After conducting a penetration test using the Burp tool on my node(express)/angular application, I discovered a reflected XSS vulnerability. This vulnerability was specifically identified when making a GET request for static assets (no other vulnerabilities were found during user interactions with the application).
The issue description is as follows:
An arbitrary URL parameter's name is inserted into a JavaScript expression without any quotation marks. The payload 41b68(a)184a9=1 was submitted through this URL parameter and echoed back unmodified in the application's response.
This behavior indicates the ability to inject JavaScript commands into the document. Although an attempt to exploit this vulnerability was unsuccessful, manual examination of the application's behavior is recommended to identify any unusual input validation or obstacles.
To test the vulnerability, an arbitrary URL parameter was passed in the following format:
GET /images/?41b68(a)184a9=1
The response received was:
HTTP/1.1 404 Not Found
X-Content-Security-Policy: connect-src 'self'; default-src 'self'; font-src 'self'; frame-src; img-src 'self' *.google-analytics.com; media-src; object-src; script-src 'self' 'unsafe-eval' *.google-analytics.com; style-src 'self' 'unsafe-inline'
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
Strict-Transport-Security: max-age=10886400; includeSubDomains; preload
X-Download-Options: noopen
X-Content-Type-Options: nosniff
Content-Type: text/html; charset=utf-8
Content-Length: 52
Date: Wed, 08 Oct 2015 10:46:43 GMT
Connection: close
Cannot GET /images/?41b68(a)184a9=1
The application has implemented Content Security Policy (CSP) via Helmet, ensuring protection against exploits. While the app uses HTTPS, it does not require user authentication. CSP restricts requests to the app's domain and Google Analytics.
The pen test report suggests validating input (which is already being done), encoding HTML (handled by Angular by default), and evaluating the behavior of static asset requests within Node/Express.
Exploring solutions to prevent or mitigate this issue for static asset requests:
- Should all application requests be whitelisted under CSP?
- Can domains be whitelisted instead of individual requests?
- Should responses to static asset requests be encoded in some manner?
- Could the vulnerability lie in the code handling static asset responses?
- Is there a possibility of the GET request parameter being evaluated in the application code?
Update
Initial investigations point towards escaping data in URL parameter values and sanitizing input in URLs as part of mitigation strategies. Escaping of the URL is already in place:
curl 'http://mydomain/images/?<script>alert('hello')</script>'
Resulting in:
Cannot GET /images/?<script>alert(hello)</script>
Addition of express-sanitized has also been implemented for further security measures.
However, testing the original scenario still reflects the request parameter back:
curl 'http://mydomain/images/?41b68(a)184a9=1'
Cannot GET /images/?41b68(a)184a9=1
This behavior can be attributed to the absence of HTML insertion in the URL.
All responses to static asset GET requests are handled through
app.use(express.static('static-dir'))express.static utilizes dependencies like serve-static and parseurl.