Protect Text Input from XML External Entity (XXE) Attacks in Node.js
Poorly designed XML parsers can be very easy for cyber criminals to exploit using what is called an XXE (XML External Entity) attack. This form of attack tricks your XML processor into allowing an external user or application to interfere with your data processing. The implications of an attack like this are serious, so early detection is key. Cloudmersive’s Security Threat Detection API identifies this form of attack. Specifically, the /security/threat-detection/content/xxe/detect/xml/string endpoint inspects an XML text input and reports the result of the detection attempt: whether the text contained an XXE attack (true) or did not contain one (false). Let’s look at how you can use this API in Node.js.
First, install the SDK for this API with the following command:
npm install cloudmersive-security-api-client --save
Alternatively, add the following snippet to your package.json:
"dependencies": {
  "cloudmersive-security-api-client": "^1.2.0"
}
After that, copy and paste the function below, paying close attention to the syntax and documentation notes. Your function will return a result in the format indicated in figure 1.
var CloudmersiveSecurityApiClient = require('cloudmersive-security-api-client');
var defaultClient = CloudmersiveSecurityApiClient.ApiClient.instance;
// Configure API key authorization: Apikey
var Apikey = defaultClient.authentications['Apikey'];
Apikey.apiKey = 'YOUR API KEY';
var apiInstance = new CloudmersiveSecurityApiClient.ContentThreatDetectionApi();
var value = "value_example"; // String | User-facing text input.
var callback = function(error, data, response) {
  if (error) {
    console.error(error);
  } else {
    // Serialize the result so its fields are printed rather than "[object Object]".
    console.log('API called successfully. Returned data: ' + JSON.stringify(data));
  }
};
apiInstance.contentThreatDetectionCheckXxe(value, callback);
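A local screen that can run on the same text input before the API call above. This is an added example, not Cloudmersive's code or part of its SDK. The function names, rule ids and sample documents are constructed, and rejecting every DTD or entity declaration is an assumed policy for inputs that never need a DTD.

```javascript
// Added example: local pre-screen for DTD and entity declarations in XML text.
// Function names, rule ids and samples are constructed for illustration.
//
// Rules match case-insensitively and nothing is stripped first: removing
// comments or CDATA with a regex can also remove a declaration that a real
// parser would still process, so false positives are accepted instead.
const RULES = [
  { id: 'doctype', re: /<!DOCTYPE\b/i },
  { id: 'external-dtd', re: /<!DOCTYPE\s+[^\s\[>]+\s+(?:SYSTEM|PUBLIC)\b/i },
  { id: 'entity-declaration', re: /<!ENTITY\b/i },
  { id: 'parameter-entity', re: /<!ENTITY\s+%/i },
  { id: 'external-entity', re: /<!ENTITY\s+(?:%\s+)?[^\s>]+\s+(?:SYSTEM|PUBLIC)\b/i },
];

// Returns the ids of every rule that matches the input string.
function findXxeIndicators(xml) {
  if (typeof xml !== 'string') throw new TypeError('xml must be a string');
  return RULES.filter((rule) => rule.re.test(xml)).map((rule) => rule.id);
}

// Assumed policy: any finding blocks the input before it reaches a parser.
function screenXmlInput(xml) {
  const findings = findXxeIndicators(xml);
  return { allowed: findings.length === 0, findings };
}

// Constructed sample inputs (placeholder URIs, not real resources).
const SAMPLES = {
  plain: '<?xml version="1.0"?><order><item>widget</item></order>',
  externalEntity: '<?xml version="1.0"?><!DOCTYPE order [' +
    '<!ENTITY ext SYSTEM "file:///constructed/placeholder">]>' +
    '<order><item>&ext;</item></order>',
  externalDtd: '<!DOCTYPE order SYSTEM "http://dtd.example.invalid/order.dtd"><order/>',
  internalOnly: '<!DOCTYPE order [<!ENTITY co "ACME">]><order>&co;</order>',
  // Declaration text inside a comment: still flagged, by design.
  inComment: '<order><!-- <!ENTITY x SYSTEM "y"> --></order>',
};

for (const [name, xml] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(screenXmlInput(xml)));
}
```

A pattern screen like this complements, and does not replace, disabling DTD and external entity resolution in the XML parser itself.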