Typescript Reflected Xss Protection Disabled
Description
Detects code patterns in TypeScript/JavaScript applications where Cross-Site Scripting (XSS) protections are explicitly disabled or weakened, for example by sending the header X-XSS-Protection: 0, enabling raw HTML rendering, or bypassing a sanitizer. Such patterns let untrusted content reach the page as markup, so a reflected request parameter can execute attacker-controlled script in the victim's browser. Note that X-XSS-Protection is a legacy header: current Chromium-based browsers and Firefox ignore it, so turning the filter back on is not a fix. The finding matters because it signals that the code relies on a browser filter instead of escaping its output; the remediation is to validate or encode the reflected value (as in the secure example below) and, as defence in depth, to serve a Content-Security-Policy.
Detection Strategy
• Identifies response headers or meta tags that switch off the browser's XSS filter (X-XSS-Protection set to 0)
• Detects dangerous raw-HTML rendering options such as dangerouslySetInnerHTML in React
• Flags calls that explicitly bypass a framework's content sanitization
• Checks for untrusted content inserted into DOM elements (innerHTML and similar sinks) without escaping
• Reports a Content-Security-Policy that allows 'unsafe-inline' or 'unsafe-eval'
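The following scanner is an added example and not Fluid Attacks' own rule engine: it encodes the five checks above as line-level regular expressions and runs them over a constructed source sample that mixes Express, React and Angular fragments. The rule ids, the expressions (including the Angular bypassSecurityTrust* family used as the sanitizer-bypass case) and the sample source are assumptions made here for illustration; a production analyzer would work on an AST rather than on lines.

```javascript
// Added example, not Fluid Attacks' own rule engine: a line-oriented scanner for
// the patterns listed under "Detection Strategy". The rule ids, the regular
// expressions and SAMPLE_SOURCE below are constructed for illustration.

const RULES = [
  {
    id: 'xss-protection-header-disabled',
    // res.setHeader('X-XSS-Protection', '0') or <meta http-equiv="X-XSS-Protection" content="0">
    pattern: /X-XSS-Protection['"]?\s*(?:,|content=)\s*['"]0\b/i,
  },
  {
    id: 'react-dangerously-set-inner-html',
    pattern: /dangerouslySetInnerHTML\s*=/,
  },
  {
    id: 'sanitizer-bypass',
    // Angular's DomSanitizer.bypassSecurityTrust* family marks a value as trusted without sanitizing it
    pattern: /\.bypassSecurityTrust(?:Html|Script|Style|Url|ResourceUrl)\s*\(/,
  },
  {
    id: 'unescaped-dom-insertion',
    // innerHTML/outerHTML assignment (except clearing with an empty string), insertAdjacentHTML, document.write
    pattern: /\.(?:innerHTML|outerHTML)\s*=(?!=|\s*(?:''|""|``))|\.insertAdjacentHTML\s*\(|\bdocument\.write(?:ln)?\s*\(/,
  },
  {
    id: 'csp-unsafe-directive',
    // Only catches policies written on a single line; multi-line policy strings need a real tokenizer
    pattern: /Content-Security-Policy.*'unsafe-(?:inline|eval)'/i,
  },
];

// Returns one finding per (line, rule) match: { line, rule, snippet }
function scanSource(source) {
  const findings = [];
  source.split('\n').forEach((text, index) => {
    for (const rule of RULES) {
      if (rule.pattern.test(text)) {
        findings.push({ line: index + 1, rule: rule.id, snippet: text.trim() });
      }
    }
  });
  return findings;
}

// Constructed sample mixing Express, React and Angular fragments, plus two lines
// that must NOT be flagged (escaped output on line 7, innerHTML cleared on line 14).
const SAMPLE_SOURCE = `
const express = require('express');
const app = express();
app.get('/hello', (req, res) => {
  res.setHeader('X-XSS-Protection', '0');
  res.setHeader('Content-Security-Policy', "script-src 'self' 'unsafe-inline'");
  res.send('<p>' + escapeHtml(req.query.user) + '</p>');
});
function Comment({ body }) {
  return <div dangerouslySetInnerHTML={{ __html: body }} />;
}
const trusted = this.sanitizer.bypassSecurityTrustHtml(userHtml);
document.getElementById('out').innerHTML = location.hash.slice(1);
status.innerHTML = '';
`;

for (const f of scanSource(SAMPLE_SOURCE)) {
  console.log(`line ${f.line}: ${f.rule}  ${f.snippet}`);
}
```

Running it reports five findings (lines 5, 6, 10, 12 and 13 of the sample) and stays silent on the escaped res.send call and on the innerHTML reset to an empty string. Because the rules are line-based, a Content-Security-Policy value split across several string concatenations would be missed; that is the main reason to move such checks onto a syntax tree.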
Vulnerable code example
const express = require('express');
const app = express();

app.get('/hello', (req, res) => {
  const user = req.query.user;
  res.setHeader('X-XSS-Protection', '0'); // Deliberately disabling the browser's XSS filter
  // The untrusted query value is interpolated into the markup without escaping
  // (response body reconstructed minimally; the original page elides it)
  res.send(`
    <html><body>Hello, ${user}</body></html>
  `);
});

app.listen(3000);
✅ Secure code example
const express = require('express');
const app = express();

// Validate user input to only allow safe characters
function validateUser(input) {
  const str = String(input || '');
  return /^[\w .-]{1,100}$/.test(str) ? str : ''; // Restrict to word characters, spaces, dots, dashes
}

app.get('/hello', (req, res) => {
  const user = validateUser(req.query.user); // rejected input becomes the empty string
  res.send(`<html><body>Hello, ${user}</body></html>`);
});

app.listen(3000);