Abstract

The popularity of Node.js as a server-side application development platform has introduced new security challenges stemming from the dynamic features of JavaScript. Vulnerabilities such as Unrestricted File Upload (UFU) and Server-Side JavaScript Injection (SSJI) often arise from insecure input handling and over-reliance on third-party libraries. This research aims to design, implement, and evaluate a multi-layered security mitigation model for Node.js-based web applications built using the Express.js framework. A constructive research approach was employed, wherein hybrid security middleware was developed to enforce comprehensive validation. This middleware integrates content-based file type validation (magic numbers), file name sanitization to prevent path traversal, and malicious input pattern blocking to mitigate SSJI and prototype pollution. The effectiveness of the model was empirically evaluated within a controlled local testing environment using the Jest testing framework by comparing a vulnerable application against its secured counterpart. Test results demonstrate that the proposed mitigation model successfully blocked 100% of the tested attack scenarios, achieving 100% test code coverage on the core security logic. This research yields a practical solution capable of enhancing the resilience of Node.js applications against common attacks exploiting language-specific features.

Keywords

Node.js; Unrestricted File Upload; Server-Side JavaScript Injection; Security Middleware

Article Details

How to Cite
Hasbullah, S. A., Fauzan, M. N., & Andarsyah, R. (2026). Implementation Layered Mitigation Techniques for Unrestricted File Upload and Server-Side JavaScript Injection. Jurnal Sains, Nalar, Dan Aplikasi Teknologi Informasi, 5(1), 62–71. https://doi.org/10.20885/snati.v5.i1.42248
