Usama Varikkottil

How to fix XSS vulnerabilities in Node.js and expressJS

Jan 27, 2022


What is XSS?

Put simply, XSS (cross-site scripting) is JavaScript code injection into web applications. Attackers use vulnerable web apps to inject malicious JavaScript code or a script. There are several types of XSS attacks.

The risks of having an XSS vulnerability

The malicious script can access any cookies, session tokens, or other sensitive information kept by the browser and used with that app. These scripts can even rewrite the content of the web page.

The impact an XSS vulnerability can make on a business

In a worst-case scenario, an attacker could take over the whole web application. That can result in leaking all of your users' data, gaining access to all the user accounts, and accessing the restricted areas of your web app, such as the admin panel.

How to fix the XSS vulnerabilities?

Proper sanitization of the user inputs is one of the best methods to fix an XSS vulnerability. Below are the methods to prevent an XSS attack.

  1. Proper sanitization of inputs
  2. Encoding the output data
  3. Using proper response headers
  4. Content security policy header

How to prevent XSS in Node.js?

There are several node packages available to prevent XSS through proper sanitization. We are using only the best ones available out there.

1. Input sanitization using the validator library.

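const validator = require('validator');

// Sample input containing HTML special characters
const string = "\"><script>alert(1234);</script>";
// escape() HTML-encodes the special characters so the browser renders them as text
const sanitized_string = validator.escape(string);
console.log(" \n The input string is: ", string);
console.log("The sanitized string is: ", sanitized_string);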

Console output of the above code:

The input string is:  "><script>alert(1234);</script>
The sanitized string is:  &quot;&gt;&lt;script&gt;alert(1234);&lt;&#x2F;script&gt;

validator.escape() replaces <, >, &, ', " and / with HTML entities.

Besides escaping these characters, the validator package provides many other sanitization and validation functions. Check it out here: validator npm package
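Entity escaping of this kind is an output encoding for HTML element text and quoted attribute values; a value placed in a link target also needs its URL scheme checked, because a `javascript:` URL contains none of the escaped characters. The following is an added example, not code from the original post: `escapeHtml` is a dependency-free stand-in for the six-character mapping described for validator.escape(), and `safeHref` and `renderComment` are hypothetical helpers.

```javascript
// Added example: stand-in for the entity mapping the post describes for
// validator.escape() (the six characters it lists), so it runs without npm.
const ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};

function escapeHtml(input) {
  return String(input).replace(/[&<>"'\/]/g, (ch) => ENTITIES[ch]);
}

// Hypothetical helper: only absolute http(s) URLs are allowed into an href.
// The WHATWG URL parser normalises case and whitespace the way browsers do,
// so the scheme is compared after parsing rather than by string prefix.
function safeHref(input) {
  let url;
  try {
    url = new URL(String(input));
  } catch {
    return '#'; // not an absolute URL: fall back to a harmless link
  }
  return ['http:', 'https:'].includes(url.protocol) ? escapeHtml(url.href) : '#';
}

// Hypothetical renderer: each value is encoded for the context it lands in
// (element text vs. quoted href attribute) at output time.
function renderComment({ text, website }) {
  return `<p>${escapeHtml(text)}</p><a href="${safeHref(website)}">author</a>`;
}

// Constructed sample inputs.
const samples = [
  { text: '"><script>alert(1234);</script>', website: 'https://example.com/?a=1&b=2' },
  { text: 'nice post', website: 'javascript:alert(1234)' },
];
for (const s of samples) console.log(renderComment(s));
```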

2. Input sanitization using the xss module

xss is an npm module used to filter input from users to prevent XSS attacks.

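const xss = require("xss");

// Sample input containing a script tag
const string = "<script>alert(1234);</script>";
// xss() filters the input so the tag is returned as escaped text
const sanitized_string = xss(string);
console.log(" \n The input string is: ", string);
console.log("The sanitized string is: ", sanitized_string);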

Console output of the above code:

The input string is:  <script>alert(1234);</script>
The sanitized string is:  &lt;script&gt;alert(1234);&lt;/script&gt;

The xss module is specifically developed for preventing XSS vulnerabilities. You can learn more about it here: npmjs.com/package/xss

How to prevent XSS in ExpressJS?

express-validator is a set of express.js middlewares that wraps validator.js validator and sanitizer functions.

Input sanitization using Express-validator

const express = require('express');
const { body } = require('express-validator');

const app = express();
// Parse JSON request bodies into req.body
app.use(express.json());

app.post(
  '/comment',
  // Sanitizer middleware: HTML-escapes req.body.text before the handler runs
  body('text').escape(),
  (req, res) => {
    res.send("The sanitized text is: " + req.body.text);
  },
);

app.listen(5000, () => {
  console.log("server is listening on port 5000");
});

We can send a POST request to the /comment route, as given below:

POST /comment HTTP/1.1
Host: localhost:5000
Content-Type: application/json
Content-Length: 42

{
"text":"<script>alert(1337);</script>"
}

The response of the above request:

The sanitized text is: &lt;script&gt;alert(1337);&lt;&#x2F;script&gt;

You can learn more about express-validator here: npmjs.com/package/express-validator

Conclusion

We have covered only the sanitization method to prevent XSS. As we have seen earlier, there are some more methods for reducing the impact of an XSS attack. I will update this blog post by adding those XSS prevention methods as well.

 