- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF)
- Injection (SQL)
- Open-source vulnerabilities
- Filtering input
- Reliance on client-side validation alone
- Escaping or encoding user input
- Unintended script execution
- Inducing users to perform unintended actions
JavaScript is render-blocking, which has tremendous advantages when it is executed.
Because of all these vulnerabilities, and because of the advantages JavaScript brings, it becomes necessary to protect JavaScript on the client side as well as on the server side.
- Setting secure cookies: Once SSL/HTTPS is in use, developers should set the application's cookies with the Secure attribute, which limits the cookies to secure (HTTPS) pages only.
- Setting API access keys: Assigning an individual token to each user at every endpoint adds to the security: if the tokens do not match, access is denied or revoked.
- Using safe methods of DOM manipulation: Methods such as innerHTML are potentially dangerous because they do not limit or escape/encode the values that are passed to them. Using a method like textContent instead provides inherent escaping of potentially hazardous content. This is particularly useful in preventing DOM-based XSS attacks.
- Implementing a strong authentication process: In reality, weak or inconsistent authentication is easy to bypass. When validating passwords, make sure to limit failed login attempts and return a generic "incorrect credentials" error. Be sure to implement two-factor authentication (2FA). Done properly, this can increase the security of the application drastically.
- Running automatic vulnerability scanning: Frequent vulnerability scans help you find vulnerable dependencies and thus provide a check for vulnerabilities in the system.
- Encoding data: Cross-site scripting is one of the most common browser-side vulnerabilities. XSS attacks can result in identity and data theft. It can be prevented by filtering input on arrival, encoding data when outputting it, using appropriate response headers and following a Content Security Policy (CSP). If the right CSP rules are enforced, the browser can be prevented from executing content that comes from an untrusted URL. Some points that can be used for prevention:
  - Avoid using sources.
  - Avoid using sinks where possible.
  - Try to perform whitelist-based filtering on sources.
  - Perform proper encoding before sending data to any sink.
- Using the SameSite cookie attribute for session cookies: Cross-site request forgery is an attack where the attacker takes over or impersonates the identity of a user by hijacking the session cookie. This attack can lead to account tampering, data theft, fraud and more. The following preventive steps should be kept in mind to avoid such a vulnerability:
  - Always use the SameSite cookie attribute for session cookies.
  - The Referer or Origin header must be verified.
  - Implement user-interaction-based protection for highly sensitive operations.
  - The authentication (password) process should be stronger.
  - One-time tokens, CAPTCHAs etc. can act as a strong defence if correctly implemented.
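The following is an added example, not code from the original article, showing three of the server-side defences listed above in plain Node.js: a session cookie carrying the Secure, HttpOnly and SameSite attributes, Origin/Referer verification for state-changing requests, and HTML encoding of data on output. The function names and the allowed origin `https://app.example` are assumptions.

```javascript
// Added example (not from the original article). The allowed origin and all
// function names are assumptions chosen for illustration.
const ALLOWED_ORIGIN = 'https://app.example'; // assumed deployment origin

// Build the Set-Cookie value for the session cookie. Secure limits it to
// HTTPS, HttpOnly keeps it away from document.cookie, and SameSite=Strict
// stops the browser attaching it to cross-site requests (CSRF defence).
function buildSessionCookie(sessionId) {
  if (!/^[A-Za-z0-9_-]+$/.test(sessionId)) {
    throw new Error('session id contains characters not allowed in a cookie');
  }
  return `session=${sessionId}; Path=/; Secure; HttpOnly; SameSite=Strict`;
}

// Verify the Origin header of a state-changing request, falling back to the
// Referer header when Origin is absent. Node lowercases header names, so the
// keys are `origin` and `referer`. Anything that cannot be verified is rejected.
function isSameOriginRequest(headers) {
  const origin = headers.origin;
  if (origin !== undefined) return origin === ALLOWED_ORIGIN;
  const referer = headers.referer;
  if (referer === undefined) return false;
  try {
    return new URL(referer).origin === ALLOWED_ORIGIN;
  } catch {
    return false; // an unparsable Referer is treated as cross-site
  }
}

// Encode untrusted text before placing it in an HTML body or quoted attribute,
// so that user input is rendered as text rather than interpreted as markup.
function encodeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Usage: constructed sample request headers, as a server would see them.
console.log(buildSessionCookie('s3ss10n-id'));
console.log(isSameOriginRequest({ origin: 'https://evil.example' })); // false
console.log(encodeHtml('<img src=x onerror=alert(1)>'));
```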