Protect Text Inputs from XXE Attacks in Node.JS

Cloudmersive
2 min read · Apr 28, 2021

If you have a web application that uses a parser to interpret XML data, then you are inherently at risk of an XML External Entity (XXE) attack. These attacks exploit parser behaviour that lets an attacker direct the parser to fetch a malicious resource, which may be a local or remote file; the potential results include denial of service and exposure of sensitive data. While these attacks are fairly common, not all companies have a plan to protect against them; using the following API in Node.JS will cover that protection gap by automatically detecting XXE attacks in text input.

To use the API, we first need to run this command to install the SDK:

npm install cloudmersive-validate-api-client --save

Or, you can add this snippet to your package.json:

"dependencies": {
  "cloudmersive-validate-api-client": "^1.3.9"
}

Once the installation is complete, we can call the function with the following code:

var CloudmersiveValidateApiClient = require('cloudmersive-validate-api-client');
var defaultClient = CloudmersiveValidateApiClient.ApiClient.instance;

// Configure API key authorization: Apikey
var Apikey = defaultClient.authentications['Apikey'];
Apikey.apiKey = 'YOUR API KEY';

var apiInstance = new CloudmersiveValidateApiClient.TextInputApi();

var value = "value_example"; // String | User-facing text input.

var opts = {
  'allowInternetUrls': true, // Boolean | Optional: Set to true to allow Internet-based dependency URLs for DTDs and other XML External Entities, set to false to block. Default is false.
  'knownSafeUrls': "knownSafeUrls_example", // String | Optional: Comma-separated list of fully-qualified URLs that will automatically be considered safe.
  'knownUnsafeUrls': "knownUnsafeUrls_example" // String | Optional: Comma-separated list of fully-qualified URLs that will automatically be considered unsafe.
};

var callback = function(error, data, response) {
  if (error) {
    console.error(error);
  } else {
    console.log('API called successfully. Returned data: ' + data);
  }
};

apiInstance.textInputCheckXxe(value, opts, callback);

Beyond your user-facing text input and API key, which are required, you can choose whether to allow or block internet URLs (for DTDs and other external entities; blocked by default) and supply known-safe and known-unsafe URL lists to tailor the check to your needs.
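As an added example (not code from the Cloudmersive post or its SDK), the following pairs a local pre-screen for external-entity declarations with a Promise wrapper around the SDK's callback-style textInputCheckXxe call. The pre-screen's reading of allowInternetUrls, knownSafeUrls and knownUnsafeUrls is an assumption based on the option descriptions above; the apiInstance argument is injected so the file runs offline with a stub, and the API's own verdict stays authoritative. The sample XML documents are constructed.

```javascript
// Added example, not code from the Cloudmersive post or SDK. A local
// pre-screen for DOCTYPE/ENTITY declarations that point at external
// resources, plus a Promise wrapper around textInputCheckXxe(value, opts, cb).
// Assumption: the option handling below approximates the API's documented
// option semantics; the server-side result remains authoritative.

// Matches DOCTYPE and ENTITY declarations whose SYSTEM or PUBLIC identifier
// references an external resource. Group 2 (SYSTEM) or 5 (PUBLIC) holds the URI.
const EXTERNAL_REF_RE =
  /<!(?:DOCTYPE|ENTITY)\b[^>\[]*?\b(?:SYSTEM\s+(["'])(.*?)\1|PUBLIC\s+(["']).*?\3\s+(["'])(.*?)\4)/gi;

// "a,b, c" -> ["a", "b", "c"], the comma-separated format the options use.
function splitList(list) {
  return (list || '').split(',').map((u) => u.trim()).filter(Boolean);
}

function isInternetUrl(url) {
  return /^https?:\/\//i.test(url);
}

// Local pre-screen: lists every external reference with a verdict.
// containsXxe is true when at least one reference would be blocked.
function classifyXmlInput(xmlText, opts = {}) {
  const allowInternet = opts.allowInternetUrls === true; // default false, as in the API
  const knownSafe = new Set(splitList(opts.knownSafeUrls));
  const knownUnsafe = new Set(splitList(opts.knownUnsafeUrls));
  const findings = [];
  for (const m of xmlText.matchAll(EXTERNAL_REF_RE)) {
    const url = m[2] !== undefined ? m[2] : m[5];
    let verdict;
    if (knownUnsafe.has(url)) verdict = 'blocked:known-unsafe';
    else if (knownSafe.has(url)) verdict = 'allowed:known-safe';
    else if (isInternetUrl(url)) verdict = allowInternet ? 'allowed:internet' : 'blocked:internet';
    else verdict = 'blocked:local'; // file:, relative paths and other schemes are never allowed
    findings.push({ url, verdict });
  }
  return {
    containsExternalEntities: findings.length > 0,
    containsXxe: findings.some((f) => f.verdict.startsWith('blocked')),
    findings,
  };
}

// Promise wrapper for the callback-style SDK call. apiInstance is injected
// (a TextInputApi in production, a stub in tests) so this file runs offline.
function checkXxeViaApi(apiInstance, value, opts = {}) {
  return new Promise((resolve, reject) => {
    apiInstance.textInputCheckXxe(value, opts, (error, data) => {
      if (error) reject(error);
      else resolve(data);
    });
  });
}

// Defence in depth: stop locally when the pre-screen already blocks the
// input, otherwise ask the API. Errors propagate so callers fail closed.
async function screenInput(apiInstance, value, opts = {}) {
  const local = classifyXmlInput(value, opts);
  if (local.containsXxe) return { source: 'local', blocked: true, findings: local.findings };
  const result = await checkXxeViaApi(apiInstance, value, opts);
  return { source: 'api', result };
}

// Constructed sample inputs (not real traffic).
const SAMPLE_PLAIN = '<order><id>42</id></order>';
const SAMPLE_REMOTE_DTD =
  '<?xml version="1.0"?>\n<!DOCTYPE order [\n  <!ENTITY ext SYSTEM "http://dtd.example.com/order.dtd">\n]>\n<order>&ext;</order>';
const SAMPLE_LOCAL_DTD = '<!DOCTYPE order SYSTEM "file:///opt/app/order.dtd"><order/>';

console.log(JSON.stringify(classifyXmlInput(SAMPLE_REMOTE_DTD), null, 2));
console.log(JSON.stringify(classifyXmlInput(SAMPLE_REMOTE_DTD, { allowInternetUrls: true }), null, 2));
```

In production, pass the apiInstance built in the snippet above as the first argument of screenInput; the pre-screen only saves a round trip for inputs that are obviously blocked, and anything it lets through is still sent to the API.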
