How to address Cross-Site Request Forgery (CSRF), XSS, and code injection attacks for REST


Dib Nanda

Mar 14, 2017, 10:48:02 PM
to API Craft
How do I design a REST API to address CSRF and XSS attacks?
In this case the consumer of the REST API is a PORTAL APP; to render the data on the UI, the portal app makes an API call to get the data from the backend.
The data may have anything [script tag, alert] injected by some illegal source. How do I bypass those in the REST API response?


Any Suggestion will be helpful.

Lukas Rosenstock

Mar 22, 2017, 7:56:05 AM
to api-...@googlegroups.com
Hello Dib Nanda!
If I understood your question correctly, you are receiving some data from a backend which could contain user-generated HTML code that may have scripts in it.

The easiest fix, of course, would be to not allow any HTML. You can escape all HTML so it is interpreted as text (e.g. turning < and > into &lt; and &gt;), which is something most programming languages and/or frameworks should do for you.

If you need to accept some HTML (e.g. formatting) you could use custom code or a library that parses the HTML and removes only script tags.

Any input sanitization like this should happen on the server side.

Hope this helps.

Lukas Rosenstock
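The two options in this reply (escape everything, or parse the HTML and keep only a small set of formatting tags), as an added Python sketch that is not code from the thread; it uses only the standard library, and the allowed tag set and the `sanitize_html` / `escape_html` names are assumptions:

```python
import html
from html.parser import HTMLParser
# Assumed allowlist of what the portal is willing to render; anything not listed
# is dropped, which covers <script>, <img onerror=...>, <iframe> and the like.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL_SCHEMES = ("http://", "https://")

def escape_html(text: str) -> str:
    """Option 1 from the reply: render the whole payload as plain text."""
    return html.escape(text, quote=True)

class AllowlistSanitizer(HTMLParser):
    """Option 2: parse the HTML and keep only allowlisted tags/attributes."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self._skip_depth = 0  # >0 inside <script>/<style>, whose text is dropped too

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            if tag in ("script", "style"):
                self._skip_depth += 1
            return  # unknown tag: emit nothing (its text content still passes, escaped)
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops event handlers such as onclick= / onerror=
            if name == "href" and not (value or "").lower().startswith(SAFE_URL_SCHEMES):
                continue  # drops javascript: and data: URLs
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip_depth:
            self._skip_depth -= 1
        elif tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(html.escape(data, quote=False))  # text is re-escaped

def sanitize_html(fragment: str) -> str:
    # Run the allowlist sanitizer over one untrusted HTML fragment from the backend.
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)
```

A production service would normally reach for a maintained sanitizer library rather than this sketch, but the parse-then-allowlist structure is the same, and it runs on the server side as the reply recommends.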



