Would you like to inspect the original subtitles? These are the user uploaded subtitles that are being translated:
1
00:00:01,004 --> 00:00:02,610
In this lecture, we're going to use
2
00:00:02,610 --> 00:00:06,689
two more packages to improve our application security,
3
00:00:06,689 --> 00:00:09,823
and this time to perform data sanitization.
4
00:00:11,290 --> 00:00:13,630
So, data sanitization basically means
5
00:00:13,630 --> 00:00:15,560
to clean all the data that comes
6
00:00:15,560 --> 00:00:18,313
into the application from malicious code.
7
00:00:19,228 --> 00:00:22,053
So, code that is trying to attack our application.
8
00:00:22,930 --> 00:00:26,660
In this case, we're trying to defend against two attacks.
9
00:00:26,660 --> 00:00:30,240
So, let's write it down, and we will do it,
10
00:00:30,240 --> 00:00:34,073
let's say, right here after the body parser.
11
00:00:35,039 --> 00:00:37,400
This middleware here reads the data
12
00:00:37,400 --> 00:00:40,140
into request.body, and only after that
13
00:00:40,140 --> 00:00:42,890
we can actually clean that data, right?
14
00:00:42,890 --> 00:00:46,860
This is a perfect place for doing the data sanitization.
15
00:00:46,860 --> 00:00:51,860
So, we will do data sanitization against
16
00:00:55,190 --> 00:01:00,190
NoSQL query injection, and also data sanitization
17
00:01:05,620 --> 00:01:09,560
against cross-site scripting attacks.
18
00:01:09,560 --> 00:01:11,670
And now before doing anything else,
19
00:01:11,670 --> 00:01:14,600
let me show you why it is so extremely important
20
00:01:14,600 --> 00:01:17,733
to defend against this type of attack.
21
00:01:19,010 --> 00:01:22,200
We will now simulate a NoSQL query injection
22
00:01:22,200 --> 00:01:25,620
and I hope that you will be as shocked as I was
23
00:01:25,620 --> 00:01:28,263
when I first discovered how powerful this can be.
24
00:01:29,820 --> 00:01:32,570
Let's now head over to Postman here,
25
00:01:32,570 --> 00:01:34,810
and try to log in as someone, even
26
00:01:34,810 --> 00:01:37,400
without knowing their email address.
27
00:01:37,400 --> 00:01:41,853
All right, so basically, simply giving a password,
28
00:01:42,800 --> 00:01:46,070
let's say this one here, we will be able to log in,
29
00:01:46,070 --> 00:01:48,603
but even without knowing the email address.
30
00:01:49,750 --> 00:01:51,310
Again, we're going to do that by
31
00:01:51,310 --> 00:01:54,480
simulating a NoSQL query injection,
32
00:01:54,480 --> 00:01:57,840
and the easiest way of doing it goes like this.
33
00:01:57,840 --> 00:02:00,530
Instead of specifying a real email,
34
00:02:00,530 --> 00:02:03,933
we specify this query, basically.
35
00:02:06,450 --> 00:02:10,009
We use the MongoDB greater than operator
36
00:02:10,009 --> 00:02:13,770
and set it equal to nothing, okay?
37
00:02:13,770 --> 00:02:15,963
And now, what happens?
38
00:02:17,810 --> 00:02:21,810
Indeed, we are now logged in as the admin.
39
00:02:21,810 --> 00:02:24,673
So you see we even got our access token.
40
00:02:25,590 --> 00:02:28,550
Yeah, we're really now logged in,
41
00:02:28,550 --> 00:02:30,873
and this completely blows my mind, okay?
42
00:02:31,870 --> 00:02:33,940
Again, without knowing the email address,
43
00:02:33,940 --> 00:02:37,390
only the password, we were able to log in.
44
00:02:37,390 --> 00:02:39,540
And believe me, it's not really difficult
45
00:02:39,540 --> 00:02:42,840
to find a bunch of really popular passwords
46
00:02:42,840 --> 00:02:44,693
that are used on every application.
47
00:02:46,198 --> 00:02:49,203
So, this kind of attack is what we need to protect against.
48
00:02:50,670 --> 00:02:54,913
This works basically because this will always be true,
49
00:02:55,940 --> 00:02:58,840
so that's actually - you also see that in Compass.
50
00:02:58,840 --> 00:03:01,590
So I'm copying it, or actually, let's copy all of this.
51
00:03:05,130 --> 00:03:08,313
Then try to filter by this exact same thing.
52
00:03:09,460 --> 00:03:12,660
Now we're just missing the curly braces,
53
00:03:12,660 --> 00:03:15,870
but now we actually get a valid query.
54
00:03:15,870 --> 00:03:20,440
Let's hit Find, and indeed, this returns all of the users.
55
00:03:20,440 --> 00:03:24,033
So basically, all of the users match this query.
56
00:03:25,340 --> 00:03:28,540
Again, it is because this here is always true.
57
00:03:28,540 --> 00:03:31,503
That will then select all the usernames.
58
00:03:33,330 --> 00:03:36,340
That malicious query injection here allowed us
59
00:03:36,340 --> 00:03:40,760
to log in only knowing this password, all right?
60
00:03:40,760 --> 00:03:43,510
So, to protect ourselves against this,
61
00:03:43,510 --> 00:03:45,623
let's install another middleware,
62
00:03:48,560 --> 00:03:52,953
and this one is called express-mongo-sanitize,
63
00:03:59,680 --> 00:04:02,610
and since we're here, let's also go ahead
64
00:04:02,610 --> 00:04:04,900
and install the other one that we're going to need,
65
00:04:04,900 --> 00:04:08,873
but later in this video, which is called simply XSS.
66
00:04:10,486 --> 00:04:14,603
Actually, that was not correct; it's called XSS_clean.
67
00:04:18,529 --> 00:04:22,760
We need to go ahead and uninstall the other one.
68
00:04:22,760 --> 00:04:24,700
NPM uninstall XSS.
69
00:04:29,308 --> 00:04:34,308
Let's take a look at our package.json, and indeed it's gone.
70
00:04:35,280 --> 00:04:38,743
Again, XSS_clean is the one that we want to use.
71
00:04:42,150 --> 00:04:43,840
Anyway, first, let's talk about
72
00:04:43,840 --> 00:04:45,923
the NoSQL query injection again.
73
00:04:48,040 --> 00:04:51,730
All we're going to use is - and of course,
74
00:04:51,730 --> 00:04:54,343
we need to first require it, so
75
00:04:57,862 --> 00:05:02,695
const mongoSanitize equals require express-mongo-sanitize.
76
00:05:08,610 --> 00:05:12,790
Again, VS Code here helps me, and since we're here,
77
00:05:12,790 --> 00:05:14,853
let's also require the next one.
78
00:05:16,120 --> 00:05:18,763
The variable I'm requiring is called XSS,
79
00:05:20,000 --> 00:05:23,947
and then the name of the module is XSS_clean.
80
00:05:27,160 --> 00:05:32,103
So, let's now use this mongoSanitize here - right here.
81
00:05:33,490 --> 00:05:36,450
MongoSanitize is a function that we will call,
82
00:05:36,450 --> 00:05:38,700
which will then return a middleware function,
83
00:05:38,700 --> 00:05:40,110
which we can then use.
84
00:05:40,110 --> 00:05:42,330
This is enough to prevent us against
85
00:05:42,330 --> 00:05:44,820
the kind of attack that we just saw before.
86
00:05:44,820 --> 00:05:46,610
So, what this middleware does is
87
00:05:46,610 --> 00:05:49,900
to look at the request body, the request query string,
88
00:05:49,900 --> 00:05:52,640
and also at Request.Params, and
89
00:05:52,640 --> 00:05:54,190
then it will basically filter out
90
00:05:54,190 --> 00:05:56,363
all of the dollar signs and dots,
91
00:05:57,410 --> 00:06:00,730
because that's how MongoDB operators are written.
92
00:06:00,730 --> 00:06:03,140
By removing that, well, these operators
93
00:06:03,140 --> 00:06:04,833
are then no longer going to work.
94
00:06:05,830 --> 00:06:07,123
So, let's try that again.
95
00:06:08,100 --> 00:06:12,003
Again, it will remove all of these dollar signs.
96
00:06:13,712 --> 00:06:16,080
So if I do this now, then indeed,
97
00:06:16,080 --> 00:06:17,930
we get this error, and we can
98
00:06:17,930 --> 00:06:20,270
no longer use this trick here,
99
00:06:20,270 --> 00:06:23,900
this query injection attack, to log in.
100
00:06:23,900 --> 00:06:26,720
So, that fixes the first problem,
101
00:06:26,720 --> 00:06:28,960
but now let's use that other middleware
102
00:06:28,960 --> 00:06:31,700
that we also just required before.
103
00:06:31,700 --> 00:06:36,700
So, app.use and XSS, all right?
104
00:06:37,590 --> 00:06:39,870
This will then clean any user input
105
00:06:39,870 --> 00:06:42,283
from malicious HTML code, basically.
106
00:06:43,210 --> 00:06:45,780
Imagine that an attacker would try to insert
107
00:06:45,780 --> 00:06:48,180
some malicious HTML code with some
108
00:06:48,180 --> 00:06:50,620
JavaScript code attached to it.
109
00:06:50,620 --> 00:06:54,090
If that would then later be injected into our HTML site,
110
00:06:54,090 --> 00:06:56,423
it could really create some damage then.
111
00:06:57,300 --> 00:06:59,710
Using this middleware, we prevent that
112
00:06:59,710 --> 00:07:03,063
basically by converting all these HTML symbols.
113
00:07:04,380 --> 00:07:07,040
As I said before, the Mongoose validation itself
114
00:07:07,040 --> 00:07:10,937
is actually already a very good protection against XSS,
115
00:07:12,230 --> 00:07:14,170
because it won't really allow any
116
00:07:14,170 --> 00:07:16,730
crazy stuff to go into our database,
117
00:07:16,730 --> 00:07:18,613
as long as we use it correctly.
118
00:07:19,480 --> 00:07:22,320
Whenever you can, just add some validation to
119
00:07:22,320 --> 00:07:25,037
your Mongoose schemas, and that should mostly protect you
120
00:07:25,037 --> 00:07:29,290
you from cross-site scripting, at least on the server side.
121
00:07:29,290 --> 00:07:33,083
Let's just very quickly test this middleware here, as well.
122
00:07:34,990 --> 00:07:38,333
What I'm going to do is to simply create a new user,
123
00:07:39,960 --> 00:07:43,573
and let's call it "tester" here or something like that.
124
00:07:44,500 --> 00:07:47,420
The password is right, and here,
125
00:07:47,420 --> 00:07:50,403
in the name, let's add some HTML code.
126
00:07:51,480 --> 00:07:56,480
So, div with the id of bad-code.
127
00:08:00,470 --> 00:08:02,503
All right, let's try that now.
128
00:08:06,790 --> 00:08:10,310
You see that the XSS module that we used
129
00:08:10,310 --> 00:08:13,263
actually converted these HTML symbols here,
130
00:08:14,190 --> 00:08:19,163
mostly this one, into this HTML entity here.
131
00:08:21,440 --> 00:08:24,130
Let's just quickly delete this guy.
132
00:08:24,130 --> 00:08:27,593
We don't need him at all. (Laughs)
133
00:08:29,556 --> 00:08:33,299
That is our quick and easy protection against
134
00:08:33,299 --> 00:08:36,293
some of these attacks using data sanitization.
135
00:08:37,280 --> 00:08:40,460
Also remember that the validator function library
136
00:08:40,460 --> 00:08:42,770
that we used before also has a couple of
137
00:08:42,770 --> 00:08:45,123
cool sanitization functions in it.
138
00:08:45,980 --> 00:08:49,820
We could also manually build some middleware using these,
139
00:08:49,820 --> 00:08:51,820
but again, that's not really necessary,
140
00:08:51,820 --> 00:08:55,890
because Mongoose already enforces a strict schema.
141
00:08:55,890 --> 00:08:58,250
Then, if it encounters something weird,
142
00:08:58,250 --> 00:09:00,870
it will then throw an error, and yeah,
143
00:09:00,870 --> 00:09:03,290
that's already a pretty good protection.
144
00:09:03,290 --> 00:09:06,240
So, we're really almost done with the security part.
145
00:09:06,240 --> 00:09:07,740
All we need to do in the next video
146
00:09:07,740 --> 00:09:10,163
is to prevent Parameter Pollution.
11795
Can't find what you're looking for?
Get subtitles in any language from opensubtitles.com, and translate them here.