
Lack of data validation - Reflected Parameters

Need

Implementation of proper data validation and sanitization for user input

Context

  • Usage of TypeScript for statically typed JavaScript development
  • Usage of Express for building web applications and APIs

Description

Non compliant code

import express from 'express';

const app = express();

app.get('/search', (req, res) => {
  // The query value is interpolated into the HTML response exactly as the
  // client sent it: no type check, no length limit, no encoding.
  const searchTerm = req.query.term;
  res.send(`<h1>Search Results for: ${searchTerm}</h1>`);
});

app.listen(3000, () => {
  console.log('Server is running on port 3000');
});

The vulnerability in the given code is a lack of data validation for the value assigned to searchTerm, which is taken directly from the term query parameter.

In the code, the server receives a GET request to the '/search' endpoint and extracts the value of the term query parameter using req.query.term. This value is then directly used to construct an HTML response using template literals.

The problem arises when the searchTerm value contains HTML-significant characters or otherwise malicious input. Since the value is neither validated nor sanitized nor encoded, it can be used to inject markup or script into the page, which is a reflected cross-site scripting (XSS) condition.

An attacker can craft a URL whose term parameter contains JavaScript code or HTML tags. When the server reflects that value in the search results page, the injected markup is rendered and any script in it runs in the victim's browser under the application's origin, potentially leading to unauthorized actions or data theft.

To mitigate this vulnerability, it is recommended to validate and sanitize user input on the server side. This can be done by implementing input validation and sanitization techniques, such as using regular expressions or a library specifically designed for input validation. Additionally, user input must be encoded for the context in which it is placed (here, the body of an HTML element) before it is included in the response, so that it is rendered as text rather than interpreted as markup.

Steps

  • Validate the 'searchTerm' variable on the server side to ensure it does not contain any special characters
  • Use a library or built-in functions to sanitize the 'searchTerm' variable before using it in the response
  • Escape any user input before including it in the HTML response to prevent XSS attacks

Compliant code

import express from 'express';
import sanitizeHtml from 'sanitize-html';

const app = express();

app.get('/search', (req, res) => {
  const term = req.query.term;

  // Validate: Express may parse the parameter as an array or an object
  // (term=a&term=b, term[x]=y), so accept only a single string of
  // reasonable length and reject everything else.
  if (typeof term !== 'string' || term.length === 0 || term.length > 100) {
    res.status(400).send('Invalid search term');
    return;
  }

  // Sanitize: strip every HTML tag and attribute. The remaining text is
  // entity-encoded by sanitize-html before it reaches the response.
  const searchTerm = sanitizeHtml(term, { allowedTags: [], allowedAttributes: {} });
  res.send(`<h1>Search Results for: ${searchTerm}</h1>`);
});

app.listen(3000, () => {
  console.log('Server is running on port 3000');
});

The fixed code addresses the vulnerability by implementing data validation and sanitization on the server side.

First, the code imports the necessary modules: the express framework and the sanitizer exported by the sanitize-html module.

Next, an instance of the Express application is created using express().

The code sets up a GET route for the '/search' endpoint. Inside the route handler, the user input is retrieved from the query parameter term using req.query.term.

To ensure the input is safe, the sanitizer is applied to the input to remove HTML tags and attributes and to encode the special characters that remain. This helps prevent cross-site scripting (XSS) attacks.

Finally, the sanitized input is used to generate a response that includes the search term in an HTML heading. The response is sent using the res.send method.

The server is then set to listen on port 3000 using the app.listen method.

By validating and sanitizing the user input on the server side, the fixed code mitigates the risk of special characters being reflected unencoded into server responses and helps prevent vulnerabilities such as XSS.
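To make the difference between the two handlers checkable without starting a server, here is an added example (not from the original page, and independent of the sanitize-html library) that implements both handlers as pure functions: the compliant variant validates the type and length of the query value, as the Steps require, and HTML-encodes it before interpolation, which is the encoding the Description calls for. The names escapeHtml, renderSearchUnsafe, renderSearchSafe and reflectsMarkup are hypothetical.

```typescript
// Express parses `term=a&term=b` into an array and `term[x]=y` into an
// object, so the raw query value is not a string until it is validated.
type QueryValue = string | string[] | Record<string, unknown> | undefined;

interface Reply {
  status: number;
  body: string;
}

// Minimal encoder for the HTML element-body context: every character that
// can open a tag, delimit an attribute or start an entity becomes an entity.
function escapeHtml(input: string): string {
  const map: Record<string, string> = {
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  };
  return input.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Non-compliant behaviour: the query value is interpolated as-is.
function renderSearchUnsafe(term: QueryValue): Reply {
  return { status: 200, body: `<h1>Search Results for: ${term}</h1>` };
}

// Compliant behaviour: validate type and length, then encode for HTML.
function renderSearchSafe(term: QueryValue): Reply {
  if (typeof term !== 'string') {
    return { status: 400, body: 'term must be a single string' };
  }
  if (term.length === 0 || term.length > 100) {
    return { status: 400, body: 'term must be 1-100 characters' };
  }
  return { status: 200, body: `<h1>Search Results for: ${escapeHtml(term)}</h1>` };
}

// Detection check for a test suite: does any tag from the input survive
// verbatim in the response body? True means the parameter is reflected raw.
function reflectsMarkup(body: string, input: string): boolean {
  const tags = input.match(/<[^>]+>/g) ?? [];
  return tags.some((tag) => body.includes(tag));
}

// Constructed sample input of the kind the Description refers to.
const sample = '<script>alert(1)</script>';
console.log(reflectsMarkup(renderSearchUnsafe(sample).body, sample)); // true
console.log(reflectsMarkup(renderSearchSafe(sample).body, sample));   // false
```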
