Cross-Site Scripting (XSS)
In an XSS attack, an attacker injects malicious script into a website so that it executes in the victim's browser. The script can then leak login information and session cookies.
Cross-Site Request Forgery (CSRF)
In a CSRF attack, an attacker uses social engineering to trick a logged-in user into triggering a request to the website. Because the browser attaches the user's cookies automatically, the attacker can perform actions on the website on behalf of the user without their consent.
To reduce the risk of CSRF vulnerabilities, use protective measures such as CSRF tokens and the SameSite attribute on cookies.
JSON Hijacking
JSON hijacking is a type of attack in which an attacker exploits the browser's same-origin policy to gain unauthorized access to sensitive JSON data. The vulnerability occurs when a website returns sensitive data as a bare JSON array without a correct "Content-Type" header, so that another origin can load the response as a script.
Use the "application/json" Content-Type header for JSON responses to prevent JSON hijacking. Another approach is to prefix the JSON data with "while(1);" so that the response cannot be executed directly as a script.
Insecure Direct Object References (IDOR)
IDOR vulnerabilities occur when an app lets users access sensitive data without checking that they are authorized to do so, leading to unauthorized access and data exposure. To avoid such vulnerabilities, your app must enforce proper access controls, authorization checks, and input validation.
Man-in-the-middle attacks (MITM)
During module installation, attackers can manipulate unencrypted traffic between browsers and the npm registry. This involves exploiting install hooks that download or use resources from the internet over HTTP.
#1. Ensure high-quality code
Correct use of equality operators, hoisting, and callbacks is crucial to high-quality code, and requires a thorough understanding of the fundamentals. Avoid functions that evaluate strings as code, such as eval(), Function(), and setTimeout() or setInterval() when passed a string.
If used with untrusted data, these functions can lead to cross-site scripting (XSS) attacks. You can use a linter, such as ESLint, to identify such code issues early. Another way to ensure high-quality and secure code is to use static application security testing (SAST).
#2. Check whether you need third-party libraries or not!
#3. Secure communication between browser and server
You can buy an SSL certificate from leading certificate authorities (CAs) like Comodo, DigiCert, etc. The CA will ask for a certificate-signing request (CSR) containing the details of your organization and will verify domain ownership according to the type of certificate you choose.
Once you submit the CSR, the CA verifies the information and issues an SSL certificate that you can install on the website. This ensures that the connection between the browser and the server is secure whenever a user accesses data.
#4. Make sure each input is validated
Some of the OWASP-recognized encodings that you can use are:
- HTML entity encoding
- HTML attribute encoding
- URL encoding
- CSS Hex
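As an added example (not code from the original article), here are context-specific encoders for the four OWASP contexts listed above, in plain JavaScript; the function names are my own. Each encoder fits exactly one output context, and using the wrong one, or none, is how untrusted input turns into XSS.

```javascript
// Added example: one output encoder per context. Pick the encoder that
// matches where the untrusted value is being inserted.

// 1. HTML entity encoding: for text placed between tags, e.g. <p>VALUE</p>.
function encodeForHTML(input) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;',
                '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };
  return String(input).replace(/[&<>"'/]/g, (ch) => map[ch]);
}

// 2. HTML attribute encoding: for values inside quoted attributes,
//    e.g. <input value="VALUE">. Everything except alphanumerics becomes
//    &#xHH;, so the value cannot close the quote or add an attribute.
function encodeForHTMLAttribute(input) {
  return String(input).replace(/[^A-Za-z0-9]/gu,
    (ch) => `&#x${ch.codePointAt(0).toString(16).toUpperCase()};`);
}

// 3. URL encoding: for values placed in a query string, e.g. ?q=VALUE.
//    The built-in encodeURIComponent does the right thing here.
function encodeForURL(input) {
  return encodeURIComponent(String(input));
}

// 4. CSS hex encoding: for values inside a style property, e.g.
//    color: VALUE. Non-alphanumerics become a fixed-width \HHHHHH escape,
//    so ';' or '}' cannot end the declaration or the rule.
function encodeForCSS(input) {
  return String(input).replace(/[^A-Za-z0-9]/gu, (ch) =>
    '\\' + ch.codePointAt(0).toString(16).toUpperCase().padStart(6, '0'));
}

// Usage: encode at the point of output, in the context being written.
function greetingHTML(name) {
  return `<p>Hello, ${encodeForHTML(name)}!</p>`;
}
```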
Further, if your website accepts HTML as user input, sanitize it before displaying it on the page. This means validating the input and removing any unexpected characters or markup before it is rendered.
#5. Prevent JSON injections
Developers often use JSON as a reliable syntax for exchanging information between apps. JSON is simple, easy to understand, and has a predictable hierarchical structure. In a JSON injection attack, an attacker supplies input that the app accepts without validation or sanitization.
Such attacks can affect the server side or the client side of the website. For example, if server-side code builds a JSON object by concatenating strings, user input embedded in that string can change the structure of the resulting JSON and expose sensitive information to the attacker.