Course 39 - NodeJS Security Pentesting and Exploitation | Episode 1: From V8 Fundamentals to Namespace and Parameter Pollution
In this lesson, you’ll learn about: Node.js runtime architecture, single-threaded execution risks, global scope vulnerabilities, and HTTP Parameter Pollution (HPP)1. What is Node.js?🔹 Definition: A JavaScript runtime built on:
Node.js
Chrome V8 engine
🔹 Purpose:
Run JavaScript outside the browser
Build scalable server-side applications
👉 Key Insight Node.js is not a framework—it’s a runtime environment2. Node.js Architecture🔹 Core model:
Single-threaded
Event-driven
Non-blocking I/O
🔹 How it works:
One main event loop handles all requests
Async tasks delegated to system threads
👉 Key Insight It scales well—but one bad crash can affect everything3. Single-Threaded Risk🔹 Problem:
One runtime thread handles all requests
🔹 What can go wrong:
Uncaught exception → entire server stops
Memory leak → whole app affected
👉 Key Insight Scalability comes with system-wide fragility4. Global Namespace Pollution🔹 Definition:
Variables declared globally in Node.js are shared across requests
🔹 Risk in Express.js:
Data leakage between users
Shared state corruption
🔹 Example risk:
One user modifies a global variable affecting all users
👉 Key Insight Global state in server apps = security vulnerability5. Why Global Variables Are Dangerous🔹 Issues:
No request isolation
Cross-session data exposure
Hard-to-debug behavior
👉 Key Insight Server logic must be stateless by design6. HTTP Parameter Pollution (HPP)🔹 Definition:
Sending multiple values for the same parameter
Example:?id=1&id=2 🔹 Node.js behavior:
Captures all values as an array
👉 Key Insight Unlike some frameworks, Node.js does not automatically collapse parameters7. Why HPP Becomes a Security Issue🔹 Risks:
Bypass filters
Confuse validation logic
Manipulate backend decisions
🔹 Example:
WAF expects single value but receives array
👉 Key Insight Ambiguous input = exploitable behavior8. Comparison With Other Systems🔹 Some frameworks:
Course 39 - NodeJS Security Pentesting and Exploitation | Episode 1: From V8 Fundamentals to Namespace and Parameter Pollution
In this lesson, you’ll learn about: Node.js runtime architecture, single-threaded execution risks, global scope vulnerabilities, and HTTP Parameter Pollution (HPP)1. What is Node.js?🔹 Definition: A JavaScript runtime built on:
Node.js
Chrome V8 engine
🔹 Purpose:
Run JavaScript outside the browser
Build scalable server-side applications
👉 Key Insight Node.js is not a framework—it’s a runtime environment2. Node.js Architecture🔹 Core model:
Single-threaded
Event-driven
Non-blocking I/O
🔹 How it works:
One main event loop handles all requests
Async tasks delegated to system threads
👉 Key Insight It scales well—but one bad crash can affect everything3. Single-Threaded Risk🔹 Problem:
One runtime thread handles all requests
🔹 What can go wrong:
Uncaught exception → entire server stops
Memory leak → whole app affected
👉 Key Insight Scalability comes with system-wide fragility4. Global Namespace Pollution🔹 Definition:
Variables declared globally in Node.js are shared across requests
🔹 Risk in Express.js:
Data leakage between users
Shared state corruption
🔹 Example risk:
One user modifies a global variable affecting all users
👉 Key Insight Global state in server apps = security vulnerability5. Why Global Variables Are Dangerous🔹 Issues:
No request isolation
Cross-session data exposure
Hard-to-debug behavior
👉 Key Insight Server logic must be stateless by design6. HTTP Parameter Pollution (HPP)🔹 Definition:
Sending multiple values for the same parameter
Example:?id=1&id=2 🔹 Node.js behavior:
Captures all values as an array
👉 Key Insight Unlike some frameworks, Node.js does not automatically collapse parameters7. Why HPP Becomes a Security Issue🔹 Risks:
Bypass filters
Confuse validation logic
Manipulate backend decisions
🔹 Example:
WAF expects single value but receives array
👉 Key Insight Ambiguous input = exploitable behavior8. Comparison With Other Systems🔹 Some frameworks: