在节点 js 中获得反射的跨站点脚本 (XSS) 攻击
[英]Getting reflected Cross-Site Scripting (XSS) attack in node js
问题描述
I am getting Reflected Cross-Site Scripting (XSS) attack in the below chunk of code,
我在下面的代码块中受到反射跨站点脚本 (XSS) 攻击,
const getData = async function (req, res) {
const { query } = req.body;
const requestBody = formRequestBody(query);
const { authorization } = req.headers;
try {
const { data } = await axios(url, {
body: requestBody,
headers: {
Authorization: authorization
}
});
if (data) {
res.send(data);
}
} catch (error) {
console.log(error);
}
};
I tried adding a sanitary function and sanitized the query string like below,我尝试添加一个卫生的 function 并清理查询字符串,如下所示,
const sanitizeString = (string) => {
const escapeCharsMap = {
'&': '&',
'<': '<',
'>': '>',
'"': '"',
"'": ''',
'/': '/'
};
const reg = /[&<>"'/]/gi;
return string.replace(reg, (match) => escapeCharsMap[match]);
};
I changed formRequestBody(query) to formRequestBody(sanitizeString(query)) , still getting the issue.我将formRequestBody(query)更改为formRequestBody(sanitizeString(query)) ,仍然遇到问题。
How could I resolve it?我该如何解决?
1 个解决方案
解决方案1
1 2021-04-26 10:17:04
XSS attacks work by the attacker tricking the user into make a particular request, usually via the attackers website. XSS 攻击的工作原理是攻击者诱骗用户发出特定请求,通常是通过攻击者的网站。
Changing the code which makes the request from your site won't have any effect on the code running on the attacker's site.更改从您的站点发出请求的代码不会对攻击者站点上运行的代码产生任何影响。
You need to defend against XSS when generating the output from whatever url points to, not by controlling the input to it from your site.在从url指向的任何位置生成 output 时,您需要防御 XSS,而不是通过控制从您的站点对其的输入。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.