Frosted Cupcake
Reputation: 1970
Getting reflected Cross-Site Scripting (XSS) attack in node js
I am getting Reflected Cross-Site Scripting (XSS) attack in the below chunk of code,
const getData = async function (req, res) {
const { query } = req.body;
const requestBody = formRequestBody(query);
const { authorization } = req.headers;
try {
const { data } = await axios(url, {
body: requestBody,
headers: {
Authorization: authorization
}
});
if (data) {
res.send(data);
}
} catch (error) {
console.log(error);
}
};
I tried adding a sanitary function and sanitized the query string like below,
const sanitizeString = (string) => {
const escapeCharsMap = {
'&': '&',
'<': '<',
'>': '>',
'"': '"',
"'": ''',
'/': '/'
};
const reg = /[&<>"'/]/gi;
return string.replace(reg, (match) => escapeCharsMap[match]);
};
I changed formRequestBody(query) to formRequestBody(sanitizeString(query)), still getting the issue.
How could I resolve it?
Upvotes: 0
Views: 1408
Answers (1)
Quentin
Reputation: 944210
XSS attacks work by the attacker tricking the user into make a particular request, usually via the attackers website.
Changing the code which makes the request from your site won't have any effect on the code running on the attacker's site.
You need to defend against XSS when generating the output from whatever url points to, not by controlling the input to it from your site.
Upvotes: 1
Related Questions
- Preventing XSS in Node.js / server side javascript
- Javascript XSS Prevention
- How to fix Reflected XSS vulnerability in my node.js application
- how to protect server side script and hidden which are writing with Node.js
- Does the following error log xss attack?
- Issue regarding the XSS (Cross Site Scripting) attack
- Is the following javascript safe from arbitrary code execution?
- How is this code protecting against XSS attacks?
- Cross Site Scripting Attack, troubles
- How to avoid "Cross-Site Script Attacks"