Cross-Site Scripting (XSS)
Types of XSS:
Stored XSS. Malicious scripts are permanently stored on the server (in a message on a forum or database) and made available to users.
Reflected XSS. Malicious scripts are embedded in a URL or input field and displayed to users from a web server.
DOM-based XSS. The vulnerability occurs on the client-side resources when scripts directly manipulate the Document Object Model (DOM).
Preventing XSS requires inspecting input data, encoding output data, and implementing Content Security Policy (CSP) headers to limit sources of script execution.
Cross-Site Request Forgery (CSRF)
CSRF is an attack in which a hacker tricks a user into unknowingly making an unwanted request to another website where the victim is authenticated. This way, they can perform actions on the user's behalf without consent.
To prevent CSRF, use anti-CSRF tokens in forms validated on the server. Also, consider applying the SameSite attribute to cookies to limit their use in cross-site requests.
Third-Party Security Vulnerabilities
To mitigate such vulnerabilities, regularly update third-party dependencies and libraries to the latest secure versions. Use tools like npm (Node Package Manager) audit to find and fix weaknesses.
Detects use of eval(), which can create vulnerabilities
Identifies variables and functions that are defined but never used
Enforces coding standards and formatting rules to facilitate anomaly detection
Detects shadowing of variables, which can lead to undesirable consequences
Ensures that sensitive information is not hard-coded directly into the source code
To follow this practice:
Configure it with security rules and guidelines
Integrate linter into your development workflow to automatically check code during development and in your continuous integration (CI) pipeline
Audit Dependencies with a Package Manager
Auditing your project's packages is vital to ensure your application has no known security vulnerabilities. You can use package managers like npm or Yarn.
Regularly auditing your dependencies contributes to a secure software supply chain. Ensure you don't accidentally use packages with known vulnerabilities that attackers can exploit.
To apply this practice:
Use the built-in audit or security check commands provided by your package manager (npm audit for npm or yarn audit for Yarn)
Configure automatic checks in your CI/CD pipeline to continuously monitor and report vulnerabilities in your dependencies
Apply updates to your dependencies early to protect your project
Try Subresource Integrity (SRI) Checking
How it works:
When you add an external script or resource to your HTML, you include the cryptographic hash of the resource's content as an attribute
When a browser receives a resource, it calculates its hash and compares it to the expected value
If the hashes match, the resource is considered safe and executed
If they don't match, the browser blocks the resource from running, preventing potential security risks
To implement SRI, you add an integrity attribute to your <script> or <link> tags with the appropriate cryptographic hash. Online tools and generators will help you generate the correct hash values.
Establish a Content Security Policy
A Content Security Policy (CSP) allows you to specify which content sources are considered safe and which are not.
Implementing CSP involves setting HTTP headers on your web server or defining the Content-Security-Policy meta tag in your HTML.
Validate User Input
Always verify that user-submitted data conforms to the expected format, restrictions, and business rules before processing it. It helps you:
Prevent injection attacks such as SQL injection and XSS
Maintain data integrity and prohibit incorrect data from being processed
Improve user interaction so they understand and correct input errors
This practice includes checking data type, length, and format and ensuring compliance with application requirements. For example, if you expect an email address, ensure the data the user enters follows the desired format.
Escape or Encode User Input
Escaping or encoding user input is a primary method of preventing cross-site scripting (XSS) attacks. Convert data into a secure format that can be displayed or stored without exposing your security system.
With this practice, you prevent the execution of malicious scripts in the context of other users' browsers. Proper coding also protects your databases from SQL injection attacks.
Don’t Store CSRF Token in Cookies
CSRF attacks occur when a hacker tricks a user into making an unwanted malicious request to a website where the user has authenticated. CSRF tokens will help reduce these risks.
We do not recommend storing the CSRF token in cookies. The fact is that cookies can be vulnerable to theft through XSS attacks. It is better to follow this algorithm:
Create a unique token for each user session and insert it into your HTML forms or headers
When a user submits a form or makes a request, add a token to the request data
On the server, check the token to make sure it matches the expected value.
Ensure Secure Cookie Transmission
Cookies are commonly used to store session and authentication information in web applications. To protect this sensitive data, you should ensure that cookies are securely transmitted over HTTPS and configured with secure attributes.
When cookies are transmitted over an unencrypted HTTP connection, they can be intercepted by attackers using packet sniffers. Use HTTPS to encrypt data transmission between the client and the server.
Secure transfer of cookies prevents eavesdropping and tampering of session data and authentication tokens. In addition, using HTTPS to transfer cookies is recommended by security standards like OWASP.
To implement this practice:
Make sure your web application is served over HTTPS and force HTTP traffic to HTTPS
Use the Secure attribute when setting cookies
Implement HTTP Strict Transport Security (HSTS) to ensure your site is always accessible over HTTPS, even if users first type "http://" in their browsers
Minify, Bundle, and Obfuscate your Code
After implementing these techniques, thoroughly test your application to ensure that minification, bundling, and obfuscation do not cause functionality or performance issues.