Skip to content

XSS-PROTECTION.md

Latest commit

 

History

History
151 lines (108 loc) · 3.77 KB

XSS-PROTECTION.md

File metadata and controls

151 lines (108 loc) · 3.77 KB

XSS Protection Implementation

This document outlines the XSS (Cross-Site Scripting) protection measures implemented in the TradeFlow API.

Overview

The TradeFlow API now includes XSS protection middleware to prevent malicious script injection through query parameters and user input.

Implementation Details

1. Middleware Installation

Added xss-clean library to package.json:

{
  "dependencies": {
    "xss-clean": "^0.1.1"
  }
}

2. Global Middleware Configuration

The XSS protection middleware is applied globally in src/main.ts:

import * as xssClean from 'xss-clean';

// Apply XSS protection middleware globally
app.use(xssClean());

This middleware:

  • Sanitizes request body, query parameters, and URL parameters
  • Removes dangerous HTML tags and JavaScript code
  • Prevents XSS attacks through user input

3. Test Endpoints

Created test endpoints in src/tokens/tokens.controller.ts:

Protected Endpoint

  • URL: /api/v1/tokens
  • Method: GET
  • Query Parameter: search
  • Protection: XSS middleware sanitizes input

Vulnerable Endpoint (for testing)

  • URL: /api/v1/tokens/vulnerable
  • Method: GET
  • Query Parameter: search
  • Purpose: Demonstrates vulnerability without protection

Testing

Manual Testing

  1. Start the server:
npm install
npm run start:dev
  1. Test with malicious payloads:
# Test script tag injection
curl "http://localhost:3000/api/v1/tokens?search=<script>alert('XSS')</script>"

# Test vulnerable endpoint
curl "http://localhost:3000/api/v1/tokens/vulnerable?search=<script>alert('XSS')</script>"

Automated Testing

Run the test script:

node test-xss-protection.js

Test Cases

The following malicious payloads are tested:

  1. Basic script tag: <script>alert("XSS")</script>
  2. IMG tag with onerror: <img src="x" onerror="alert('XSS')">
  3. JavaScript protocol: javascript:alert("XSS")
  4. SVG tag: <svg onload="alert('XSS')">
  5. HTML entity encoded: &lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;

Expected Behavior

With XSS Protection (Protected Endpoint)

  • Malicious HTML tags are removed or escaped
  • JavaScript code is sanitized
  • Safe content is returned to the client

Without XSS Protection (Vulnerable Endpoint)

  • Malicious content is reflected back unchanged
  • Potential for script execution in browsers
  • Security vulnerability

Security Benefits

  1. Input Sanitization: Removes dangerous characters and tags
  2. Global Protection: Applied to all routes automatically
  3. Minimal Performance Impact: Lightweight middleware
  4. Automatic Defense: No manual sanitization required per endpoint

Best Practices

  1. Always validate input in addition to XSS protection
  2. Use parameterized queries for database operations
  3. Implement Content Security Policy headers
  4. Keep dependencies updated for latest security patches
  5. Regular security testing with various attack vectors

Middleware Configuration Options

The xss-clean middleware can be configured with options:

app.use(xssClean({
  // Custom configuration options
  whiteList: [], // Allowed HTML tags
  stripIgnoreTag: false, // Keep content of ignored tags
  stripIgnoreTagBody: ['script'] // Remove body of ignored tags
}));

Compliance

This implementation helps address:

  • OWASP Top 10 - A03:2021 - Injection
  • Security best practices for REST APIs
  • Input validation and sanitization requirements

Monitoring

Monitor application logs for:

  • Unusual request patterns
  • Rejected malicious input
  • Security events and alerts

Maintenance

  1. Regularly update xss-clean dependency
  2. Review security advisories
  3. Test with new attack vectors
  4. Monitor middleware performance impact