
JavaScript: This can enable a Reflected Cross-Site Scripting (XSS) attack

I have this code:

const implementation = async (req, res, next) => {
  const rut = req.user && req.user.nickname.toUpperCase(); // rut taken from the authenticated user
  const data =  req.body; // ERROR !!!  (untrusted request body, passed through unchanged)
  if (!rut || !data) return res.send(400, {message: 'Error al recibir los datos'}); // return so a second send cannot follow
  let MetaData = await UserMetadata.findOneAndUpdate({rut}, {emergencyContact: data}, {new: true});
  if (!MetaData) return res.send(400, {message: 'Ha ocurrido un error'});
  return res.send(200, MetaData); // the stored body comes straight back to the client here
};

Codegate is giving me a security error on line 3:

The application's async embeds untrusted data in the generated output with send, at line 3 of "my file". This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code into the output.

The attacker would be able to alter the returned web page by simply providing modified data in the user input body, which is read by the async method at line 3 of "my file". This input then flows through the code straight to the output web page, without sanitization.

This can enable a Reflected Cross-Site Scripting (XSS) attack.

How can I avoid that security issue?

I tried with:

const data =  JSON.parse(decodeURIComponent(encodeURIComponent(req.body)));

The error disappears with the encodeURIComponent functions, but that doesn't make sense. Any hint?

EDIT: Full function now, the original one that has the error, and I must "encode" or something to avoid the error.

Expected output: [image]

Seriously, I don't know why, but this works:

const implementation = async (req, res, next) => {
  const rut = req.user && req.user.nickname.toUpperCase();
  const data =  encodeURIComponent(JSON.stringify(req.body)); // body serialised and percent-encoded
  if (!rut || !data) return res.send(400, {message: 'Error al recibir los datos'}); // return so a second send cannot follow
  let MetaData = await UserMetadata.findOneAndUpdate(
    {rut}, {emergencyContact: JSON.parse(decodeURIComponent(data))}, {new: true} // decoded and parsed back to the same object
  );
  if (!MetaData) return res.send(400, {message: 'Ha ocurrido un error'});
  return res.send(200, MetaData);
};

It's kinda stupid to do and revert 2 things, the encodeURI and the stringify, but Codegate now won't alert me for the error. I would love to know why the error was there.
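One way to address the finding rather than just silence it, as an added example that is not part of the question: build the emergencyContact object from an explicit allow-list of fields validated out of req.body, answer with explicit status codes as JSON, and keep an HTML escaper for any place a stored field is later rendered into HTML. The field names and limits, and the updateContact callback standing in for UserMetadata.findOneAndUpdate, are assumptions.

```javascript
// Added example, not code from the question. The allowed fields of an
// emergencyContact (name, phone, relation) and their limits are assumptions.
const ALLOWED_FIELDS = {
  name:     { maxLen: 100 },
  phone:    { maxLen: 30, pattern: /^\+?[0-9 ()-]+$/ },
  relation: { maxLen: 50 },
};

// Builds a fresh object holding only the expected string fields, so nothing else
// from req.body is stored or echoed back. Returns { ok, value } or { ok, errors }.
function validateEmergencyContact(body) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { ok: false, errors: ['body must be a JSON object'] };
  }
  const errors = [];
  const value = {};
  for (const key of Object.keys(body)) {
    if (!Object.prototype.hasOwnProperty.call(ALLOWED_FIELDS, key)) {
      errors.push(`unexpected field: ${key}`);
    }
  }
  for (const [key, rule] of Object.entries(ALLOWED_FIELDS)) {
    const v = body[key];
    if (typeof v !== 'string' || v.trim() === '') { errors.push(`${key} must be a non-empty string`); continue; }
    if (v.length > rule.maxLen) { errors.push(`${key} is too long`); continue; }
    if (rule.pattern && !rule.pattern.test(v)) { errors.push(`${key} contains invalid characters`); continue; }
    value[key] = v.trim();
  }
  return errors.length ? { ok: false, errors } : { ok: true, value };
}

// Output encoding for the case where a stored field is later rendered inside HTML.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}
// Handler factory: updateContact(rut, contact) stands in for
// UserMetadata.findOneAndUpdate so the handler can run without Mongoose.
function makeHandler(updateContact) {
  return async (req, res) => {
    const rut = req.user && req.user.nickname && req.user.nickname.toUpperCase();
    const check = validateEmergencyContact(req.body);
    if (!rut || !check.ok) {
      return res.status(400).json({ message: 'Error al recibir los datos', errors: check.errors || [] });
    }
    const metaData = await updateContact(rut, check.value); // only validated fields reach the DB
    if (!metaData) return res.status(400).json({ message: 'Ha ocurrido un error' });
    return res.status(200).json(metaData); // explicit JSON reply; early returns avoid double sends
  };
}
```

Mount it as `app.post('/emergency-contact', makeHandler((rut, contact) => UserMetadata.findOneAndUpdate({ rut }, { emergencyContact: contact }, { new: true })))`; the scanner's data flow from req.body to send is broken because the reply is built from the validated copy, not from the raw body.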
