Black Hat

SOOS @ Black Hat USA 2022
August 9-11 | Booth #IC58

Node JS vs React JS: What’s the Difference?

Every internet user on the planet interacts with web applications built with React and Node JS. Both tools have helped foster the content people view on widescreen televisions, computer monitors, and smartphones. Knowing Node and React’s roles in the web application ecosystem gives developers a leg up in the software marketplace. Understanding the security issues around these popular tools can help a coder avoid disaster.

What Does JS Mean?

React JS vs. Node JS: What does the JS stand for? A file ending with the .js subscript contains JavaScript code. Born in the early 1990s, JavaScript is an interpreted programing language that offers an excellent blend of programming power and ease of use. The language ushered in the era of dynamic web pages and is now a standard building block for every website.

In its early years, JavaScript only handled client duties, the action that takes place in a web browser. The other half of a web application requires communication with a server. For the first two decades of the internet era, deploying a web app required JavaScript for client operations and another language to fetch data to and from the server. Many developers wished that the friendly and powerful JavaScript could also handle backend server duties. In 2009, this hope received an answer: Node.js.

What Is Node.js?

With Node.js, JavaScript took on server functions, making it possible to use a single programming language for web application deployment. Node runs happily in popular operating systems such as Linux, Windows, macOS, and BSD Unix. Node runs code asynchronously; that means that after passing a client’s request to the file system, the runtime environment can move to the next request without waiting for the file system to complete the previous query. Node passes the data back to the client when the host file system returns an answer. This feature simplifies coding and enables responsive performance for end-users.

Node proved explosively popular with developers, and coders leveraged the responsiveness with ever richer web content. Node.js receives aggressive development with nightly interim builds and twice-yearly major updates. Along the way, Node increasingly made it possible for developers to move some tasks out of the browser and onto the server. Not surprisingly, much of Node’s development focuses on speed. Node’s original responsiveness encouraged developers to pile on ever higher amounts of content, necessitating additional rounds of speed improvements.

Node’s release triggered other software advances. Within a year of Node’s introduction, package manager npm was born. Written in JavaScript, npm brought order to the chaotic hierarchy of packages that were the building blocks of web applications. Microsoft later acquired npm’s corporate parent, and the venerable package manager continues as an integral component of every Node installation.

What Is React.js?

In 2011, social media giant Facebook confronted user dissatisfaction with the platform’s inconsistent and often slow performance. In reaction, the company developed a software solution, creatively named React. Two years later, Facebook released React to the free and open-source community. React is a JavaScript library — a collection of code — for creating single-page user interfaces. UIs are the part of an application that users see and touch. React quickly won wide acclaim from developers for its ability to get an application up and running in a short time. Stepping through React’s tutorial demonstrates the framework’s capability.

React folds all of an application’s user interface elements into a tree-like structure known as the virtual document object model. The virtual DOM allows developers to ride herd on many user interface elements. The virtual DOM makes lightning-quick updates, as only changed components receive a redraw. The virtual DOM also makes React applications scalable, as the structure allows developers to add new user interface elements to meet customer demands. React features also include JSX, an extension of JavaScript that includes HTML’s familiar angle-bracketed syntax. The build process converts JSX into JavaScript code before execution.

Two years after React’s open-source release, Facebook debuted React Native, a framework for building applications on Android and Apple’s iOS. Over the ensuing years, React has gained a thriving ecosystem of plug-ins and libraries.

Node JS vs React JS: What’s the Difference?

Node and React are not competitors, and the tools fulfill different missions. Node is a runtime environment: It runs JavaScript code. Conversely, React is a framework: Developers build JavaScript applications on its structure. Many successful web applications employ both tools. Notably, Netflix employs React to build the service’s previewing interface while relying on Node.js for server duties. Whether a developer works for an internet giant like Netflix or a startup, they must achieve one mission to maintain customer loyalty: security.

What Are the Critical Security Steps for React Apps?

While powerful, React is not like a self-driving electric vehicle. Instead, think of the framework as a 1960s muscle car with a four-speed manual transmission and a heavy clutch. Deploying a secure web app with React requires adherence to secure programming practices, a difficult challenge under ship-it-yesterday marketing pressure. As a starting point, freeCodeCamp’s Shachee Swadia outlines some of the best coding practices for React apps.

Understand React’s Threat Model

Applications built with React share the vulnerabilities of all JavaScript apps. The JavaScript threat model leads off with these attack vectors:

  • SQL Injection Attacks: Structured Query Language is the method of choice for extracting information from a web application’s database. A SQL injection attack occurs when an intruder weasels a malicious query into a web app. SQL injection attacks, first discovered more than two decades ago, are still going strong. Cyber-predators scan the web for vulnerable databases, with some cybersecurity experts arguing that nearly every web app in the world has received at least one intrusion probe.
  • Cross-Site Scripting Attacks: With an XSS attack, hackers inject malicious JavaScript into a web application’s client-side. The sky is the limit with an XSS attack; predators may rewrite web pages, access sensitive data stored in cookies, or even install keylogging software.
  • XML External Entity Injection Attacks: An XEE injection attack takes advantage of Extensible Markup Language. XML resembles HTML, a popular format for swapping data between web browsers and servers. XML’s readability makes the language an inviting target for hackers. All web browsers include an XML parser to handle the communication between the browser and the remote server. When hackers inject malicious code into the parser, data stored on the remote server becomes vulnerable.

Begin With Resilient HTML

HTML is the foundation of every web page; that makes this code the starting place for security. Swadia recommends three techniques to deter intrusions:

  • Use Escape Characters: React’s JSX feature automatically escapes and ignores unbound data. Binding data to a variable with curly brackets compels the JSX parser to escape any unbound data. This step ensures that attempts to insert malicious code will fall harmlessly outside of the binding definition. While defining variables with this level of care is undeniably tedious, it’s far more preferable to answering for a security breach.
  • Take Advantage of HTML’s Disabled Attribute: Hackers can work mischief in a web page by giving a user interface element the focus and triggering the component with code. Setting a component’s disabled attribute to “true” thwarts this type of intrusion. Buttons and other user interface elements remain disabled until explicitly enabled inside of a validation code block.
  • Check User-Provided Data: Asking a user to input data is asking for trouble with any web app. Swadia recommends using React’s dangerouslySetInnerHTML property to flag questionable user-provided input. Once identified, functions from the DOMPurify library can strip the malicious code before additional processing.

Perform Basic Authentication

Beyond requiring multi-factor authentication for all users, Swadia advises securing the client-server connection by adding a realm attribute to the app’s domain header. This method is a quick and easy way to limit validated users to the members of a comma-separated list.

Avoid Zip Slip With Proper File Management

The Zip Slip vulnerability permits remote command execution; thus, avoiding this vulnerability is a mission-critical task for developers. Zip files contain compressed data, and that data may well contain malicious code when extracted. Scanning your project with a software composition analysis tool will flag any known libraries containing the exploit, and renaming zip files before extraction is another way to thwart the exploit. Finally, confining all of a React component’s files to a single folder can mitigate the effects of remote command malware.

Parse URLs

By necessity, many applications must link to other URLs. With these apps, avoiding links to URLs laced with malicious JavaScript code is imperative. Since a valid URL must begin with “HTTPS:”, Swadia recommends passing every URL through a shortcode block to check for the correct preface. More comprehensive protection comes from allowlists and blocklists. A blocklist prevents links to any listed URL. Where feasible, allowlists shrink the attack space even further by limiting links to approved sites.

Secure React’s APIs

React must allow connections with other application programming interfaces to create a web application as a user interface framework. Step one is to implement encryption for these connections.

A more comprehensive measure is API schema validation. An API’s schema defines the data structure; this allows coders to reliably exchange data in the correct format between software building blocks. The usual format for this exchange is JavaScript Object Notation, usually shorted to JSON and pronounced like the leader of the legendary Argonauts. JSON’s flexibility makes it simple to pass data and maintain backward compatibility among APIs. Unfortunately, unvalidated JSON strings leave a React application wide open to XSS and SQL injection attacks.

Full-stack JavaScript pros may write custom validation code, but more than a dozen React validation libraries have earned high reviews in the JS community. With the heavy lifting offloaded to a library, a schema validation block takes between eight and 15 lines of code. The coding is a small price to pay when considering the reputation damage from a security breach.

Add a Web Application Firewall

Layered security is the best security. Developers can backstop their diligent code-writing efforts by adding a web application firewall. A firewall acts as a filter for unauthorized transactions. This tool can prevent malicious code from coming in and sensitive data from leaking out. WAFs come in three flavors:

  • Hardware: For an organization with the size to support a 24-7 IT staff, a hardware WAF is an appealing solution. This approach eliminates connection hassles with a remote data center and provides total control of the firewall’s configuration options. With these in-house resources, it’s possible to fine-tune a WAF for the organization’s threat model.
  • Cloud: With smaller developers, a cloud-based WAF eliminates the hefty hardware investment of an in-house data center. Cloud services also offer redundancy, with data stored in multiple data centers. All major cloud service providers offer tiered WAF plans as an add-on, but it pays to shop around. When pricing cloud WAF services, developers should pay close attention to distributed denial-of-service protection. Some plans include DDoS protection as a standard feature, while others charge an add-on fee.
  • Integrated: Medium-sized organizations may consider integrating the WAF into the application itself via a software toolkit. The WAF toolkits offer the configuration options of a hardware firewall without the high overhead. The downside: Integrated software WAFs require some serious in-house cybersecurity talent to make the most of their capabilities.

What Makes SOOS a Web Developer’s Essential Tool?

Security is never an option, whether using Node JS, React, or any other web application deployment. The best security comes when extra security measures are layered into your build. Having a software composition analysis tool that integrates with your existing frameworks and CI/CD pipeline is essential. That tool is SOOS. Able to track nearly 190,000 vulnerabilities, SOOS helps your team focus by highlighting issues in three tiers of severity.

Malicious code isn’t the only hazard for software developers. SOOS also provides you with an up-to-the-minute picture of your current license exposure, including dependencies and a complete history of every scan. SOOS offers every tool you need in SCA without bloatware. All of this capability comes with the industry’s simplest pricing model. Start enhancing security and saving time today.

Copyright © 2022 SOOS| Terms of Service | Privacy Policy