Check security and performance of Meteor.js



I would like to ask you about Meteor.js security.

I am writing a thesis about Meteor.js and I try to check performance and security of Meteor.js :-).

I would like to ask you for ideas what things can I check. I wrote simple framework to test external Meteor.js instance.

For now, in my framework I can:

  • Spawn N users on external Meteor.js instance
  • Fire a method on external Meteor.js instance by N users in asynchronous time
  • Subscribe a publication on external Meteor.js instance by N users in asynchronous time
  • Check if collections have correctly allow/deny values. User can choose the name of the collection, number of tests and set if insert/update/remove should be allow or deny. After that, framework try to insert || update || remove and show the results.
  • Fire a insert || remove || update on collection.

All tests were made on another Meteor.js instance using the node-ddp npm module (to connect with another Meteor.js instance) and Kadira package.

I want to run hundreds of tests and then comparing all the results.

Does anybody have some ideas for security tests?


From a blackbox perspective, method and pub/sub fuzzing could be incredibly powerful. While using the application in a “normal” way, record all method calls and subscriptions made from the client. With all of that recorded data, you can fuzz the arguments passed into each method or publication, looking for interesting errors (or a lack of errors).

Type fuzzing may be especially useful. If a method is normally called with a string argument, but your fuzzer passes in an object without the method complaining, the application may not be properly checking its arguments, which can lead to all kinds of nasty things.