What is XSS?
Put simply, XSS (cross-site scripting) is JavaScript code injection into web applications: attackers use a vulnerable web app to inject malicious JavaScript code or a script into pages that the app serves to its users. There are several types of XSS attacks.
The risks of having an XSS vulnerability
The malicious script can access any cookies, session tokens, or other sensitive information kept by the browser and used with that app. These scripts can even rewrite the content of the web page.
The impact an XSS vulnerability can make on a business
In a worst-case scenario, an attacker could take over the whole web application. That results in leaking all of your users' data, gaining access to all the user accounts, and reaching restricted areas of your web app, such as the admin panel.
How to fix the XSS vulnerabilities?
Proper sanitization of the user inputs is one of the best methods to fix an XSS vulnerability. Below are the methods to prevent an XSS attack.
Proper sanitization of inputs
Encoding the output data
Using proper response headers
Content security policy header
How to prevent XSS in Node.js?
There are several node packages available to prevent XSS through proper sanitization. We are using only the best ones available out there.
1. Input sanitization using the validator library
const validator = require('validator');
// A typical XSS probe: closes an attribute, then opens a script tag.
let string = "\"><script>alert(1234);</script>";
// escape() replaces HTML-significant characters with entities.
let sanitized_string = validator.escape(string);
console.log("\nThe input string is: ", string);
console.log("The sanitized string is: ", sanitized_string);
Console output of the above code:
The input string is: "><script>alert(1234);</script>
The sanitized string is: &quot;&gt;&lt;script&gt;alert(1234);&lt;&#x2F;script&gt;
validator.escape() replaces <, >, &, ', " and / with HTML entities.
Other than escaping these characters, a lot of sanitization and validation functions are available in the validator package. Check it out here: validator npm package
2. Input sanitization using the xss module
xss is an npm module used to filter input from users to prevent XSS attacks.
let xss = require("xss");
let string = "<script>alert(1234);</script>";
// xss() keeps whitelisted tags and escapes everything else, including <script>.
let sanitized_string = xss(string);
console.log("\nThe input string is: ", string);
console.log("The sanitized string is: ", sanitized_string);
Console output of the above code:
The input string is: <script>alert(1234);</script>
The sanitized string is: &lt;script&gt;alert(1234);&lt;/script&gt;
The xss module is specifically developed for preventing XSS vulnerabilities. You can learn more about it here: npmjs.com/package/xss
How to prevent XSS in ExpressJS?
express-validator is a set of express.js middlewares that wraps the validator.js validator and sanitizer functions.
Input sanitization using Express-validator
const express = require('express');
const { body } = require('express-validator');
const app = express();
app.use(express.json());

app.post(
  '/comment',
  // Escape HTML-significant characters in req.body.text before the handler runs.
  body('text').escape(),
  (req, res) => {
    res.send("The sanitized text is: " + req.body.text);
  },
);

app.listen(5000, () => {
  console.log("server is listening on port 5000");
});
We can send a POST request to the /comment route, as given below:
POST /comment HTTP/1.1
Host: localhost:5000
Content-Type: application/json
Content-Length: 42
{
"text":"<script>alert(1337);</script>"
}
The response to the above request:
The sanitized text is: &lt;script&gt;alert(1337);&lt;&#x2F;script&gt;
You can learn more about express-validator here: npmjs.com/package/express-validator
Conclusion
We have covered only the sanitization method to prevent XSS. As we have seen earlier, there are some more methods for reducing the impact of an XSS attack. I will update this blog post by adding those XSS prevention methods as well.
Need to find & fix XSS issues on your app?
Feel free to contact me on LinkedIn: https://www.linkedin.com/in/usama-varikkottil/