1
00:00:01,004 --> 00:00:02,610
‫In this lecture, we're going to use

2
00:00:02,610 --> 00:00:06,690
‫two more packages to improve our application security,

3
00:00:06,690 --> 00:00:09,823
‫and this time to perform data sanitization.

4
00:00:11,290 --> 00:00:13,630
‫So, data sanitization basically means

5
00:00:13,630 --> 00:00:15,560
‫to clean all the data that comes

6
00:00:15,560 --> 00:00:18,313
‫into the application from malicious code.

7
00:00:19,228 --> 00:00:22,053
‫So, code that is trying to attack our application.

8
00:00:22,930 --> 00:00:26,660
‫In this case, we're trying to defend against two attacks.

9
00:00:26,660 --> 00:00:30,240
‫So, let's write it down, and we will do it,

10
00:00:30,240 --> 00:00:34,073
‫let's say, right here after the body parser.

11
00:00:35,039 --> 00:00:37,400
‫This middleware here reads the data

12
00:00:37,400 --> 00:00:40,140
‫into request.body, and only after that

13
00:00:40,140 --> 00:00:42,890
‫we can actually clean that data, right?

14
00:00:42,890 --> 00:00:46,860
‫This is a perfect place for doing the data sanitization.

15
00:00:46,860 --> 00:00:51,860
‫So, we will do data sanitization against

16
00:00:55,190 --> 00:01:00,190
‫NoSQL query injection, and also data sanitization

17
00:01:05,620 --> 00:01:09,560
‫against cross-site scripting attacks.

18
00:01:09,560 --> 00:01:11,670
‫And now before doing anything else,

19
00:01:11,670 --> 00:01:14,600
‫let me show you why it is so extremely important

20
00:01:14,600 --> 00:01:17,733
‫to defend against this type of attack.

21
00:01:19,010 --> 00:01:22,200
‫We will now simulate a NoSQL query injection

22
00:01:22,200 --> 00:01:25,620
‫and I hope that you will be as shocked as I was

23
00:01:25,620 --> 00:01:28,263
‫when I first discovered how powerful this can be.

24
00:01:29,820 --> 00:01:32,570
‫Let's now head over to Postman here,

25
00:01:32,570 --> 00:01:34,810
‫and try to log in as someone, even

26
00:01:34,810 --> 00:01:37,400
‫without knowing their email address.

27
00:01:37,400 --> 00:01:41,853
‫All right, so basically, simply giving a password,

28
00:01:42,800 --> 00:01:46,070
‫let's say this one here, we will be able to log in,

29
00:01:46,070 --> 00:01:48,603
‫but even without knowing the email address.

30
00:01:49,750 --> 00:01:51,310
‫Again, we're going to do that by

31
00:01:51,310 --> 00:01:54,480
‫simulating a NoSQL query injection,

32
00:01:54,480 --> 00:01:57,840
‫and the easiest way of doing it goes like this.

33
00:01:57,840 --> 00:02:00,530
‫Instead of specifying a real email,

34
00:02:00,530 --> 00:02:03,933
‫we specify this query, basically.

35
00:02:06,450 --> 00:02:10,010
‫We use the MongoDB greater than operator

36
00:02:10,010 --> 00:02:13,770
‫and set it equal to nothing, okay?

37
00:02:13,770 --> 00:02:15,963
‫And now, what happens?

38
00:02:17,810 --> 00:02:21,810
‫Indeed, we are now logged in as the admin.

39
00:02:21,810 --> 00:02:24,673
‫So you see we even got our access token.

40
00:02:25,590 --> 00:02:28,550
‫Yeah, we're really now logged in,

41
00:02:28,550 --> 00:02:30,873
‫and this completely blows my mind, okay?

42
00:02:31,870 --> 00:02:33,940
‫Again, without knowing the email address,

43
00:02:33,940 --> 00:02:37,390
‫only the password, we were able to log in.

44
00:02:37,390 --> 00:02:39,540
‫And believe me, it's not really difficult

45
00:02:39,540 --> 00:02:42,840
‫to find a bunch of really popular passwords

46
00:02:42,840 --> 00:02:44,693
‫that are used on every application.

47
00:02:46,198 --> 00:02:49,203
‫So, this kind of attack is what we need to protect against.

48
00:02:50,670 --> 00:02:54,913
‫This works basically because this will always be true,

49
00:02:55,940 --> 00:02:58,840
‫so that's actually - you also see that in Compass.

50
00:02:58,840 --> 00:03:01,590
‫So I'm copying it, or actually, let's copy all of this.

51
00:03:05,130 --> 00:03:08,313
‫Then try to filter by this exact same thing.

52
00:03:09,460 --> 00:03:12,660
‫Now we're just missing the curly braces,

53
00:03:12,660 --> 00:03:15,870
‫but now we actually get a valid query.

54
00:03:15,870 --> 00:03:20,440
‫Let's hit Find, and indeed, this returns all of the users.

55
00:03:20,440 --> 00:03:24,033
‫So basically, all of the users match this query.

56
00:03:25,340 --> 00:03:28,540
‫Again, it is because this here is always true.

57
00:03:28,540 --> 00:03:31,503
‫That will then select all the usernames.

58
00:03:33,330 --> 00:03:36,340
‫That malicious query injection here allowed us

59
00:03:36,340 --> 00:03:40,760
‫to log in only knowing this password, all right?

60
00:03:40,760 --> 00:03:43,510
‫So, to protect ourselves against this,

61
00:03:43,510 --> 00:03:45,623
‫let's install another middleware,

62
00:03:48,560 --> 00:03:52,953
‫and this one is called express-mongo-sanitize,

63
00:03:59,680 --> 00:04:02,610
‫and since we're here, let's also go ahead

64
00:04:02,610 --> 00:04:04,900
‫and install the other one that we're going to need,

65
00:04:04,900 --> 00:04:08,873
‫but later in this video, which is called simply XSS.

66
00:04:10,486 --> 00:04:14,603
‫Actually, that was not correct; it's called XSS_clean.

67
00:04:18,530 --> 00:04:22,760
‫We need to go ahead and uninstall the other one.

68
00:04:22,760 --> 00:04:24,700
‫NPM uninstall XSS.

69
00:04:29,308 --> 00:04:34,308
‫Let's take a look at our package.json, and indeed it's gone.

70
00:04:35,280 --> 00:04:38,743
‫Again, XSS_clean is the one that we want to use.

71
00:04:42,150 --> 00:04:43,840
‫Anyway, first, let's talk about

72
00:04:43,840 --> 00:04:45,923
‫the NoSQL query injection again.

73
00:04:48,040 --> 00:04:51,730
‫All we're going to use is - and of course,

74
00:04:51,730 --> 00:04:54,343
‫we need to first require it, so

75
00:04:57,862 --> 00:05:02,695
‫const mongoSanitize equals require express-mongo-sanitize.

76
00:05:08,610 --> 00:05:12,790
‫Again, VS Code here helps me, and since we're here,

77
00:05:12,790 --> 00:05:14,853
‫let's also require the next one.

78
00:05:16,120 --> 00:05:18,763
‫The variable I'm requiring is called XSS,

79
00:05:20,000 --> 00:05:23,947
‫and then the name of the module is XSS_clean.

80
00:05:27,160 --> 00:05:32,103
‫So, let's now use this mongoSanitize here - right here.

81
00:05:33,490 --> 00:05:36,450
‫MongoSanitize is a function that we will call,

82
00:05:36,450 --> 00:05:38,700
‫which will then return a middleware function,

83
00:05:38,700 --> 00:05:40,110
‫which we can then use.

84
00:05:40,110 --> 00:05:42,330
‫This is enough to prevent us against

85
00:05:42,330 --> 00:05:44,820
‫the kind of attack that we just saw before.

86
00:05:44,820 --> 00:05:46,610
‫So, what this middleware does is

87
00:05:46,610 --> 00:05:49,900
‫to look at the request body, the request query string,

88
00:05:49,900 --> 00:05:52,640
‫and also at Request.Params, and

89
00:05:52,640 --> 00:05:54,190
‫then it will basically filter out

90
00:05:54,190 --> 00:05:56,363
‫all of the dollar signs and dots,

91
00:05:57,410 --> 00:06:00,730
‫because that's how MongoDB operators are written.

92
00:06:00,730 --> 00:06:03,140
‫By removing that, well, these operators

93
00:06:03,140 --> 00:06:04,833
‫are then no longer going to work.

94
00:06:05,830 --> 00:06:07,123
‫So, let's try that again.

95
00:06:08,100 --> 00:06:12,003
‫Again, it will remove all of these dollar signs.

96
00:06:13,712 --> 00:06:16,080
‫So if I do this now, then indeed,

97
00:06:16,080 --> 00:06:17,930
‫we get this error, and we can

98
00:06:17,930 --> 00:06:20,270
‫no longer use this trick here,

99
00:06:20,270 --> 00:06:23,900
‫this query injection attack, to log in.

100
00:06:23,900 --> 00:06:26,720
‫So, that fixes the first problem,

101
00:06:26,720 --> 00:06:28,960
‫but now let's use that other middleware

102
00:06:28,960 --> 00:06:31,700
‫that we also just required before.

103
00:06:31,700 --> 00:06:36,700
‫So, app.use and XSS, all right?

104
00:06:37,590 --> 00:06:39,870
‫This will then clean any user input

105
00:06:39,870 --> 00:06:42,283
‫from malicious HTML code, basically.

106
00:06:43,210 --> 00:06:45,780
‫Imagine that an attacker would try to insert

107
00:06:45,780 --> 00:06:48,180
‫some malicious HTML code with some

108
00:06:48,180 --> 00:06:50,620
‫JavaScript code attached to it.

109
00:06:50,620 --> 00:06:54,090
‫If that would then later be injected into our HTML site,

110
00:06:54,090 --> 00:06:56,423
‫it could really create some damage then.

111
00:06:57,300 --> 00:06:59,710
‫Using this middleware, we prevent that

112
00:06:59,710 --> 00:07:03,063
‫basically by converting all these HTML symbols.

113
00:07:04,380 --> 00:07:07,040
‫As I said before, the Mongoose validation itself

114
00:07:07,040 --> 00:07:10,937
‫is actually already a very good protection against XSS,

115
00:07:12,230 --> 00:07:14,170
‫because it won't really allow any

116
00:07:14,170 --> 00:07:16,730
‫crazy stuff to go into our database,

117
00:07:16,730 --> 00:07:18,613
‫as long as we use it correctly.

118
00:07:19,480 --> 00:07:22,320
‫Whenever you can, just add some validation to

119
00:07:22,320 --> 00:07:25,037
‫your Mongoose schemas, and that should mostly protect you

120
00:07:25,037 --> 00:07:29,290
‫you from cross-site scripting, at least on the server side.

121
00:07:29,290 --> 00:07:33,083
‫Let's just very quickly test this middleware here, as well.

122
00:07:34,990 --> 00:07:38,333
‫What I'm going to do is to simply create a new user,

123
00:07:39,960 --> 00:07:43,573
‫and let's call it "tester" here or something like that.

124
00:07:44,500 --> 00:07:47,420
‫The password is right, and here,

125
00:07:47,420 --> 00:07:50,403
‫in the name, let's add some HTML code.

126
00:07:51,480 --> 00:07:56,480
‫So, div with the id of bad-code.

127
00:08:00,470 --> 00:08:02,503
‫All right, let's try that now.

128
00:08:06,790 --> 00:08:10,310
‫You see that the XSS module that we used

129
00:08:10,310 --> 00:08:13,263
‫actually converted these HTML symbols here,

130
00:08:14,190 --> 00:08:19,163
‫mostly this one, into this HTML entity here.

131
00:08:21,440 --> 00:08:24,130
‫Let's just quickly delete this guy.

132
00:08:24,130 --> 00:08:27,593
‫We don't need him at all. (Laughs)

133
00:08:29,556 --> 00:08:33,300
‫That is our quick and easy protection against

134
00:08:33,300 --> 00:08:36,293
‫some of these attacks using data sanitization.

135
00:08:37,280 --> 00:08:40,460
‫Also remember that the validator function library

136
00:08:40,460 --> 00:08:42,770
‫that we used before also has a couple of

137
00:08:42,770 --> 00:08:45,123
‫cool sanitization functions in it.

138
00:08:45,980 --> 00:08:49,820
‫We could also manually build some middleware using these,

139
00:08:49,820 --> 00:08:51,820
‫but again, that's not really necessary,

140
00:08:51,820 --> 00:08:55,890
‫because Mongoose already enforces a strict schema.

141
00:08:55,890 --> 00:08:58,250
‫Then, if it encounters something weird,

142
00:08:58,250 --> 00:09:00,870
‫it will then throw an error, and yeah,

143
00:09:00,870 --> 00:09:03,290
‫that's already a pretty good protection.

144
00:09:03,290 --> 00:09:06,240
‫So, we're really almost done with the security part.

145
00:09:06,240 --> 00:09:07,740
‫All we need to do in the next video

146
00:09:07,740 --> 00:09:10,163
‫is to prevent Parameter Pollution.