Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Mitigate against reflected XSS attacks #174

Merged
merged 1 commit into from Feb 27, 2017

Conversation

ssbrewster
Copy link
Contributor

Mitigate against reflected XSS attacks in production by returning
the custom 404 response object instead of express' default 404
response

A reflected XSS vulnerability was discovered using the Burp pen test tool and successfully tested
by passing an arbitrary url parameter GET /images/?41b68(a)184a9=1

This input was echoed unmodified in the application's response meaning that it is possible to inject JavaScript commands into the returned document

This fixes #132

Mitigate against reflected XSS attacks in production by returning
the custom 404 response object instead of express' default 404
response

This was discovered using the Burp pen test tool and successfully tested
by passing an arbitrary url parameter GET /images/?41b68(a)184a9=1
@johnpapa johnpapa merged commit 72ec2e2 into johnpapa:master Feb 27, 2017
@johnpapa
Copy link
Owner

thx

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Potential security issue
2 participants