Node Cookbook - Third Edition

by Matteo Collina, David Mark Clements, Peter Elger, Mathias Buus Madsen
July 2017
Intermediate to advanced
656 pages
16h 1m
English
Packt Publishing
Content preview from Node Cookbook - Third Edition

Preventing protocol-handler-based XSS

Our server is still vulnerable to XSS injection.

In this scenario, an attacker is going to steal the status (which represents privileged information).

Let's use the following command to create a malicious data collection server:

$ node -e "require('http').createServer((req, res) => {
    console.log(
      req.connection.remoteAddress,
      Buffer.from(req.url.split('/attack/')[1], 'base64').toString().trim()
    )
  }).listen(3001)"

We're using the -e (evaluate) flag to quickly spin up an HTTP server that logs the requesting IP address and the stolen status. It expects the status to arrive base64 encoded, which avoids potential encoding errors on the client side.

Now let's start the fixed-app server from the main recipe:

$ cd fixed-app ...
Publisher Resources

ISBN: 9781785880087