
Insecure service configuration

Need

Secure service configuration to prevent XSS attacks

Context

• Usage of Dart for building cross-platform applications

• Usage of Shelf for managing and organizing data in a Node.js application

Description

1. Non-compliant code

import 'package:shelf/shelf.dart' as shelf;
import 'package:shelf/shelf_io.dart' as io;

// Reflects the request body verbatim as HTML: no validation, no encoding.
Future<shelf.Response> _echoRequest(shelf.Request request) async =>
    shelf.Response.ok(await request.readAsString(),
        headers: {'content-type': 'text/html'});

void main() {
  var handler = const shelf.Pipeline()
      .addMiddleware(shelf.logRequests())
      .addHandler(_echoRequest);

  io.serve(handler, 'localhost', 8080)
      .then((server) => print('Serving on port ${server.port}'));
}

In the code above, the shelf framework creates a server that listens for requests on `localhost` at port `8080`, with `_echoRequest` as the handler for every incoming request. The vulnerability is that incoming requests are neither validated nor sanitized: if a request contains a script (JavaScript, for example), it is echoed back unchanged in the response, which makes the server susceptible to Cross-Site Scripting (XSS). An attacker can send a request carrying a script, and when the server reflects that script in the response it can execute in a user's browser, leading to data theft or other malicious activity. To mitigate this, request validation must be added so that `_echoRequest` sanitizes incoming input before it is reflected.

2. Steps

• Identify the server configuration files in your project.

• Locate the section where `requestValidationMode` is to be assigned.

• Set `requestValidationMode` to a secure setting. This setting will validate input from all requests to prevent XSS attacks.

• Ensure that the setting is applied globally across all pages and not just specific ones.

• Test the application to ensure that the new setting does not break any functionality.

• Regularly review and update the server configuration to maintain security.

3. Secure code example

import 'package:shelf/shelf.dart' as shelf;
import 'package:shelf/shelf_io.dart' as io;
import 'package:shelf_xss_filter/shelf_xss_filter.dart';

// Same echo handler; xssFilter() sanitizes the request before it gets here.
Future<shelf.Response> _echoRequest(shelf.Request request) async =>
    shelf.Response.ok(await request.readAsString(),
        headers: {'content-type': 'text/html'});

void main() {
  var handler = const shelf.Pipeline()
      .addMiddleware(shelf.logRequests())
      .addMiddleware(xssFilter())
      .addHandler(_echoRequest);

  io.serve(handler, 'localhost', 8080);
}

The original code was vulnerable to Cross-Site Scripting (XSS) because it neither validated nor sanitized request input, a common weakness that lets an attacker inject scripts into pages viewed by other users. The fix adds a middleware to the server pipeline that filters potential XSS payloads, using the `shelf_xss_filter` package and its `xssFilter()` middleware, which sanitizes request input before it reaches the handler. `xssFilter()` is registered with `addMiddleware()`, so every request passes through the filter before `_echoRequest` handles it. With this change the server sanitizes all incoming requests; the server's functionality is unchanged, but its security is significantly improved.
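As an added example that is not the page's code and does not depend on the `shelf_xss_filter` package, the following Dart program implements the steps listed above (middleware applied globally, validation of every request, a check that the change does not break the echo functionality) with `package:shelf` alone, and goes one step beyond the page: besides limiting what a request may carry, it HTML-escapes the reflected body with `htmlEscape` from `dart:convert` and adds response headers that keep a browser from executing anything that is reflected. The names `secureHeaders`, `validateRequest` and `buildHandler`, the 4096-byte limit and the probe request are assumptions of this example, not Shelf API; it assumes shelf 1.x.

```dart
// Added example (not the page's code): hardened echo server using only
// package:shelf and dart:convert. Assumes shelf 1.x.
import 'dart:convert' show htmlEscape;
import 'package:shelf/shelf.dart' as shelf;
import 'package:shelf/shelf_io.dart' as io;

/// Global middleware (steps 3-4): every response leaves with headers that
/// stop a browser from running script even if something is reflected.
/// Name and header values are this example's choice, not Shelf API.
shelf.Middleware secureHeaders() {
  return (shelf.Handler inner) {
    return (shelf.Request request) async {
      final response = await inner(request);
      return response.change(headers: {
        'content-security-policy': "default-src 'none'",
        'x-content-type-options': 'nosniff',
      });
    };
  };
}

/// Request validation (step 3): refuse bodies larger than [maxBytes]
/// before the handler ever reads them. The 4096-byte default is assumed.
shelf.Middleware validateRequest({int maxBytes = 4096}) {
  return (shelf.Handler inner) {
    return (shelf.Request request) async {
      final declared = request.contentLength;
      if (declared != null && declared > maxBytes) {
        return shelf.Response(413, body: 'request body too large');
      }
      return inner(request);
    };
  };
}

/// Hardened handler: the body is HTML-escaped before it is reflected, so
/// a tag such as <script> reaches the browser as inert text. Bodies that
/// are not valid UTF-8 are rejected instead of being echoed.
Future<shelf.Response> _echoRequest(shelf.Request request) async {
  final String body;
  try {
    body = await request.readAsString();
  } on FormatException {
    return shelf.Response(400, body: 'body is not valid UTF-8 text');
  }
  final safe = htmlEscape.convert(body);
  return shelf.Response.ok('<pre>$safe</pre>',
      headers: {'content-type': 'text/html; charset=utf-8'});
}

/// The full pipeline; middleware order is outermost first.
shelf.Handler buildHandler() => const shelf.Pipeline()
    .addMiddleware(shelf.logRequests())
    .addMiddleware(secureHeaders())
    .addMiddleware(validateRequest())
    .addHandler(_echoRequest);

Future<void> main(List<String> args) async {
  final handler = buildHandler();

  // Offline self-check (step 5) with a constructed request; no socket is
  // opened. The tag must come back escaped and the headers must be present.
  final probe = shelf.Request('POST', Uri.parse('http://localhost:8080/'),
      body: '<script>alert(1)</script>');
  final reply = await handler(probe);
  final text = await reply.readAsString();
  if (text.contains('<script>') ||
      !text.contains('&lt;script&gt;') ||
      reply.headers['x-content-type-options'] != 'nosniff') {
    throw StateError('hardening check failed: $text');
  }
  print('self-check ok: $text');

  // Bind localhost:8080 as in the page's examples only when asked to.
  if (args.contains('--serve')) {
    final server = await io.serve(handler, 'localhost', 8080);
    print('Serving at http://${server.address.host}:${server.port}');
  }
}
```

Run it with `dart run` to perform the offline self-check against the constructed request, or add `--serve` to listen on `localhost:8080`. The escaping lives in the handler rather than only in a filter in front of it because reflected XSS is an output-encoding problem: encoding every `<`, `>`, `&` and quote at the point where user input is written into HTML makes the reflected text inert whatever shape it arrives in, while the headers and size limit are defence in depth around that encoding.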