umma.dev

Web Security

A few notes on security vulnerabilities within JavaScript applications.

Cross Site Scripting(XSS)

  • XSS lets an attacker run their own script inside the page, with the same access to the browser's web APIs as the site's own code

  • An example of an XSS attack: an attacker finds a vulnerable input field on a page and crafts a link that injects a script into another page. Once that page is opened, the attacker decides what happens next…

  • This vulnerability can give the attacker access to LocalStorage, SessionStorage and cookies

  • To protect against this kind of threat, always escape (encode) untrusted data before inserting it into the page

Cross Site Request Forgery (CSRF)

  • This kind of attack exploits the mechanics of how the browser sends HTTP requests

  • For example, if a user’s computer stores cookies from a website, those cookies are sent automatically with every request to that site. Say a form updates the user’s email address: an attacker could make that request on the user’s behalf, then request a password reminder and take over the account…

  • To avoid this kind of threat, CSRF tokens should be added to forms, with a unique token created for each session. Add the token as a hidden field on the form and make the server reject the request if the token isn’t validated.

JWT Tokens

  • JWT is a method to secure data between two parties. The tokens are signed with a secret key, but they are not encrypted, so it’s common practice to leave sensitive data out of them. It’s a technique usually used in authentication.

  • These tokens are usually stored in local or session storage, which leaves them exposed to XSS attacks