Lack of data validation - Headers - Typescript
Need
Implementation of proper data validation for HTTP headers
Context
- Usage of TypeScript for static typing and enhanced tooling in Node.js development
- Usage of Express for building web applications and APIs
Description
Insecure Code Example
import express from 'express';
const app = express();
app.get('/user', (req, res) => {
  // The attacker-controlled header value is interpolated straight into HTML
  // with no validation and no output encoding (this is the vulnerable code).
  const name = req.headers['name'];
  res.send(`<h1>Welcome, ${name}!</h1>`);
});
app.listen(3000, () => {
  console.log('Server is running on port 3000');
});
The vulnerability in this code lies in the lack of data validation for the "name" header. The code retrieves the value of the "name" header with `req.headers['name']` and interpolates it directly into the HTML response without any validation or output encoding. This can lead to a Cross-Site Scripting (XSS) attack: an attacker who controls the "name" header can inject markup or JavaScript that the victim's browser executes when the "/user" route is rendered, allowing the attacker to steal sensitive information, perform actions on behalf of the user, or compromise the integrity of the application.

The lack of validation can also enable other injection attacks, where an attacker places potentially dangerous characters in the "name" header, compromising the integrity of stored information or causing unexpected behaviour in the application.

To mitigate this vulnerability, implement server-side validation and sanitization of the data received from headers: check the data type, length, and format, and apply the output encoding appropriate to the context (here, HTML escaping) so that no injected code is executed.
Steps
- Validate the 'name' header on the server side to ensure it contains safe characters
- Implement proper input sanitization to prevent XSS attacks
- Consider using a library or framework that provides built-in validation and sanitization features
- Educate developers about the importance of input validation and security best practices
Secure Code Example
import express from 'express';
import { header, validationResult } from 'express-validator';
const app = express();
app.get('/user', [
  // Validate first (a single string of bounded length made of allow-listed
  // characters), then HTML-escape the value in place; express-validator
  // sanitizers write the result back to req.headers.
  header('name').isString().trim().isLength({ min: 1, max: 64 })
    .matches(/^[A-Za-z0-9 ._-]+$/).escape(),
], (req, res) => {
  const errors = validationResult(req);
  if (!errors.isEmpty()) {
    return res.status(400).json({ errors: errors.array() });
  }
  const name = req.headers['name']; // already validated and escaped above
  res.send(`<h1>Welcome, ${name}!</h1>`);
});
app.listen(3000, () => {
  console.log('Server is running on port 3000');
});
The fixed code addresses the vulnerability by implementing data validation on the server side. First, the code imports the necessary modules: `express`, and the `header` and `validationResult` functions from `express-validator` (the older `sanitize()` helper is deprecated and has been removed from current versions of that library). Next, an instance of the Express application is created using `express()`. The code defines a route for the `/user` endpoint using `app.get()`, passing a validation chain before the handler. The chain checks that the `name` header is a single string, trims it, enforces a length between 1 and 64 characters, restricts it to an allow-list of safe characters, and finally calls `escape()` so that any remaining HTML-significant characters are converted to entities. Inside the handler, `validationResult(req)` is consulted first; if the header failed validation the server answers with HTTP 400 and the list of errors instead of rendering anything. Otherwise the sanitized value is retrieved from `req.headers['name']`, stored in the `name` variable, and the server responds with an HTML message that includes the escaped `name` value, preventing XSS. The server listens on port 3000 via `app.listen()`. By validating and sanitizing header data on the server side, the fixed code mitigates the risk of injecting potentially dangerous characters into application fields.
References
Last updated
2023/09/18