Security Hub

Bring your software development workflows to security

pug

Pug XSS

Coming soon

Signals & Triggers

On Pug template rendering
If malicious user input not escaped in the response

Actions

  • Block the HTTP request Block the HTTP request
  • Log request stack trace Log request stack trace
  • Log the malicious request Log the malicious request
  • Report an incident Report an incident

Notifications

  • Send an email to all team members Send an email to all team members
  • Send a Slack notification. Send a Slack notification.
  • POST to your Webhook. POST to your Webhook.
  • Send to New Relic Insights. Send to New Relic Insights.
  • Create an incident on PagerDuty (coming soon) Create an incident on PagerDuty (coming soon)

Details

A Cross-site Scripting (XSS) allows an attacker to inject a script into the content of a website or app. When a user visits the infected page the script will execute in the victim’s browser. This allows attackers to steal private information like cookies, account information etc.

There are two types of XSS: reflected XSS and stored XSS. A reflected XSS (or also called a non-persistent XSS attack) happens when a malicious script is reflected off to another website through the victim’s browser. It’s often injected through the query string. The XSS vulnerability can then just be exploited by making a user click on a link. A stored XSS (or persistent XSS) takes place when the malicious script is injected directly into the vulnerable web application.

The Pug XSS plugin protects applications and users from reflected XSS.

Advanced details

When the application starts, Sqreen library hooks the unsafe methods of the Pug templating engine in order to catch data about to be rendered in the HTML page.

The plugin checks if the user input can execute arbitrary JavaScript in the context of the rendered page. If it can, Sqreen will trigger this plugin and perform the requested action. The page will always be rendered to your users.

If the Escape executable HTML code action is selected, Sqreen will perform HTML encoding on the malicious user input: special characters like <script> are encoded into &lt;script&gt; without impacting the Pug rendering to users.

Language support

  • Node.js

Data collected by Sqreen

Signals

No data collected


On attack
  • Malicious user inputs
  • Stack trace
  • HTTP request context

Built for developers and modern apps

Get up and running in minutes just by installing our lightweight library. Enable plugins in just a couple of clicks.

  • Node.js
  • Ruby
  • PHP
  • Python
  • Java
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9

$ npm install --save sqreen

$ echo '{ "token": "your token" }' > sqreen.json

 

// This should be the first line of your app

require('sqreen');

$ echo "gem 'sqreen'" >> Gemfile

$ bundle install

$ echo "token: your token" >> config/sqreen.yml

$ curl -s https://download.sqreen.io/php/install.sh > sqreen-install.sh && bash sqreen-install.sh your token

$ pip install sqreen

$ echo -e '[sqreen]\ntoken: your token' >> sqreen.ini

 

# Insert at the top of your app file (typically wsgi.py or app.py)

import sqreen

sqreen.start()

$ curl https://download.sqreen.io/java/sqreen-latest-all.jar -o sqreen-latest-all.jar

 

// Next, edit the JVM startup file:

-javaagent:/path/to/sqreen-agent.jar -Dsqreen.token={{your token}}

Build amazing products. Keep them safe.

3 min installation · Try all features for 7 days · No credit card required Get started Request demo