Secure service configuration to prevent XSS attacks
```dart
import 'package:shelf/shelf.dart' as shelf;
import 'package:shelf/shelf_io.dart' as io; // required for io.serve below

void main() {
  // Pipeline: log every request, then pass it to _echoRequest.
  var handler = const shelf.Pipeline()
      .addMiddleware(shelf.logRequests())
      .addHandler(_echoRequest);

  io.serve(handler, 'localhost', 8080).then((server) {
    print('Serving at http://${server.address.host}:${server.port}');
  });
}

// Vulnerable: the attacker-controlled request URL is reflected into the
// response body without any validation or encoding.
shelf.Response _echoRequest(shelf.Request request) {
  return shelf.Response.ok('Request for "${request.url}"');
}
```
In the above code, we are using the shelf framework to create a server that listens for requests on `localhost` at port `8080`. The `_echoRequest` function is used as the handler for all incoming requests.
The vulnerability lies in the fact that there is no validation or sanitization of the incoming requests. This means that if the incoming request contains a script (JavaScript for example), it will be echoed back in the response.
This makes the server susceptible to Cross-Site Scripting (XSS) attacks. An attacker can send a request containing a script, and when the server echoes back the script in the response, it can be executed in the user's browser, leading to potential data theft or other malicious activity.
To mitigate this vulnerability, we need to add request validation in the `_echoRequest` function to sanitize the incoming requests and prevent any potential XSS attacks.
```dart
import 'package:shelf/shelf.dart' as shelf;
import 'package:shelf/shelf_io.dart' as io;
import 'package:shelf_xss_filter/shelf_xss_filter.dart';

void main() {
  // Pipeline: log the request, run it through the XSS filter middleware,
  // then hand it to _echoRequest.
  var handler = const shelf.Pipeline()
      .addMiddleware(shelf.logRequests())
      .addMiddleware(xssFilter())
      .addHandler(_echoRequest);

  io.serve(handler, 'localhost', 8080).then((server) {
    print('Serving at http://${server.address.host}:${server.port}');
  });
}

// By the time the request reaches this handler it has already passed
// through xssFilter().
shelf.Response _echoRequest(shelf.Request request) {
  return shelf.Response.ok('Request for "${request.url}"');
}
```
The original code was vulnerable to Cross-Site Scripting (XSS) attacks because it did not validate or sanitize input from requests. This is a common security issue where an attacker can inject malicious scripts into web pages viewed by other users.
To fix this vulnerability, we added a middleware to the server pipeline that filters out potential XSS attacks. This is done using the `shelf_xss_filter` package, which provides a middleware function `xssFilter()`. This function sanitizes any input from requests to prevent XSS attacks.
The `xssFilter()` middleware is added to the pipeline using the `addMiddleware()` function. This ensures that every request goes through the XSS filter before it is handled by the `_echoRequest` function.
After applying this fix, the server will sanitize all incoming requests to prevent XSS attacks. This does not affect the functionality of the server, but it significantly improves its security.
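The following is an added example, not code from the page or from the shelf project, showing the other half of the defence the page describes: instead of relying only on a request-side filter, the handler encodes the reflected value for the HTML context it is placed in and declares the response's content type. It uses `HtmlEscape` from Dart's standard `dart:convert` library rather than the `shelf_xss_filter` package; the `escapeForHtml` helper and the `_echoRequest` body are assumptions made for this example, and only the `shelf` and `shelf_io` packages are required.

```dart
// Added example (not the original page's code): reflect the request URL into
// an HTML page with output encoding, so markup in the URL is shown as text
// instead of being parsed by the browser.
import 'dart:convert' show HtmlEscape;

import 'package:shelf/shelf.dart' as shelf;
import 'package:shelf/shelf_io.dart' as io;

// Default HtmlEscape mode ("unknown") encodes & < > " ' and /, which is safe
// for text placed either in element content or inside a quoted attribute.
String escapeForHtml(String untrusted) => const HtmlEscape().convert(untrusted);

shelf.Response _echoRequest(shelf.Request request) {
  // request.url (path + query) is entirely attacker-controlled, so it is
  // encoded before being interpolated into the page.
  final shown = escapeForHtml(request.url.toString());
  final page = '<!doctype html><title>Echo</title>'
      '<p>Request for &quot;$shown&quot;</p>';

  return shelf.Response.ok(
    page,
    headers: {
      // State the type and charset explicitly so the browser does not sniff.
      'content-type': 'text/html; charset=utf-8',
      // Defence in depth: no script of any origin may run on this page,
      // so a single encoding slip elsewhere does not become executable.
      'content-security-policy': "default-src 'none'",
    },
  );
}

void main() async {
  // Sanity check of the encoder: angle brackets never reach the page raw.
  assert(escapeForHtml('<b>') == '&lt;b&gt;');

  final handler = const shelf.Pipeline()
      .addMiddleware(shelf.logRequests())
      .addHandler(_echoRequest);

  final server = await io.serve(handler, 'localhost', 8080);
  print('Serving at http://${server.address.host}:${server.port}');
}
```

Encoding at the point of output is context-specific: `HtmlEscape` is correct for HTML element content and quoted attributes, but a value placed inside a `<script>` block, a URL, or a CSS rule needs the encoder for that context instead. A request-side filter such as the middleware above and output encoding in the handler complement each other; neither replaces the other.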