A few notes on security vulnerabilities within JavaScript applications.
XSS enables you to get access to a web API
An example of XSS attack would be that a hacker finds a vulnerable input field on the page and creates a link that injects a into another page. Once the page is open, the hacker decides what happens next…
This security vulnerability can lead to access to LocalStorage, SessionStorage and cookies
To protect against this kind of threat, always use escape syntax
This kind of attack reveals the technicals of sending HTTP requests from the broswer
For example if a user’s computer stores cookies from a website, these cookies will be sent via request - let’s say an email address is updated for a user, an attack could be made with the hackner requesting a passowrd reminder and taking over the acccount…
To avoid this kind of threat, CSRF tokens should be added to forms and unique tokens should be created with each session. Adding this as a hidden field on a form in a web page and making the server reject the request action if the token isn’t validated.
JWT is a method to secure data between two parties. The tokens are assigned a secret key however it’s common to leave out sensitive data as these tokens are not encrypted. It’s a technique usually used in authentication.
These tokens are usually stored in local or session storage and are open to potential XSS attacks