DEV Community: Umapathi The latest articles on DEV Community by Umapathi (@umapathik). https://dev.to/umapathik https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F771449%2F9643a0b0-ee8e-47e0-b6ed-f478c736f5e8.png DEV Community: Umapathi https://dev.to/umapathik en Defending Against Cross-Site Scripting (XSS) Best Practices for Web Security Umapathi Sun, 04 Feb 2024 17:17:24 +0000 https://dev.to/umapathik/defending-against-cross-site-scripting-xss-best-practices-for-web-security-5bhk https://dev.to/umapathik/defending-against-cross-site-scripting-xss-best-practices-for-web-security-5bhk <h2> What is Cross-Site Scripting ⁉️ </h2> <ul> <li><p>Cross-Site Scripting (XSS) is a type of **security vulnerability **that occurs when an application includes untrusted data in a web page. </p></li> <li><p>Attackers can inject malicious scripts into web pages that are then viewed by other users.</p></li> <li><p>The injected scripts can be written in languages like JavaScript and are executed in the context of the victim's browser.</p></li> <li><p>XSS can lead to various malicious activities, such as stealing user sessions, defacing websites, or redirecting users to phishing sites.</p></li> </ul> <h2> There are three main types of XSS attacks: </h2> <ol> <li><strong>Stored XSS (Persistent XSS):</strong></li> </ol> <ul> <li>Malicious scripts are permanently stored on the target server, typically in a database.</li> <li>When a user visits a particular page, the script is retrieved from the server and executed in their browser.</li> </ul> <p>Example (Node.js with Express):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="c1">// Assuming userInput is stored in a database</span> <span class="kd">const</span> <span class="nx">userInput</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">&lt;script&gt;alert('XSS Attack!')&lt;/script&gt;</span><span class="dl">"</span><span class="p">;</span> <span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/profile</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="s2">`&lt;p&gt;</span><span class="p">${</span><span class="nx">userInput</span><span class="p">}</span><span class="s2">&lt;/p&gt;`</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <ol> <li> <strong>Reflected XSS:</strong> <ul> <li>Malicious scripts are embedded in URLs or other user inputs and then reflected back to the user.</li> <li>The victim is tricked into clicking on a crafted link that executes the script in their browser.</li> </ul> </li> </ol> <p>Example (Node.js with Express):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/search</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">userInput</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">query</span><span class="p">.</span><span class="nx">q</span><span class="p">;</span> <span class="c1">// user input from the query parameter</span> <span class="nx">res</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="s2">`&lt;p&gt;Search results for: </span><span class="p">${</span><span class="nx">userInput</span><span class="p">}</span><span class="s2">&lt;/p&gt;`</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p>If a user enters a script in the search query, it gets reflected back in the response.</p> <ol> <li> <strong>DOM-based XSS:</strong> <ul> <li>Malicious scripts manipulate the Document Object Model (DOM) of a web page.</li> <li>The attack occurs on the client-side, and the malicious script is often part of the URL or user input.</li> </ul> </li> </ol> <p>Example (JavaScript in a client-side script):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code> <span class="c">&lt;!-- Vulnerable HTML --&gt;</span> <span class="nt">&lt;script&gt;</span> <span class="kd">const</span> <span class="nx">userInput</span> <span class="o">=</span> <span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">hash</span><span class="p">.</span><span class="nf">substring</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span> <span class="c1">// get user input from the URL fragment</span> <span class="nb">document</span><span class="p">.</span><span class="nx">write</span><span class="p">(</span><span class="s2">`&lt;p&gt;</span><span class="p">${</span><span class="nx">userInput</span><span class="p">}</span><span class="s2">&lt;/p&gt;`</span><span class="p">);</span> <span class="nt">&lt;/script&gt;</span> </code></pre> </div> <h3> Prevention and Mitigation: </h3> <ol> <li> <p><strong>Input Validation and Sanitization:</strong></p> <ul> <li>Validate and sanitize user input on both the client and server sides.</li> <li>Use libraries like <code>express-validator</code> (for Node.js) or <code>DOMPurify</code> (for client-side) to sanitize input.</li> </ul> </li> <li> <p><strong>Content Security Policy (CSP):</strong></p> <ul> <li>Implement and configure Content Security Policy headers to restrict the sources from which the browser can load scripts.</li> </ul> </li> <li> <p><strong>Encode User Input:</strong></p> <ul> <li>Encode user input before rendering it on the page to prevent the browser from interpreting it as executable code.</li> </ul> </li> </ol> <p>Example (JavaScript in a client-side script):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="kd">const</span> <span class="nx">userInput</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">&lt;script&gt;alert('XSS Attack!')&lt;/script&gt;</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">encodedInput</span> <span class="o">=</span> <span class="nf">encodeURIComponent</span><span class="p">(</span><span class="nx">userInput</span><span class="p">);</span> <span class="nb">document</span><span class="p">.</span><span class="nf">write</span><span class="p">(</span><span class="s2">`&lt;p&gt;</span><span class="p">${</span><span class="nx">encodedInput</span><span class="p">}</span><span class="s2">&lt;/p&gt;`</span><span class="p">);</span> </code></pre> </div> <ol> <li> <strong>Use Framework Features:</strong> <ul> <li>Many modern web frameworks provide built-in features to mitigate XSS. For example, React uses JSX, which inherently escapes dynamic content.</li> </ul> </li> </ol> <p>Remember that a combination of these measures is usually the most effective way to prevent XSS attacks. Regular security audits and staying informed about emerging threats are also crucial for maintaining a secure web application.</p> javascript node security cybersecurity React JS Basics for Beginners Umapathi Thu, 09 Dec 2021 12:39:29 +0000 https://dev.to/umapathik/react-js-basics-for-beginners-294i https://dev.to/umapathik/react-js-basics-for-beginners-294i <h3> what is React JS </h3> <p>A JavaScript library for building user interfaces</p> <h2> Understanding the index.js </h2> <h3> 1. Rendering simple JSX elements in react </h3> <p>→index.js<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="k">import</span> <span class="nx">React</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">react</span><span class="dl">"</span> <span class="k">import</span> <span class="nx">ReactDom</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">react-dom</span><span class="dl">"</span> <span class="nx">ReactDom</span><span class="p">.</span><span class="nf">render</span><span class="p">(</span> <span class="p">&lt;</span><span class="nt">ul</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">li</span><span class="p">&gt;</span>eat<span class="p">&lt;/</span><span class="nt">li</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">li</span><span class="p">&gt;</span>sleep<span class="p">&lt;/</span><span class="nt">li</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">li</span><span class="p">&gt;</span>code<span class="p">&lt;/</span><span class="nt">li</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nt">ul</span><span class="p">&gt;</span> <span class="p">,</span><span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">root</span><span class="dl">"</span><span class="p">)</span> <span class="p">)</span> </code></pre> </div> <p>→index.html</p> <p>I linked the JS and CSS here inside the div tag with id "root" all of our React app renders<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;html&gt;</span> <span class="nt">&lt;head&gt;</span> <span class="nt">&lt;link</span> <span class="na">rel=</span><span class="s">"stylesheet"</span> <span class="na">href=</span><span class="s">"style.css"</span><span class="nt">&gt;</span> <span class="nt">&lt;/head&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;div</span> <span class="na">id=</span><span class="s">"root"</span><span class="nt">&gt;&lt;/div&gt;</span> <span class="nt">&lt;script </span><span class="na">src=</span><span class="s">"index.pack.js"</span><span class="nt">&gt;&lt;/script&gt;</span> <span class="nt">&lt;/body&gt;</span> <span class="nt">&lt;/html&gt;</span> </code></pre> </div> <h3> 2 Rendering simple JSX elements using Function </h3> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="k">import</span> <span class="nx">React</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">react</span><span class="dl">"</span> <span class="k">import</span> <span class="nx">ReactDom</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">react-dom</span><span class="dl">"</span> <span class="c1">//function</span> <span class="kd">function</span> <span class="nf">App</span><span class="p">()</span> <span class="p">{</span> <span class="k">return </span><span class="p">(&lt;</span><span class="nt">ul</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">li</span><span class="p">&gt;</span>eat<span class="p">&lt;/</span><span class="nt">li</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">li</span><span class="p">&gt;</span>sleep<span class="p">&lt;/</span><span class="nt">li</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">li</span><span class="p">&gt;</span>code<span class="p">&lt;/</span><span class="nt">li</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nt">ul</span><span class="p">&gt;)</span> <span class="p">}</span> <span class="nx">ReactDom</span><span class="p">.</span><span class="nf">render</span><span class="p">(&lt;</span><span class="nc">App</span> <span class="p">/&gt;,</span><span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">root</span><span class="dl">"</span><span class="p">))</span> </code></pre> </div> <h3> 3. App.js </h3> <p>Here we are going to use create App.js and render it into index.js</p> <p>let's create a new file → App.js<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="k">import</span> <span class="nx">React</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">react</span><span class="dl">"</span> <span class="kd">function</span> <span class="nf">App</span><span class="p">(){</span> <span class="k">return </span><span class="p">(</span> <span class="p">&lt;</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">h1</span><span class="p">&gt;</span>Umapathi K.<span class="p">&lt;/</span><span class="nt">h1</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">p</span><span class="p">&gt;</span>I am the student who loves...<span class="p">&lt;/</span><span class="nt">p</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">ol</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">li</span><span class="p">&gt;</span>Running<span class="p">&lt;/</span><span class="nt">li</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">li</span><span class="p">&gt;</span>Coding<span class="p">&lt;/</span><span class="nt">li</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">li</span><span class="p">&gt;</span>Pubg<span class="p">&lt;/</span><span class="nt">li</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nt">ol</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;)</span> <span class="p">}</span> <span class="k">export</span> <span class="k">default</span> <span class="nx">App</span> </code></pre> </div> <p>here "export default" is used <strong>export</strong> the App.js file so, that we can use it anywhere in the directory </p> <p>→index.js<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="k">import</span> <span class="nx">React</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">react</span><span class="dl">"</span> <span class="k">import</span> <span class="nx">ReactDom</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">react-dom</span><span class="dl">"</span> <span class="k">import</span> <span class="nx">App</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">./App</span><span class="dl">"</span> <span class="nx">ReactDom</span><span class="p">.</span><span class="nf">render</span><span class="p">(&lt;</span><span class="nc">App</span> <span class="p">/&gt;,</span><span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">"</span><span class="s2">root</span><span class="dl">"</span><span class="p">))</span> </code></pre> </div> <h3> 4 Organising the project </h3> <p>for now, our React project's structure is like this<br> --📂public<br> -index.html<br> --📂src<br> -style.css<br> -index.js<br> -App.js</p> <h3> 5 simple Twitter app </h3> <h4> Steps : </h4> <ol> <li>open a new stackblitz react project</li> </ol> <blockquote> <p>The best online code editor for React JS is stackblitz, It is very efficient for learning and building small projects, So, I recommend creating account on stackblitz for learning React JS<br> <iframe src="https://stackblitz.com/edit/react?" width="100%" height="500"> </iframe> </p> </blockquote> <p>2.create "components" 📂 folder inside src</p> <p>3.create "Tweet.js" inside the components folder</p> <p>4.pass props inside App.js</p> <p>props is used to change the component's content <strong>dynamically</strong> instead of <strong>hard-coding</strong> it, it enhances the <strong>code re-usability</strong></p> <p>→App.js<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="k">import</span> <span class="nx">React</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">react</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="nx">Tweet</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">./components/Tweet</span><span class="dl">"</span><span class="p">;</span> <span class="kd">function</span> <span class="nf">App</span><span class="p">(){</span> <span class="k">return</span><span class="p">(</span> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">className</span><span class="p">=</span><span class="s">"tweet"</span><span class="p">&gt;</span> // class is keyword in js so we use className <span class="p">&lt;</span><span class="nc">Tweet</span> <span class="na">name</span><span class="p">=</span><span class="s">"Umapathi"</span> <span class="na">content</span><span class="p">=</span><span class="s">"coding with 2gb ram😁"</span> <span class="na">likes</span><span class="p">=</span><span class="s">"2"</span> <span class="p">/&gt;</span> <span class="p">&lt;</span><span class="nc">Tweet</span> <span class="na">name</span><span class="p">=</span><span class="s">"madhavan"</span> <span class="na">content</span><span class="p">=</span><span class="s">"finished my coding schedule😴"</span> <span class="na">likes</span><span class="p">=</span><span class="s">"15667"</span> <span class="p">/&gt;</span> <span class="p">&lt;</span><span class="nc">Tweet</span> <span class="na">name</span><span class="p">=</span><span class="s">"Ajay"</span> <span class="na">content</span><span class="p">=</span><span class="s">"I should have started learning recat early 😣"</span> <span class="na">likes</span><span class="p">=</span><span class="s">"2487"</span> <span class="p">/&gt;</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">);</span> <span class="p">}</span> <span class="k">export</span> <span class="k">default</span> <span class="nx">App</span><span class="p">;</span> </code></pre> </div> <p>→components</p> <p>→Tweet.js<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="k">import</span> <span class="nx">React</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">react</span><span class="dl">"</span><span class="p">;</span> <span class="kd">function</span> <span class="nf">Tweet</span><span class="p">(</span><span class="nx">props</span><span class="p">){</span> <span class="k">return </span><span class="p">(</span> <span class="p">&lt;</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">h1</span><span class="p">&gt;</span><span class="si">{</span><span class="nx">props</span><span class="p">.</span><span class="nx">name</span><span class="si">}</span><span class="p">&lt;/</span><span class="nt">h1</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">p</span><span class="p">&gt;</span><span class="si">{</span><span class="nx">props</span><span class="p">.</span><span class="nx">content</span><span class="si">}</span><span class="p">&lt;/</span><span class="nt">p</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">h3</span><span class="p">&gt;</span><span class="si">{</span><span class="nx">props</span><span class="p">.</span><span class="nx">likes</span><span class="si">}</span> likes<span class="p">&lt;/</span><span class="nt">h3</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">);</span> <span class="p">}</span> <span class="k">export</span> <span class="k">default</span> <span class="nx">Tweet</span><span class="p">;</span> </code></pre> </div> <p>Alternatively, we can also code like below which is called "destructuring", instead of writing props. Something every time<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="k">import</span> <span class="nx">React</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">react</span><span class="dl">"</span><span class="p">;</span> <span class="kd">function</span> <span class="nf">Tweet</span><span class="p">({</span><span class="nx">name</span><span class="p">,</span><span class="nx">content</span><span class="p">,</span><span class="nx">likes</span><span class="p">}){</span> <span class="k">return </span><span class="p">(</span> <span class="p">&lt;</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">h1</span><span class="p">&gt;</span><span class="si">{</span><span class="nx">name</span><span class="si">}</span><span class="p">&lt;/</span><span class="nt">h1</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">p</span><span class="p">&gt;</span><span class="si">{</span><span class="nx">content</span><span class="si">}</span><span class="p">&lt;/</span><span class="nt">p</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">h3</span><span class="p">&gt;</span><span class="si">{</span><span class="nx">likes</span><span class="si">}</span> likes<span class="p">&lt;/</span><span class="nt">h3</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">);</span> <span class="p">}</span> <span class="k">export</span> <span class="k">default</span> <span class="nx">Tweet</span><span class="p">;</span> </code></pre> </div> <p>I hoped you understand the basic use case of React 😉</p> <p>⚛<a href="https://stackblitz.com/edit/react-setstz?devtoolsheight=33&amp;embed=1&amp;file=src/App.js">simple Twitter app demo<br> </a></p> beginners react tutorial javascript