Getting reflected Cross-Site Scripting (XSS) attack in node js
Question
I am getting Reflected Cross-Site Scripting (XSS) attack in the below chunk of code,
const getData = async function (req, res) {
const { query } = req.body;
const requestBody = formRequestBody(query);
const { authorization } = req.headers;
try {
const { data } = await axios(url, {
body: requestBody,
headers: {
Authorization: authorization
}
});
if (data) {
res.send(data);
}
} catch (error) {
console.log(error);
}
};
I tried adding a sanitary function and sanitized the query string like below,
const sanitizeString = (string) => {
const escapeCharsMap = {
'&': '&',
'<': '<',
'>': '>',
'"': '"',
"'": ''',
'/': '/'
};
const reg = /[&<>"'/]/gi;
return string.replace(reg, (match) => escapeCharsMap[match]);
};
I changed formRequestBody(query) to formRequestBody(sanitizeString(query)) , still getting the issue.
How could I resolve it?
1 answers
solution1
1 2021-04-26 10:17:04
XSS attacks work by the attacker tricking the user into make a particular request, usually via the attackers website.
Changing the code which makes the request from your site won't have any effect on the code running on the attacker's site.
You need to defend against XSS when generating the output from whatever url points to, not by controlling the input to it from your site.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.