Implementation of proper data validation for HTTP headers
    import express from 'express';

    const app = express();

    app.get('/user', (req, res) => {
      // The header value is read straight from the request ...
      const name = req.headers['name'];
      // ... and interpolated into an HTML response with no validation or escaping.
      res.send(`Welcome, ${name}!
    `);
    });

    app.listen(3000, () => {
      console.log('Server is running on port 3000');
    });
The vulnerability in this code lies in the lack of data validation for the "name" header. The code reads the value of the "name" header from the request headers with req.headers['name'] and interpolates it directly into the response without any validation or sanitization. Because res.send() is given a string, Express sets the Content-Type to text/html, so the browser parses whatever the header contained as markup.

This can lead to a Cross-Site Scripting (XSS) attack. An attacker who can manipulate the "name" header can inject malicious code, such as JavaScript, which is executed by the victim's browser when the "/user" route is rendered. This can allow the attacker to steal sensitive information, perform actions on behalf of the user, or compromise the integrity of the application.

Additionally, the lack of data validation can lead to other types of injection attacks, where an attacker places potentially dangerous characters in the "name" header, compromising the integrity of stored information or causing unexpected behaviour in the application.

To mitigate this vulnerability, implement server-side validation and sanitization of the data received from the headers: check the data type, length and format, reject values that fail the policy, and escape the accepted value for the context it is written into (here, an HTML body) so that no injected markup is interpreted.
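The validation-then-escaping approach described above, as an added example that is not part of the original page and deliberately avoids express and express-validator so it runs stand-alone: the request is modelled as a plain object whose lowercase-keyed headers map has the same shape as Node's req.headers. The function names escapeHtml(), validateName(), renderWelcomeVulnerable() and renderWelcomeHardened(), the 64-character limit and the character policy are assumptions made for this example.

```javascript
// Added example (not from the original page): header validation and HTML
// escaping as pure functions, exercised without starting an Express server.
// A request is modelled as { headers: { name: '...' } }, mirroring the
// lowercase-keyed req.headers object Node provides.

// Minimal HTML escaper for a text context. The character set is an
// assumption of this example; express-validator's escape() sanitizer
// additionally rewrites '/', '\' and '`'.
function escapeHtml(value) {
  const entities = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#x27;',
  };
  return String(value).replace(/[&<>"']/g, (ch) => entities[ch]);
}

// Validation policy for the "name" header (assumed for this example):
// present, a single string (Node yields an array only for Set-Cookie, but a
// defensive type check costs nothing), and 1..64 letters, digits, spaces,
// dots, apostrophes or hyphens after trimming.
const NAME_PATTERN = /^[\p{L}\p{N} .'-]{1,64}$/u;

function validateName(headers) {
  const raw = headers['name'];
  if (typeof raw !== 'string') {
    return { ok: false, error: 'name header missing or not a single string' };
  }
  const trimmed = raw.trim();
  if (!NAME_PATTERN.test(trimmed)) {
    return { ok: false, error: 'name header fails length or character policy' };
  }
  return { ok: true, value: trimmed };
}

// The page's vulnerable handler reduced to a pure function: the raw header
// value is interpolated straight into the HTML body.
function renderWelcomeVulnerable(headers) {
  return { status: 200, body: `Welcome, ${headers['name']}!` };
}

// Hardened handler: validate first and reject with 400 on failure, then
// escape the accepted value before placing it into the HTML response.
// Escaping stays in place even though the policy already excludes '<' and
// '>', so a later relaxation of the policy cannot silently reopen the bug.
function renderWelcomeHardened(headers) {
  const result = validateName(headers);
  if (!result.ok) {
    return { status: 400, body: result.error };
  }
  return { status: 200, body: `Welcome, ${escapeHtml(result.value)}!` };
}

// Constructed sample requests.
const benignRequest = { headers: { name: 'Alice' } };
const hostileRequest = { headers: { name: '<script>alert(1)</script>' } };
const missingRequest = { headers: {} };

console.log(renderWelcomeVulnerable(hostileRequest.headers)); // markup echoed back verbatim
console.log(renderWelcomeHardened(hostileRequest.headers));   // { status: 400, ... }
console.log(renderWelcomeHardened(benignRequest.headers));    // { status: 200, body: 'Welcome, Alice!' }
console.log(renderWelcomeHardened(missingRequest.headers));   // { status: 400, ... }
```

The two layers are independent: validation rejects the request early and produces a useful error, while escaping protects the response even for values the policy accepts, such as a name containing an apostrophe.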
    import express from 'express';
    import { header, validationResult } from 'express-validator';

    const app = express();

    app.get('/user', [
      // Validate, then sanitize, the "name" request header in place.
      // header() targets req.headers; express-validator's sanitize() helper
      // does not cover the headers location, so it would leave the value untouched.
      header('name')
        .isString()
        .trim()
        .isLength({ min: 1, max: 64 })
        .escape(), // replaces <, >, &, quotes, slashes and backticks with HTML entities
    ], (req, res) => {
      // Reject the request if any validator in the chain failed.
      const errors = validationResult(req);
      if (!errors.isEmpty()) {
        return res.status(400).json({ errors: errors.array() });
      }
      // The sanitizer wrote the escaped value back into req.headers.
      const name = req.headers['name'];
      res.send(`Welcome, ${name}!
    `);
    });

    app.listen(3000, () => {
      console.log('Server is running on port 3000');
    });

The fixed code addresses the vulnerability by validating and sanitizing the header on the server side.

First, the code imports the necessary modules: the express module, and the header() and validationResult() functions from the express-validator module. header() is the express-validator entry point that targets req.headers; the package's sanitize() helper does not cover the headers location, so a chain built on it would not touch the "name" header at all.

Next, an instance of the Express application is created using express().

The code defines a route for the /user endpoint using the app.get() method. The chain header('name') ... escape() runs as middleware before the route handler: isString() and isLength() check the type and length of the value, trim() removes surrounding whitespace, and escape() replaces characters that are significant in HTML (<, >, &, quotes, slashes and backticks) with their entity equivalents. Sanitizers write their result back into req.headers, so the stored value is the escaped form.

Inside the route handler, validationResult(req) collects any failures; if the header is missing or violates the policy, the request is rejected with a 400 response instead of being rendered. Otherwise, the sanitized value of the name header is retrieved from req.headers['name'] and stored in the name variable.

Finally, the server responds with an HTML message that includes the sanitized name value, preventing any potential XSS attacks. The server is set to listen on port 3000 using the app.listen() method.

By validating and sanitizing header data on the server side, the fixed code mitigates the risk of injecting potentially dangerous characters into application fields.