Xss Cross Site Scripting in Adonisjs with Api Keys

Cross-site scripting (XSS) in an AdonisJS API that uses API keys typically arises when the API both issues keys and returns data that is later rendered in a web UI. If an attacker can influence stored data or query parameters that are reflected into HTML, scripts can execute in the victim’s browser even when requests authenticate only via an API key header. AdonisJS does not sanitize output by default; developers must explicitly escape data in templates or encode values in JSON responses consumed by the browser. The API key itself does not cause XSS, but weak handling of user input and unsafe rendering practices can turn an API key–authenticated endpoint into a vector.

Consider an endpoint that accepts a name query parameter and echoes it back in an HTML response. If the developer does not escape the name, an API key–authenticated attacker (or a compromised client) can supply <script>stealCookies()</script> as the name. Because the API key proves identity but does not enforce output safety, the reflected script runs in the context of the user’s session. This maps to the OWASP API Security Top 10 A03:2023 Injection and aligns with common XSS patterns such as stored or reflected XSS in HTML/JS output. Even with API key authentication, failing to validate and encode input enables script execution.

Another scenario involves an AdonisJS API that serves JSON consumed by a frontend framework. If an attacker can inject malicious payloads into fields like username or bio, and the frontend dangerously uses innerHTML or a similar sink, the API key does not prevent execution. SSRF and improper input validation can also amplify impact by allowing attackers to probe internal services or poison data. MiddleBrick’s checks for Input Validation and Data Exposure highlight these risks by correlating spec definitions with runtime behavior, ensuring that API keys do not create a false sense of output safety.

Remediation focuses on input validation, output encoding, and safe handling of data regardless of authentication via API keys. Use schema validation to reject unexpected or dangerous input, and always encode data based on context (HTML, attribute, JavaScript, or URL). Below are concrete examples for AdonisJS.

• Validate and sanitize input with the built-in schema sanitizer:

import { schema, rules } from '@ioc:Adonis/Core/Validator'

const nameSchema = schema.create({
  name: schema.string({}, [rules.sanitize('escape'), rules.maxLength(255)])
})

export default class ApiController {
  public async store({ request, response } {)
    const payload = await request.validate({ schema: nameSchema })
    // payload.name is escaped HTML-safe string
    return response.json({ message: `Hello, ${payload.name}` })
  }
}

• Return safe JSON and instruct frontend consumers to avoid dangerous sinks:

import { HttpContextContract } from '@ioc:Adonis/Core/HttpContext'

export default class UserController {
  public profile({ request, response }: HttpContextContract) {
    const safeUser = {
      id: request.user().id,
      username: request.only(['username']).username,
      // Never include raw HTML in JSON
    }
    return response.json(safeUser)
  }
}

• Enforce Content Security Policy headers to mitigate impact if injection occurs:

import { middleware } from '@adonisjs/core/framework'

class SecurityMiddleware {
  async handle({ request, response, next }) {
    response.header('Content-Security-Policy', "default-src 'self'; script-src 'self'")
    await next()
  }
}

These steps ensure that API keys remain effective for authentication while XSS risks are addressed through canonical secure coding practices. Continuous scanning with tools like MiddleBrick can validate that such controls are present and that findings map to frameworks such as OWASP API Top 10 and compliance regimes.