- vừa được xem lúc

Blog#183: 🔐Protecting against Cross-Site Scripting (XSS) Attacks in Node.js

0 0 26

Người đăng: NGUYỄN ANH TUẤN

Theo Viblo Asia

183

Hi, I'm Tuan, a Full-stack Web Developer from Tokyo 😊. Follow my blog to not miss out on useful and interesting articles in the future.

Introduction

Cross-Site Scripting (XSS) is a type of security vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users. This can lead to a range of security issues, such as stealing user data or performing unauthorized actions on behalf of the user. In this article, we will discuss how to protect your Node.js and Express.js applications from XSS attacks with simple and effective techniques.

Understanding XSS Attacks

Before diving into the solutions, let's briefly explore how XSS attacks work. There are three main types of XSS attacks:

  1. Stored XSS: The attacker injects a malicious script into the website's database, which is then executed when users view the affected page.
  2. Reflected XSS: The attacker sends a URL containing the malicious script to the victim, who clicks the link and unknowingly executes the script on their browser.
  3. DOM-based XSS: The attacker manipulates the Document Object Model (DOM) of a web page, causing the browser to execute the malicious script.

Securing Input Validation

Validate and Sanitize User Input

The first line of defense against XSS attacks is to validate and sanitize user input. This involves checking the input data for malicious content and removing or encoding any unsafe characters.

const sanitize = require('sanitize-html'); function validateAndSanitizeInput(input) { // Perform input validation, e.g. checking the input length, format, etc. if (typeof input !== 'string' || input.length > 100) { throw new Error('Invalid input'); } // Sanitize the input to remove unsafe characters and HTML tags const sanitizedInput = sanitize(input, { allowedTags: [], // Disallow all HTML tags allowedAttributes: {}, // Disallow all attributes }); return sanitizedInput;
}

By using the sanitize-html library, you can easily sanitize user input to prevent the execution of malicious scripts. Remember to validate the input data according to your application's requirements, such as length or format constraints.

Use Prepared Statements for Database Queries

To protect your application from stored XSS attacks, always use prepared statements when querying the database. This helps prevent SQL injection attacks and ensures that user input is properly escaped. Here's an example using the mysql library in Node.js:

const mysql = require('mysql');
const connection = mysql.createConnection({ /* Your connection config */ }); const userInput = "'; DROP TABLE users; --";
const sanitizedInput = validateAndSanitizeInput(userInput); const sql = 'SELECT * FROM users WHERE username = ?';
connection.query(sql, [sanitizedInput], (error, results, fields) => { if (error) { console.error('Error querying the database:', error); } else { console.log('Results:', results); }
});

By using prepared statements with placeholders (?), you ensure that the user input is escaped and treated as a value, not as part of the SQL query.

Securing Output Encoding

Encode Data Before Displaying in HTML

When displaying user-generated content in your web application, always encode the data to prevent the browser from interpreting it as HTML or JavaScript code. The escape-html library can be used to achieve this:

const escape = require('escape-html'); function displayUserContent(content) { const safeContent = escape(content); // Insert safeContent into your HTML template, e.g. using a templating engine
}

This will convert characters like <, >, &, ', and " into their HTML entities, making them safe to display in your application.

Set Content Security Policy (CSP) Headers

Content Security Policy (CSP) is a security feature that helps prevent XSS attacks by restricting the sources of content that can be loaded by a web page. By setting the CSP headers in your Express.js application, you can control which scripts, styles, images, and other resources can be loaded.

const express = require('express');
const app = express(); app.use((req, res, next) => { res.setHeader( 'Content-Security-Policy', "default-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline';" ); next();
});

This example sets a strict CSP that only allows resources from the same origin ('self') to be loaded. You can adjust the policy according to your application's needs, but keep in mind that a more restrictive policy provides better security.

Using Secure Templating Engines

Templating engines help you generate HTML content dynamically by combining data with HTML templates. Some templating engines, such as EJS and Pug, have built-in protection against XSS attacks.

EJS

EJS is a popular templating engine that automatically escapes output by default. To use EJS with Express.js, you can install the ejs package and configure it as your view engine:

const express = require('express');
const app = express(); app.set('view engine', 'ejs');

Then, when rendering an EJS template, any variables included using the<%= %> syntax will be automatically escaped:

<!-- views/user.ejs -->
<h1><%= user.name %></h1>

Pug

Pug is another popular templating engine with built-in XSS protection. To use Pug with Express.js, install the pug package and set it as your view engine:

const express = require('express');
const app = express(); app.set('view engine', 'pug');

In Pug templates, any variables included using the #{} syntax will be automatically escaped:

//- views/user.pug
h1 #{user.name}

Conclusion

Protecting your Node.js and Express.js applications from XSS attacks is crucial to ensuring the security of your users' data. By following the best practices discussed in this article, such as validating and sanitizing user input, encoding output data, setting CSP headers, and using secure templating engines, you can greatly reduce the risk of XSS vulnerabilities in your applications. Always stay informed about the latest security threats and best practices to keep your application safe and secure.

And Finally

As always, I hope you enjoyed this article and got something new. Thank you and see you in the next articles!

If you liked this article, please give me a like and subscribe to support me. Thank you. 😊

Ref

Bình luận

Bài viết tương tự

- vừa được xem lúc

Cài đặt WSL / WSL2 trên Windows 10 để code như trên Ubuntu

Sau vài ba năm mình chuyển qua code trên Ubuntu thì thật không thể phủ nhận rằng mình đã yêu em nó. Cá nhân mình sử dụng Ubuntu để code web thì thật là tuyệt vời.

0 0 396

- vừa được xem lúc

Hướng dẫn làm bot Facebook messenger cho tài khoản cá nhân

Giới thiệu. Trong bài viết trước thì mình có hướng dẫn các bạn làm chatbot facebook messenger cho fanpage. Hôm nay mình sẽ hướng dẫn các bạn tạo chatbot cho một tài khoản facebook cá nhân. Chuẩn bị.

0 0 195

- vừa được xem lúc

Crawl website sử dụng Node.js và Puppeteer - phần 2

trong phần 1 mình đã giới thiệu về puppeteer và tạo được 1 project cùng một số file đầu tiên để các bạn có thể crawl dữ liệu từ một trang web bất kỳ. Bài này mình sẽ tiếp nối bài viết trước để hoàn thiện seri này.

0 0 73

- vừa được xem lúc

Điều React luôn giữ kín trong tim

■ Mở đầu. Ngồi viết bài khi đang nghĩ vu vơ chuyện con gà hay quả trứng có trước, mình phân vân chưa biết sẽ chọn chủ đề gì để chúng ta có thể cùng nhau bàn luận.

0 0 59

- vừa được xem lúc

Gửi Mail với Nodejs và AWS SES

AWS SES. AWS SES là gì.

0 0 83

- vừa được xem lúc

Crawl website sử dụng Node.js và Puppeteer - phần 1

Bài viết này mình sẽ giới thiệu cho các bạn craw dữ liệu của web site sử dụng nodejs và Puppeteer. .

0 0 164