Injection

Injection Guide: Node.js (Express) [May 2026] [GHSA-cfw5-68c4-ffqp]

Updated May 2026 (GHSA-cfw5-68c4-ffqp)

Overview

Injection vulnerabilities in Node.js (Express) applications let an attacker change the meaning of a server-side query or command by supplying crafted input. In a production API the consequences range from authentication bypass and data leakage to data corruption and privilege escalation.

The root cause is the same in every variant: untrusted input (route parameters, query strings, JSON bodies, headers) is mixed into the syntax of something that is later interpreted. With SQL, building the statement by string interpolation lets a value such as a single quote followed by OR '1'='1 rewrite the WHERE clause, so an attacker can read rows they are not authorized to see, modify query logic, or delete records. With MongoDB-style stores, a JSON body can carry an operator object (for example {"$gt": ""}) where the handler expected a string, turning an equality check into a match-everything condition. When input reaches the operating system through child_process.exec, shell metacharacters such as ; or $( ) let the attacker run arbitrary commands as the Node process user, which can end in a full host compromise. Evaluating user-supplied data with eval or new Function gives the attacker code execution directly in the application.

Remediation is to keep data and syntax separate for every interpreter the application talks to: parameterized queries or prepared statements (or a query builder that uses them) for SQL; strict type checks that reject objects and operator keys before values go into NoSQL filters; child_process.execFile or spawn with an argv array, never exec with an interpolated string; and no dynamic code execution on request data. Validate input centrally (shape, type, length, allow-listed characters) as a second layer, not as the only one. Run the application against a least-privilege database account rather than root, return generic error messages so database or shell errors do not leak query structure to the client, and treat a web application firewall or scanner as a supplementary control rather than a substitute for parameterization. Express hardening defaults (Helmet, a content security policy, structured request logging) do not prevent injection by themselves but reduce the impact of a successful attack and make it visible.

Code Fix Example

Node.js (Express) API Security Remediation
Vulnerable:
const mysql = require('mysql2/promise');

async function getUser(username) {
  const connection = await mysql.createConnection({host:'localhost', user:'root', database:'test'});
  // The username is interpolated into the SQL text before the driver sees it,
  // so a value such as  ' OR '1'='1  becomes part of the query, not a value.
  const vulnerableQuery = `SELECT * FROM users WHERE username = '${username}'`;
  // execute() cannot help here: the statement it receives has no placeholders left.
  const [rows] = await connection.execute(vulnerableQuery);
  await connection.end();
  return rows;
}

Fixed:
const mysql = require('mysql2/promise');

async function getUserSafe(username) {
  // Connect as a least-privilege account instead of root ('app_reader' is a placeholder name).
  const connection = await mysql.createConnection({host:'localhost', user:'app_reader', database:'test'});
  try {
    // '?' is a placeholder: execute() sends the statement and the value separately
    // as a server-side prepared statement, so the value is never parsed as SQL.
    // Placeholders bind values only; table/column names or ORDER BY targets
    // cannot be bound and must come from an allow-list instead.
    const safeQuery = 'SELECT * FROM users WHERE username = ?';
    const [rows] = await connection.execute(safeQuery, [username]);
    return rows;
  } finally {
    await connection.end(); // release the connection even if the query throws
  }
}

CVE References
