When pentesting Node.js applications, common vulnerabilities to watch for include injection attacks, insecure dependencies, insufficient input validation, and poorly configured security headers. Tools like OWASP ZAP, Burp Suite, and specific Node.js-focused tools like nsp (Node Security Platform) or npm audit can help identify security flaws. For best practices, keep your dependencies updated, use environment variable management for secrets, and consider implementing security libraries like Helmet for securing HTTP headers. Resources like the OWASP NodeGoat project can provide hands-on experience in identifying and mitigating common security issues.
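As an added example (not part of the original text), here is a small Node.js check for the "poorly configured security headers" point: it audits a captured response's headers for the protections Helmet sets by default (CSP with a `default-src` fallback, `nosniff`, `X-Frame-Options`, HSTS with Helmet's default 180-day `max-age`, and no `X-Powered-By` disclosure). It assumes the input is a plain object of lower-cased header names, as Node's `http.IncomingMessage.headers` provides; the sample header sets are constructed, not captured from a real server.

```javascript
// Added example, not from the original post: audit an HTTP response's
// headers for the protections Helmet normally applies to an Express app.
// Input: an object of header name -> value (names are lower-cased here
// to match Node's http.IncomingMessage.headers shape).

const SAFE_FRAME_OPTIONS = new Set(['deny', 'sameorigin']);
const MIN_HSTS_MAX_AGE = 15552000; // 180 days, Helmet's default hsts maxAge

function auditSecurityHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const findings = [];

  // Express advertises itself unless Helmet (or app.disable) removes it.
  if ('x-powered-by' in h) findings.push('x-powered-by discloses framework: ' + h['x-powered-by']);

  const csp = h['content-security-policy'];
  if (!csp) findings.push('content-security-policy missing');
  else if (!/(^|;)\s*default-src\s/i.test(csp)) findings.push('content-security-policy has no default-src fallback');

  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff')
    findings.push('x-content-type-options is not nosniff (MIME sniffing possible)');

  if (!SAFE_FRAME_OPTIONS.has((h['x-frame-options'] || '').toLowerCase()))
    findings.push('x-frame-options missing or permissive (clickjacking)');

  const hsts = h['strict-transport-security'];
  const maxAge = hsts ? /max-age=(\d+)/i.exec(hsts) : null;
  if (!maxAge) findings.push('strict-transport-security missing');
  else if (Number(maxAge[1]) < MIN_HSTS_MAX_AGE)
    findings.push('strict-transport-security max-age too short (' + maxAge[1] + ')');

  return findings;
}

// Constructed samples: a bare Express default response, and one after Helmet.
const BARE_EXPRESS = { 'x-powered-by': 'Express', 'content-type': 'text/html' };
const WITH_HELMET = {
  'content-security-policy': "default-src 'self'; script-src 'self'",
  'x-content-type-options': 'nosniff',
  'x-frame-options': 'SAMEORIGIN',
  'strict-transport-security': 'max-age=15552000; includeSubDomains',
};

console.log(auditSecurityHeaders(BARE_EXPRESS)); // five findings
console.log(auditSecurityHeaders(WITH_HELMET));  // []
```

Feed it the `headers` object from an `http.request` callback (or a Burp/ZAP-captured response) to turn a manual header review into a repeatable check.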