web-security

Web-Security

Securing web application by preventing cross site scripting (XSS) attack across the browsers.

Copyright (randomrise.com)

  Copyright © http://randomrise.com, as an published work.  All rights reserved.
  This software is the property of randomrise technology
  This software intend to provide open source (FREE TO USE) but any reproduction is not allowed

  @contact: http://randomrise.com 
  @author: ChandraShekher Polimera (linkedin: chandrashekherpolimera | email: chandrashekher@techie.com)
  @github: https://github.com/chandragithub/web-security
  @date: 14/08/2016
  @version: 0.0.4 (beta)

Description:

It prevents cross site scripting (xss) attack across the browsers.

what is a cross site scripting attack (xss)?

Cross-site scripting (XSS) is a code injection attack that allows an attacker to execute malicious JavaScript in another user's browser

Types of XSS attack?

  -  Persistent XSS
     where the malicious string originates from the website's database.
  
  -  Reflected XSS
     where the malicious string originates from the victim's request.
  
  -  DOM-based XSS
     where the vulnerability is in the client-side code rather than the server-side code.

Prevention Method:

- @param: unSafeHtmlString
  escape(param) {};

- @param: unSafeHtmlString
  strictEscape(param) {};

- @param: safeHtmlString
  reverseEscape(param) {};

- @param: safeHtmlString
  unescape(param) {};

- @param: unSafeHtmlString
  removeUnsafe(param) {};

- safeUrl() {};

- unSafeUrl() {};

- @param: link after base url eg. /home
  unSafeUrl(param) {};

Installation

NodeJs

npm install web-security

API

var xs = require('web-security')

Browser

   <script type="text/javascript" src="web-security.js"> </script>
   <script>
      var xs = webSecurity;
   </script>

Usage.

escape

   var htmlStr = "<script> alert(document.cookie); </script>";
   xs.escape(htmlStr);
   
   // output: "&lt;script&gt alert(document.cookie); &lt/script&gt"

strictEscape

   var htmlStr = "<script> alert(document.cookie); </script>";
   xs.strictEscape(htmlStr);
   
   // output: "&lt;script&gt alert&#40;document.cookie&#41;&#59; &lt/script&gt"

reverseEscape

   var htmlStr = "<script&gt alert(document.cookie)&#59; &lt/script&gt";
   xs.reverseEscape(htmlStr);
   
   // output: "<script> alert(document.cookie); </script>"

unescape

   var htmlStr = "<script> alert(document.cookie); </script>";
   xs.unescape(htmlStr);
   
   // output: "<script> alert(document.cookie); </script>"

removeUnsafe

   var htmlStr = "<script> alert(document.cookie); </script>";
   xs.removeUnsafe(htmlStr);
   
   // output: "script alert(document.cookie); /script"

removeStrictUnsafe

   var htmlStr = "<script> alert(document.cookie); </script>";
   xs.removeStrictUnsafe(htmlStr);
   
   // output: "script alertdocument.cookie /script"

safeUrl

   var browserURL = "http://randomrise.com/?<script> document.cookie </script>";
   xs.safeUrl();
   
   // it will reload/refresh the page without search parameter.

unSafeUrl

   var browserURL = "http://randomrise.com/?<script> document.cookie </script>";
   xs.unSafeUrl();
   
   // it will reload/refresh the page  with search parameter.

safeUrlWithHash

   var browserURL = "http://randomrise.com/?<script> document.cookie </script>";
   xs.unSafeUrl('/home');   // eg. you can keep what ever you want.
    
   // it will reload/refresh the page  with /home after the default url.