NodeXP - An automated and integrated tool for detecting and exploiting Server Side JavaScript Injection vulnerability on Node.js services
Master Thesis
Author
Antonaropoulos, Dimitris
Date
2018-09
Keywords
Exploitation ; Detection ; Injection ; SSJI ; Node.js ; Nodejs ; NodeXP ; Web security
Abstract
The intent of this thesis was to develop a tool (referred to as NodeXP) capable of detecting possible Server Side JavaScript Injection (SSJI) vulnerabilities in Node.js services and exploiting them in order to produce a proof of concept (PoC). Both processes rely on the SSJI vulnerability and its attack methods; they are implemented as completely separate stages, yet integrated in the same tool and chained together with minimal user input.
Detection is performed through dynamic analysis using two injection techniques (Blind Based Injection Technique and Results Based Injection Technique). Whichever technique is executed, the payloads listed in a text file are parsed and injected one by one through HTTP requests (wordlist method).
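As an added example that is not part of the thesis or of NodeXP's own code, the two detection techniques named above are shown below in Node.js, run against a constructed in-process stand-in for an endpoint instead of over HTTP. The vulnerable handler, the hardened handler, the payload list and the marker value are all constructed for this illustration, and the blind technique is assumed here to be time-based (a synchronous delay compared against a baseline request); the thesis does not spell out which blind indicator NodeXP uses.

```javascript
// Added illustration of results-based and blind (time-based) SSJI detection.
// Not NodeXP's code: NodeXP injects its wordlist over HTTP, whereas here the
// target is a constructed in-process function so the example runs offline.

// Constructed vulnerable handler: the classic SSJI pattern of passing a
// request parameter straight into eval().
function vulnerableService(params) {
  try {
    // eslint-disable-next-line no-eval
    const result = eval(params.expr); // attacker-controlled code execution
    return { status: 200, body: `result=${result}` };
  } catch (err) {
    return { status: 500, body: 'error' };
  }
}

// Constructed hardened handler for contrast: the input is parsed as a number
// and is never evaluated as code, although it is echoed back on error.
function safeService(params) {
  const n = Number(params.expr);
  if (!Number.isFinite(n)) {
    return { status: 400, body: `bad input: ${params.expr}` };
  }
  return { status: 200, body: `result=${n}` };
}

// Results-based technique: every payload computes a marker whose digits do
// not appear in the payload text itself, so a service that merely echoes the
// input back cannot produce a false positive.
const RESULTS_MARKER = String(1337 * 7); // "9359", never literally in a payload
const RESULTS_PAYLOADS = [
  '(1337*7)',          // bare expression context
  '1;(1337*7)',        // statement terminator, then the expression
  "'x'+(1337*7)",      // string concatenation context
];

function resultsBasedDetect(service, paramName) {
  for (const payload of RESULTS_PAYLOADS) {
    const resp = service({ [paramName]: payload });
    if (resp.body.includes(RESULTS_MARKER)) {
      return { vulnerable: true, technique: 'results-based', payload };
    }
  }
  return { vulnerable: false, technique: 'results-based' };
}

// Blind technique (assumed time-based): inject a synchronous busy-loop and
// compare the response time with that of a benign baseline request.
function timedCallMs(service, params) {
  const start = process.hrtime.bigint();
  service(params);
  return Number(process.hrtime.bigint() - start) / 1e6;
}

function blindDetect(service, paramName, delayMs = 300) {
  const baselineMs = timedCallMs(service, { [paramName]: '1' });
  const payload = `var s=Date.now();while(Date.now()-s<${delayMs}){};`;
  const elapsedMs = timedCallMs(service, { [paramName]: payload });
  // Require most of the requested delay on top of the baseline; a response
  // that is merely a little slow is treated as noise, not as a finding.
  const vulnerable = elapsedMs - baselineMs >= delayMs * 0.8;
  return { vulnerable, technique: 'blind', payload, baselineMs, elapsedMs };
}

console.log(resultsBasedDetect(vulnerableService, 'expr'));
console.log(resultsBasedDetect(safeService, 'expr'));
console.log(blindDetect(vulnerableService, 'expr'));
console.log(blindDetect(safeService, 'expr'));
```

Run it with `node`; the eval-backed handler is flagged by both techniques and the numeric handler by neither. Against a real service the `service` function becomes an HTTP request, and the time threshold should be calibrated against several baseline requests rather than one, since network jitter is the main source of blind false positives.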
Exploitation aims to establish a Meterpreter session between the user and the vulnerable service, which is done by interacting with the Metasploit Framework. Once detection has succeeded, exploitation takes place based on the detection findings.
During both detection and exploitation, only one GET or POST parameter can be injected at a time.
The tool aims to point these security issues out accurately, keeping false positives and false negatives to a minimum. That requirement may cost some time and performance, so several flags are provided that let the user tune the trade-off between accuracy and speed. The thesis presents real-world and custom-made examples of Node.js services, demonstrating both the detection and the exploitation of the vulnerabilities found.
The tool's purpose is strictly informational and educational, and it can also be very helpful during a penetration test. Any other malicious or illegal use of the tool is strongly discouraged and is clearly not part of the purpose of this research.