Would you like to inspect the original subtitles? These are the user uploaded subtitles that are being translated: 1 00:00:01,004 --> 00:00:02,610 In this lecture, we're going to use 2 00:00:02,610 --> 00:00:06,689 two more packages to improve our application security, 3 00:00:06,689 --> 00:00:09,823 and this time to perform data sanitization. 4 00:00:11,290 --> 00:00:13,630 So, data sanitization basically means 5 00:00:13,630 --> 00:00:15,560 to clean all the data that comes 6 00:00:15,560 --> 00:00:18,313 into the application from malicious code. 7 00:00:19,228 --> 00:00:22,053 So, code that is trying to attack our application. 8 00:00:22,930 --> 00:00:26,660 In this case, we're trying to defend against two attacks. 9 00:00:26,660 --> 00:00:30,240 So, let's write it down, and we will do it, 10 00:00:30,240 --> 00:00:34,073 let's say, right here after the body parser. 11 00:00:35,039 --> 00:00:37,400 This middleware here reads the data 12 00:00:37,400 --> 00:00:40,140 into request.body, and only after that 13 00:00:40,140 --> 00:00:42,890 we can actually clean that data, right? 14 00:00:42,890 --> 00:00:46,860 This is a perfect place for doing the data sanitization. 15 00:00:46,860 --> 00:00:51,860 So, we will do data sanitization against 16 00:00:55,190 --> 00:01:00,190 NoSQL query injection, and also data sanitization 17 00:01:05,620 --> 00:01:09,560 against cross-site scripting attacks. 18 00:01:09,560 --> 00:01:11,670 And now before doing anything else, 19 00:01:11,670 --> 00:01:14,600 let me show you why it is so extremely important 20 00:01:14,600 --> 00:01:17,733 to defend against this type of attack. 21 00:01:19,010 --> 00:01:22,200 We will now simulate a NoSQL query injection 22 00:01:22,200 --> 00:01:25,620 and I hope that you will be as shocked as I was 23 00:01:25,620 --> 00:01:28,263 when I first discovered how powerful this can be. 24 00:01:29,820 --> 00:01:32,570 Let's now head over to Postman here, 25 00:01:32,570 --> 00:01:34,810 and try to log in as someone, even 26 00:01:34,810 --> 00:01:37,400 without knowing their email address. 27 00:01:37,400 --> 00:01:41,853 All right, so basically, simply giving a password, 28 00:01:42,800 --> 00:01:46,070 let's say this one here, we will be able to log in, 29 00:01:46,070 --> 00:01:48,603 but even without knowing the email address. 30 00:01:49,750 --> 00:01:51,310 Again, we're going to do that by 31 00:01:51,310 --> 00:01:54,480 simulating a NoSQL query injection, 32 00:01:54,480 --> 00:01:57,840 and the easiest way of doing it goes like this. 33 00:01:57,840 --> 00:02:00,530 Instead of specifying a real email, 34 00:02:00,530 --> 00:02:03,933 we specify this query, basically. 35 00:02:06,450 --> 00:02:10,009 We use the MongoDB greater than operator 36 00:02:10,009 --> 00:02:13,770 and set it equal to nothing, okay? 37 00:02:13,770 --> 00:02:15,963 And now, what happens? 38 00:02:17,810 --> 00:02:21,810 Indeed, we are now logged in as the admin. 39 00:02:21,810 --> 00:02:24,673 So you see we even got our access token. 40 00:02:25,590 --> 00:02:28,550 Yeah, we're really now logged in, 41 00:02:28,550 --> 00:02:30,873 and this completely blows my mind, okay? 42 00:02:31,870 --> 00:02:33,940 Again, without knowing the email address, 43 00:02:33,940 --> 00:02:37,390 only the password, we were able to log in. 44 00:02:37,390 --> 00:02:39,540 And believe me, it's not really difficult 45 00:02:39,540 --> 00:02:42,840 to find a bunch of really popular passwords 46 00:02:42,840 --> 00:02:44,693 that are used on every application. 47 00:02:46,198 --> 00:02:49,203 So, this kind of attack is what we need to protect against. 48 00:02:50,670 --> 00:02:54,913 This works basically because this will always be true, 49 00:02:55,940 --> 00:02:58,840 so that's actually - you also see that in Compass. 50 00:02:58,840 --> 00:03:01,590 So I'm copying it, or actually, let's copy all of this. 51 00:03:05,130 --> 00:03:08,313 Then try to filter by this exact same thing. 52 00:03:09,460 --> 00:03:12,660 Now we're just missing the curly braces, 53 00:03:12,660 --> 00:03:15,870 but now we actually get a valid query. 54 00:03:15,870 --> 00:03:20,440 Let's hit Find, and indeed, this returns all of the users. 55 00:03:20,440 --> 00:03:24,033 So basically, all of the users match this query. 56 00:03:25,340 --> 00:03:28,540 Again, it is because this here is always true. 57 00:03:28,540 --> 00:03:31,503 That will then select all the usernames. 58 00:03:33,330 --> 00:03:36,340 That malicious query injection here allowed us 59 00:03:36,340 --> 00:03:40,760 to log in only knowing this password, all right? 60 00:03:40,760 --> 00:03:43,510 So, to protect ourselves against this, 61 00:03:43,510 --> 00:03:45,623 let's install another middleware, 62 00:03:48,560 --> 00:03:52,953 and this one is called express-mongo-sanitize, 63 00:03:59,680 --> 00:04:02,610 and since we're here, let's also go ahead 64 00:04:02,610 --> 00:04:04,900 and install the other one that we're going to need, 65 00:04:04,900 --> 00:04:08,873 but later in this video, which is called simply XSS. 66 00:04:10,486 --> 00:04:14,603 Actually, that was not correct; it's called XSS_clean. 67 00:04:18,529 --> 00:04:22,760 We need to go ahead and uninstall the other one. 68 00:04:22,760 --> 00:04:24,700 NPM uninstall XSS. 69 00:04:29,308 --> 00:04:34,308 Let's take a look at our package.json, and indeed it's gone. 70 00:04:35,280 --> 00:04:38,743 Again, XSS_clean is the one that we want to use. 71 00:04:42,150 --> 00:04:43,840 Anyway, first, let's talk about 72 00:04:43,840 --> 00:04:45,923 the NoSQL query injection again. 73 00:04:48,040 --> 00:04:51,730 All we're going to use is - and of course, 74 00:04:51,730 --> 00:04:54,343 we need to first require it, so 75 00:04:57,862 --> 00:05:02,695 const mongoSanitize equals require express-mongo-sanitize. 76 00:05:08,610 --> 00:05:12,790 Again, VS Code here helps me, and since we're here, 77 00:05:12,790 --> 00:05:14,853 let's also require the next one. 78 00:05:16,120 --> 00:05:18,763 The variable I'm requiring is called XSS, 79 00:05:20,000 --> 00:05:23,947 and then the name of the module is XSS_clean. 80 00:05:27,160 --> 00:05:32,103 So, let's now use this mongoSanitize here - right here. 81 00:05:33,490 --> 00:05:36,450 MongoSanitize is a function that we will call, 82 00:05:36,450 --> 00:05:38,700 which will then return a middleware function, 83 00:05:38,700 --> 00:05:40,110 which we can then use. 84 00:05:40,110 --> 00:05:42,330 This is enough to prevent us against 85 00:05:42,330 --> 00:05:44,820 the kind of attack that we just saw before. 86 00:05:44,820 --> 00:05:46,610 So, what this middleware does is 87 00:05:46,610 --> 00:05:49,900 to look at the request body, the request query string, 88 00:05:49,900 --> 00:05:52,640 and also at Request.Params, and 89 00:05:52,640 --> 00:05:54,190 then it will basically filter out 90 00:05:54,190 --> 00:05:56,363 all of the dollar signs and dots, 91 00:05:57,410 --> 00:06:00,730 because that's how MongoDB operators are written. 92 00:06:00,730 --> 00:06:03,140 By removing that, well, these operators 93 00:06:03,140 --> 00:06:04,833 are then no longer going to work. 94 00:06:05,830 --> 00:06:07,123 So, let's try that again. 95 00:06:08,100 --> 00:06:12,003 Again, it will remove all of these dollar signs. 96 00:06:13,712 --> 00:06:16,080 So if I do this now, then indeed, 97 00:06:16,080 --> 00:06:17,930 we get this error, and we can 98 00:06:17,930 --> 00:06:20,270 no longer use this trick here, 99 00:06:20,270 --> 00:06:23,900 this query injection attack, to log in. 100 00:06:23,900 --> 00:06:26,720 So, that fixes the first problem, 101 00:06:26,720 --> 00:06:28,960 but now let's use that other middleware 102 00:06:28,960 --> 00:06:31,700 that we also just required before. 103 00:06:31,700 --> 00:06:36,700 So, app.use and XSS, all right? 104 00:06:37,590 --> 00:06:39,870 This will then clean any user input 105 00:06:39,870 --> 00:06:42,283 from malicious HTML code, basically. 106 00:06:43,210 --> 00:06:45,780 Imagine that an attacker would try to insert 107 00:06:45,780 --> 00:06:48,180 some malicious HTML code with some 108 00:06:48,180 --> 00:06:50,620 JavaScript code attached to it. 109 00:06:50,620 --> 00:06:54,090 If that would then later be injected into our HTML site, 110 00:06:54,090 --> 00:06:56,423 it could really create some damage then. 111 00:06:57,300 --> 00:06:59,710 Using this middleware, we prevent that 112 00:06:59,710 --> 00:07:03,063 basically by converting all these HTML symbols. 113 00:07:04,380 --> 00:07:07,040 As I said before, the Mongoose validation itself 114 00:07:07,040 --> 00:07:10,937 is actually already a very good protection against XSS, 115 00:07:12,230 --> 00:07:14,170 because it won't really allow any 116 00:07:14,170 --> 00:07:16,730 crazy stuff to go into our database, 117 00:07:16,730 --> 00:07:18,613 as long as we use it correctly. 118 00:07:19,480 --> 00:07:22,320 Whenever you can, just add some validation to 119 00:07:22,320 --> 00:07:25,037 your Mongoose schemas, and that should mostly protect you 120 00:07:25,037 --> 00:07:29,290 you from cross-site scripting, at least on the server side. 121 00:07:29,290 --> 00:07:33,083 Let's just very quickly test this middleware here, as well. 122 00:07:34,990 --> 00:07:38,333 What I'm going to do is to simply create a new user, 123 00:07:39,960 --> 00:07:43,573 and let's call it "tester" here or something like that. 124 00:07:44,500 --> 00:07:47,420 The password is right, and here, 125 00:07:47,420 --> 00:07:50,403 in the name, let's add some HTML code. 126 00:07:51,480 --> 00:07:56,480 So, div with the id of bad-code. 127 00:08:00,470 --> 00:08:02,503 All right, let's try that now. 128 00:08:06,790 --> 00:08:10,310 You see that the XSS module that we used 129 00:08:10,310 --> 00:08:13,263 actually converted these HTML symbols here, 130 00:08:14,190 --> 00:08:19,163 mostly this one, into this HTML entity here. 131 00:08:21,440 --> 00:08:24,130 Let's just quickly delete this guy. 132 00:08:24,130 --> 00:08:27,593 We don't need him at all. (Laughs) 133 00:08:29,556 --> 00:08:33,299 That is our quick and easy protection against 134 00:08:33,299 --> 00:08:36,293 some of these attacks using data sanitization. 135 00:08:37,280 --> 00:08:40,460 Also remember that the validator function library 136 00:08:40,460 --> 00:08:42,770 that we used before also has a couple of 137 00:08:42,770 --> 00:08:45,123 cool sanitization functions in it. 138 00:08:45,980 --> 00:08:49,820 We could also manually build some middleware using these, 139 00:08:49,820 --> 00:08:51,820 but again, that's not really necessary, 140 00:08:51,820 --> 00:08:55,890 because Mongoose already enforces a strict schema. 141 00:08:55,890 --> 00:08:58,250 Then, if it encounters something weird, 142 00:08:58,250 --> 00:09:00,870 it will then throw an error, and yeah, 143 00:09:00,870 --> 00:09:03,290 that's already a pretty good protection. 144 00:09:03,290 --> 00:09:06,240 So, we're really almost done with the security part. 145 00:09:06,240 --> 00:09:07,740 All we need to do in the next video 146 00:09:07,740 --> 00:09:10,163 is to prevent Parameter Pollution. 11795