diff --git a/file/nodejs/express-xss.yaml b/file/nodejs/express-xss.yaml
new file mode 100644
index 0000000000..7b184935d9
--- /dev/null
+++ b/file/nodejs/express-xss.yaml
@@ -0,0 +1,48 @@
+id: express-xss
+
+info:
+  name: Express XSS
+  author: me_dheeraj (https://twitter.com/Dheerajmadhukar)
+  severity: info
+  description: Untrusted User Input in Response will result in Reflected Cross Site Scripting Vulnerability.
+  tags: file,nodejs,express,xss
+
+file:
+  - extensions:
+      - all
+
+    matchers:
+      - type: regex
+        regex:
+          - "function \\($REQ, $RES, ...\\) {...}"
+          - "function \\$FUNC\\(\\$REQ, \\$RES, ...\\) {...}"
+          - "\\$X = function \\$FUNC\\(\\$REQ, \\$RES, ...\\) {...}"
+          - "var \\$X = function \\$FUNC\\(\\$REQ, \\$RES, ...\\) {...}\\;"
+          - "\\$APP\\.\\$METHOD\\(..., function \\$FUNC\\(\\$REQ, \\$RES, ...\\)"
+          - "\\$RES\\.write\\(..., <... \\$REQ\\.\\$QUERY ...>, ...\\)"
+          - "\\$RES\\.write\\(..., <... \\$REQ\\.\\$QUERY\\.\\$FOO ...>, ...\\)"
+          - "\\$RES\\.send\\(..., <... \\$REQ\\.\\$QUERY ...>, ...\\)"
+          - "\\$RES\\.send\\(..., <... \\$REQ\\.\\$QUERY\\.\\$FOO ...>, ...\\)"
+          - "\\$LOCALVAR = <... \\$REQ\\.\\$QUERY ...>\\;"
+          - "\\$RES\\.write\\(..., <... $LOCALVAR ...>, ...\\)"
+          - "\\$LOCALVAR = <... \\$REQ\\.\\$QUERY\\.\\$FOO ...>\\;"
+          - "\\$LOCALVAR = <... \\$REQ\\.\\$QUERY ...>\\;"
+          - "var {\\$LOCALVAR} = <... \\$REQ\\.\\$QUERY\\.\\$FOO ...>\\;"
+          - "\\$RES\\.write\\(..., <... \\$LOCALVAR ...>, ...\\)"
+          - "var {\\$LOCALVAR} = <... \\$REQ\\.\\$QUERY\\.\\$VAR ...>\\;"
+          - "\\$RES\\.send\\(..., <... \\$LOCALVAR ...>, ...\\)"
+          - "var {\\$LOCALVAR} = <... \\$REQ\\.\\$QUERY ...>\\;"
+          - "\\$LOCALVAR = {\\$KEY: <... \\$REQ\\.\\$QUERY ...>}\\;"
+          - "\\$LOCALVAR =  {\\$KEY: <... \\$REQ\\.\\$QUERY\\.\\$FOO ...>}\\;"
+          - "\\$LOCALVAR = {\\$KEY: <... \\$REQ\\.\\$QUERY\\.\\$VAR ...>}\\;"
+          - "\\$LOCALVAR =  {\\$KEY: <... \\$REQ\\.\\$QUERY ...>}\\;"
+          - "\\$LOCALVAR\\.push\\(<... \\$REQ\\.\\$QUERY ...>\\)"
+          - "\\$LOCALVAR = <... \\$REQ\\.\\$QUERY ...>\\;"
+          - "\\$ARR\\.push\\(<... \\$LOCALVAR ...>\\)"
+          - "\\$RES\\.write\\(..., <... \\$ARR ...>, ...\\)"
+          - "\\$LOCALVAR = <... \\$REQ\\.\\$QUERY ...>\\;"
+          - "\\$RES\\.send\\(..., <... \\$ARR ...>, ...\\)"
+          - "\\$RES\\.write\\(..., <... \\$OUT ...>, ...\\)"
+          - "\\$LOCALVAR = <... \\$REQ\\.\\$QUERY\\.\\$VAR ...>\\;"
+          - "\\$OUT = <... \\$LOCALVAR ...>\\;"
+        condition: or