Research and implementation of Node.js-based defense against XSS and CSRF
Dengfeng Wei, Fengyi Li

Computer Science College, Yangtze University, Jingzhou 434023, China

31 March 2017



Node.js is an extensively used, powerful and lightweight technology. Like other technologies, Node.js also faces a string of security problems resulting from improper coding by developers. The Web applications developed and deployed on Node.js are not provided with a defense against XSS and CSRF, two of the most common attacks on Web applications. An existing defense against CSRF might fail because XSS and CSRF prevention are not integrated: a script injected through XSS runs in the page and can read the CSRF token that the CSRF defense relies on. Against this backdrop, this paper studies Node.js-related technology, network security technology and the XSS and CSRF vulnerabilities, and develops a system that defends against XSS and CSRF simultaneously on the Node.js platform. The defense system offers XSS and CSRF prevention services to Web applications developed on Node.js.


Storage-type XSS, Motion Detection, Attack Vectors, Vulnerability Scanning.

1. Introduction
2. Attack Principle
3. Design and Implementation of Defense Module
4. System Testing
5. Conclusions
