VULNERABILITY_REPORT.md

Reflected XSS Vulnerability - Security Report

Executive Summary

A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the BV-BRC API that allowed attackers to inject malicious JavaScript code through arbitrary parameter names in URL query strings. This vulnerability has been FIXED with comprehensive security controls.

Vulnerability Details

Reported URL:

https://www.bv-brc.org/api-for-website/protein_feature?eq(feature_id,undefined)=&foo%253cscript%253ealert%2528document.domain%2529%253c%252fscript%253e=1

Decoded Attack Vector:

?eq(feature_id,undefined)=&foo<script>alert(document.domain)</script>=1

Root Cause

The vulnerability existed in middleware/http-params.js where:

1. No parameter name validation - Query parameter names were parsed without validation
2. Unsafe reflection - Parameter names were included in error messages without sanitization
3. Header injection - The http_* parameter feature allowed setting arbitrary HTTP headers

Attack Flow

1. Attacker crafts URL with XSS in parameter name
   ↓
2. http-params.js parses parameter without validation
   ↓
3. Parameter name included in req._parsedUrl.query
   ↓
4. RQL parser fails on malformed query
   ↓
5. Error message reflects unsanitized parameter name
   ↓
6. XSS payload executes in victim's browser

Impact Assessment

Severity: HIGH

CVSS Score: 7.1 (High)

• Attack Vector: Network
• Attack Complexity: Low
• Privileges Required: None
• User Interaction: Required
• Scope: Unchanged
• Confidentiality Impact: High
• Integrity Impact: Low
• Availability Impact: None

Potential Impact:

• Session hijacking via cookie theft
• Credential harvesting
• Malicious redirects
• Defacement
• Phishing attacks

Fixes Implemented

1. Parameter Name Validation ✅

File: middleware/http-params.js

Added validation that blocks dangerous characters while allowing all valid RQL syntax:

• Blocks: <>"'&; (characters used in XSS attacks)
• Allows: All RQL syntax including eq(), and(), *, /, :, %, etc.

function isValidParameterName(name) {
  // Blacklist approach: block only dangerous characters
  return !/[<>"'&;]/.test(name)
}

This approach ensures legitimate queries work while preventing XSS injection.

2. HTTP Header Whitelist ✅

File: middleware/http-params.js

Restricted http_* parameters to only set whitelisted headers:

• accept
• range
• content-type

All other headers are blocked and logged.

3. Error Message Sanitization ✅

File: middleware/RQLQueryParser.js

Added sanitization of error messages:

• Removes HTML special characters
• Limits message length to 200 characters
• Prevents XSS via error reflection

4. Security Headers ✅

File: app.js

Added defense-in-depth HTTP security headers:

X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src 'self'; script-src 'none'; object-src 'none'

Testing & Verification

Test Results

Test Case	Status	Notes
XSS in parameter name	✅ BLOCKED	Parameter rejected, warning logged
XSS in header value	✅ SANITIZED	Dangerous chars removed
Unauthorized header	✅ BLOCKED	Only whitelisted headers allowed
Valid RQL queries	✅ WORKING	No impact on legitimate use
Error message reflection	✅ SANITIZED	No XSS in error responses
Security headers	✅ PRESENT	All headers correctly set

Manual Testing

# Test 1: XSS in parameter name (BLOCKED)
curl "http://localhost:3001/genome?foo<script>alert(1)</script>=bar"
# Result: 400 Bad Request, parameter blocked

# Test 2: Header injection (BLOCKED)
curl "http://localhost:3001/genome?http_authorization=malicious"
# Result: Header not set, attempt logged

# Test 3: Valid query (WORKS)
curl "http://localhost:3001/genome?eq(genome_id,123)"
# Result: Normal operation

Files Modified

1. middleware/http-params.js - Parameter validation and header whitelist
2. middleware/RQLQueryParser.js - Error message sanitization
3. app.js - Security headers
4. SECURITY_FIX.md - Detailed documentation (NEW)
5. test/security-xss.test.js - Security test suite (NEW)
6. VULNERABILITY_REPORT.md - This report (NEW)

Deployment Checklist

• Code changes implemented
• Security tests created
• Run full test suite
• Code review by security team
• Deploy to staging environment
• Verify fixes in staging
• Deploy to production
• Monitor logs for blocked attacks
• Update security documentation

Monitoring & Logging

After deployment, monitor for:

1. Security warnings in logs:

   [SECURITY] Blocked invalid parameter name: ...
   [SECURITY] Sanitized potentially malicious header value: ...
   

2. Increased 400 errors - May indicate attack attempts

3. Pattern analysis - Look for repeated attempts from same IPs

Recommendations

Immediate (Done)

• ✅ Fix parameter name validation
• ✅ Implement header whitelist
• ✅ Add error message sanitization
• ✅ Deploy security headers

Short Term (Next Sprint)

• Add rate limiting to prevent abuse
• Implement automated security testing in CI/CD
• Review all user input points for similar issues
• Add Web Application Firewall (WAF) rules

Long Term (Roadmap)

• Security audit of entire codebase
• Penetration testing
• Bug bounty program
• Security training for development team
• Implement CSP reporting endpoint

References

• OWASP XSS Prevention: https://owasp.org/www-community/attacks/xss/
• CWE-79: Improper Neutralization of Input During Web Page Generation
• OWASP Top 10 2021: A03:2021 – Injection

Sign-off

Fixed by: Development Team
Date: 2025-01-XX
Reviewed by: [Security Team]
Approved by: [Technical Lead]

---

Status: ✅ FIXED - Ready for deployment