How to fix Reflected XSS vulnerability in my node.js application

Issue

I am writing the backend of an application using express in node.js. Checkmarx highlights this issue: Improper Neutralization of Input During Web Page Generation

The line of code highlighted: const token = req.params.company2tftoken;

What can I do to fix this? Any article will also work.

Solution

Here’s a quick intro to what Reflected XSS is and what harm this vulnerability can do to your Node app

In general, one of the ways to prevent XSS is to output encode/escape. Depending on the contextual output (URL, javascript, HTML) where req.params.company2tftoken might end, will determine what function to use. I’m assuming URL so you may try with URL encoding using the querystring.escape method

const token = querystring.escape(req.params.company2tftoken);

Answered By – securecodeninja

Answer Checked By – David Marino (AngularFixing Volunteer)

Leave a Reply

Your email address will not be published.