on JavaScript frameworks like React, Angular, Ember and Vue. This means Acunetix can understand an underpinning RESTful API when crawling an SPA. Since Acunetix understands more than just JSON and XML, it can build a correct input scheme (an internal representation of a web application’s input), which it may then rigorously test for Node.js vulnerabilities.

Customizable scope

When scanning large applications for Node.js related vulnerabilities, it may be desirable to divide the scan into smaller segments, or scopes. A typical example is when different development teams work on different parts of a large web application with different release cycles and, therefore, different scanning schedule requirements.

Acunetix makes customizing the scope of a web application security vulnerability scan painless. There are several ways to restrict the scope of a scan: you may manually exclude pages you don’t want to scan, or, for more advanced users, Acunetix also supports excluding pages based on regular expressions.

Beyond vulnerability scanning

Another area where many other vulnerability scanners fall short, and which Acunetix addresses, is the ability to produce great reports. Acunetix can instantly generate a wide variety of technical, regulatory and compliance reports such as OWASP Top 10, PCI DSS, HIPAA and many others. Additionally, Acunetix allows users to export discovered vulnerabilities to issue trackers such as Atlassian JIRA, GitHub and Microsoft Team Foundation Server (TFS).

With built-in Jenkins integration, Acunetix can also easily integrate with existing software development, code security and SDLC workflows such as CI/CD pipelines.

Don’t sit idle on web application vulnerabilities in your Node.js applications. Get the information you need with Acunetix. Try Acunetix online or download it now to try it on premises.

Frequently asked questions

What is Node.js?

Node.js is an open-source platform that lets you run JavaScript code on the back-end. This platform is built on the basis of the Chrome JavaScript runtime. It is not a separate language like PHP and it is not a framework like ASP.NET.

Do Node.js applications need vulnerability scanning?

Node.js applications, just like all other web applications, are prone to web vulnerabilities. For example, SQL Injections and Cross-site Scripting vulnerabilities are common in Node.js applications. Therefore, you need to regularly scan Node.js applications to make sure they are safe.

How does a vulnerability scanner scan Node.js applications?

A dynamic scanner like Acunetix does not care what language the application is written in and it does not require any access to the application code. It scans the application from the front-end, discovering any vulnerabilities that have been introduced in the back-end, too.

Why is Acunetix so well suited to securing Node.js applications?

Node.js applications are often very complex and include a lot of JavaScript and HTML5 in the front-end. Acunetix is very well suited to scanning such applications because its DeepScan engine was designed with such feature-rich applications in mind. Thanks to DeepScan, Acunetix can find more than other dynamic scanners.

“We use Acunetix as part of our Security in the SDLC and to test code in DEV and SIT before being promoted to Production.”

Kurt Zanzi, Xerox CA-MMIS Information Security Office, Xerox

© Acunetix 2024, by Invicti