HIGH xss cross site scriptingadonisjs

Xss Cross Site Scripting in Adonisjs

Scan for xss cross site scripting in adonisjs

How XSS Cross Site Scripting Manifests in Adonisjs

XSS vulnerabilities in Adonisjs applications typically occur when user-supplied data flows into HTML responses without proper sanitization. In Adonisjs, this commonly happens through template rendering, view helpers, or direct response manipulation.

The most frequent XSS vectors in Adonisjs include:

  • Unescaped template rendering - Using {{ }} instead of {{{ }}} in Edge templates can lead to accidental XSS if developers aren't careful with data binding
  • Dynamic content injection - User-generated content stored in databases and later rendered without sanitization
  • JavaScript payload execution - Attackers injecting malicious scripts through form inputs, URL parameters, or API responses
  • DOM-based XSS - Client-side JavaScript that dynamically inserts user data into the DOM without validation

A classic Adonisjs XSS example:

class PostController {
  async create({ request, view }) {
    const data = request.only(['title', 'content'])
    
    // Vulnerable: direct rendering without sanitization
    return view.render('posts.show', { post: data })
  }
}

In this case, if content contains <script>alert('xss')</script>, it will execute when the view renders. Another common pattern is in API responses:

class UserController {
  async show({ params, response }) {
    const user = await User.find(params.id)
    
    // Vulnerable: returning raw user data
    return response.json(user)
  }
}

If the frontend consumes this API and renders the data without sanitization, XSS becomes possible.

Adonisjs-Specific Detection

Detecting XSS in Adonisjs applications requires both static code analysis and runtime scanning. Here are Adonisjs-specific detection approaches:

Template Analysis - Scan Edge templates for unescaped variables. Look for patterns like:

{{ user.bio }}          // Safe - HTML escaped
{{{ user.bio }}}        // Dangerous - raw output
@json(user.data)       // JSON output, check context

Middleware Inspection - Check for Content Security Policy (CSP) middleware configuration:

// app/Http/kernel.js
const namedMiddleware = {
  csp: 'Adonis/Core/Csp'
}

// app/Http/middleware/Csp.js
export default class Csp {
  async handle({ response }, next) {
    response.header('Content-Security-Policy', "default-src 'self'")
    await next()
  }
}

Input Validation - Review validator schemas for sanitization rules:

// app/Validators/PostValidator.js
import { schema } from '@adonisjs/core/validator'

export default class PostValidator {
  get schema() {
    return schema.create({
      title: schema.string({}, [rules.minLength(1)]),
      content: schema.string({}, [
        rules.minLength(1),
        // Missing sanitization rule!
      ])
    })
  }
}

Automated Scanning with middleBrick - The middleBrick API security scanner specifically tests Adonisjs applications for XSS vulnerabilities. It performs black-box scanning by:

  • Submitting test payloads through form endpoints and API routes
  • Analyzing response content for reflected XSS patterns
  • Checking template rendering contexts
  • Testing stored XSS scenarios by creating test data and verifying persistence
  • Scanning for DOM-based XSS by analyzing client-side JavaScript interactions

middleBrick's 12 security checks include XSS detection as part of its Input Validation category, testing for reflected, stored, and DOM-based XSS patterns specific to Node.js/Express-like frameworks including Adonisjs.

Adonisjs-Specific Remediation

Adonisjs provides several built-in mechanisms for XSS prevention. Here's how to implement them effectively:

Edge Template Escaping - Always use the safe default escaping:

// Always safe - HTML entities escaped
{{ user.bio }}

// Only use raw output when absolutely necessary
{{{ user.bio }}} // Dangerous unless content is trusted

// For JSON data in templates
@json(user.data, { space: 2 })

Content Security Policy - Implement CSP middleware to restrict script sources:

// app/Http/middleware/Csp.js
import { HttpContextContract } from '@ioc:Adonis/Core/HttpContext'

export default class Csp {
  async handle({ response }, next) {
    response.header('Content-Security-Policy', 
      "default-src 'self'; script-src 'self' 'nonce-{{ csp_nonce }}'; style-src 'self' 'unsafe-inline';")
    await next()
  }
}

Input Sanitization - Use validator sanitization rules:

// app/Validators/PostValidator.js
import { schema } from '@adonisjs/core/validator'
import { sanitize } from 'some-sanitizer'

export default class PostValidator {
  get schema() {
    return schema.create({
      title: schema.string({}, [rules.minLength(1)]),
      content: schema.string({}, [
        rules.minLength(1),
        // Custom sanitization
        rules.custom(async (value) => {
          return sanitize(value, { allowedTags: ['p', 'strong', 'em', 'ul', 'li'] })
        })
      ])
    })
  }
}

Response Headers - Add security headers in middleware:

// app/Http/kernel.js
const globalMiddleware = [
  'Adonis/Core/Csp',
  'App/Middleware/SecurityHeaders'
]

// app/Http/middleware/SecurityHeaders.js
export default class SecurityHeaders {
  async handle({ response }, next) {
    response.header('X-Content-Type-Options', 'nosniff')
    response.header('X-XSS-Protection', '1; mode=block')
    await next()
  }
}

DOM XSS Prevention - Use textContent instead of innerHTML:

// Bad - vulnerable to DOM XSS
const div = document.createElement('div')
div.innerHTML = userBio // XSS possible

// Good - safe
const div = document.createElement('div')
div.textContent = userBio // Automatically escaped

middleBrick Integration - Scan your Adonisjs API endpoints regularly:

// Install CLI
npm install -g middlebrick

// Scan your Adonisjs API
middlebrick scan https://your-app.com/api

// Or integrate into CI/CD
middlebrick scan --fail-below B https://staging.your-app.com

middleBrick's continuous monitoring (Pro plan) can automatically scan your Adonisjs endpoints on a schedule, alerting you to new XSS vulnerabilities before attackers discover them.

Related CWEs: inputValidation

CWE IDNameSeverity
CWE-20Improper Input Validation HIGH
CWE-22Path Traversal HIGH
CWE-74Injection CRITICAL
CWE-77Command Injection CRITICAL
CWE-78OS Command Injection CRITICAL
CWE-79Cross-site Scripting (XSS) HIGH
CWE-89SQL Injection CRITICAL
CWE-90LDAP Injection HIGH
CWE-91XML Injection HIGH
CWE-94Code Injection CRITICAL
Scan for xss cross site scripting in adonisjs Free API security scan

Frequently Asked Questions

How does XSS differ in Adonisjs compared to other Node.js frameworks?
Adonisjs uses Edge templates which have built-in HTML escaping by default, making reflected XSS less common than in raw Express applications. However, Adonisjs developers often use {{{ }}} for convenience, creating stored XSS risks. The framework's validator system also provides sanitization hooks that other frameworks lack natively.
Can middleBrick detect XSS in my Adonisjs API endpoints?
Yes, middleBrick performs black-box scanning of Adonisjs API endpoints, testing for reflected XSS through query parameters, POST data, and headers. It also checks for stored XSS by creating test data and verifying it's properly escaped when retrieved. The scanner runs 12 security checks in parallel and provides specific remediation guidance for XSS vulnerabilities found in Adonisjs applications.

Related Pages

Xss Cross Site Scripting in Adonisjs on AzureUnderstand and remediate XSS in AdonisJS on Azure with escaping patterns, CSP headers, and ARM examples.Xss Cross Site Scripting in Adonisjs on DockerXSS in AdonisJS inside Docker: causes and Docker-specific fixes with secure Dockerfile and docker-compose examples.Xss Cross Site Scripting in Adonisjs on CloudflareXSS in AdonisJS behind Cloudflare: causes, secure output encoding, validation, and Cloudflare configuration examples.Xss Cross Site Scripting in Adonisjs on DigitaloceanUnderstand XSS in AdonisJS on Digitalocean: causes, real code examples, and remediation including CSP, escaping, and midHipaa: Xss Cross Site Scripting in AdonisjsHIPAA-aware guidance for XSS in AdonisJS: practical escaping, validation, CSP, and safe rendering patterns to protect ePGdpr: Xss Cross Site Scripting in AdonisjsGDPR implications of XSS in AdonisJS apps and secure coding fixes with validation, escaping, and DOMPurify examples.Xss Cross Site Scripting in Adonisjs with Jwt TokensUnderstand XSS with JWT tokens in AdonisJS: how token data can lead to injection and concrete code fixes for safe renderXss Cross Site Scripting in Adonisjs with Basic AuthUnderstand XSS in AdonisJS with Basic Auth: causes and remediation with code examples for validation, escaping, and secuIso 27001: Xss Cross Site Scripting in AdonisjsISO 27001 XSS guidance for AdonisJS APIs: risk treatment, secure validation, output encoding, and concrete code examplesXss Cross Site Scripting in Adonisjs with Api KeysUnderstand XSS in AdonisJS APIs using API keys: how authentication alone doesn't prevent injection and concrete validatiXss Cross Site Scripting in Adonisjs with Mutual TlsXSS in AdonisJS with mutual TLS: understanding risk and implementing output encoding, validation, and CSP mitigations.Cis: Xss Cross Site Scripting in AdonisjsCIS XSS guidance for AdonisJS: practical examples of escaping, validation, CSP, and secure rendering to prevent reflecte