OWASP Browser Vulnerabilities

XSS (Cross-Site Scripting)

XSS attacks are attacks where attacker injects malicious JavaScript code into web page to execute this code in victim's browser. This vulnerability can lead to session theft, personal data theft or arbitrary actions on behalf of user.

XSS Attack Example

Attacker creates link with malicious JavaScript, sends it to victim via email. When victim clicks link, JS code executes in their browser, allowing theft of credentials, sessions or other malicious actions.

XSS Attack Protection Methods

Content Security Policy (CSP): Create list of allowed content sources, limiting loading only from trusted domains.
Don't use eval() and dangerouslySetInnerHTML: These methods allow executing arbitrary code, opening vulnerabilities.
HttpOnly cookies: Set cookies with HttpOnly attribute to prevent cookie access via JavaScript.
Input sanitization: Clean input data from malicious scripts using escaping to prevent their execution.

XSS Types

Stored XSS: Malicious code is stored in database and executed on page on subsequent request.
Reflected XSS: Script is not stored, but passed via URL or request parameters. When server returns page with this script, it executes in victim's browser.
DOM-based XSS: Malicious script is injected into client-side JavaScript code via DOM vulnerabilities, without server changes.

CSRF (Cross-Site Request Forgery)

CSRF is attack where attacker forces user to execute unwanted request on their behalf. This is possible because browser automatically sends cookies and other authentication data on requests, even if request was initiated by external source.

CSRF Attack Protection Methods

Using CSRF tokens: Generate unique token for each user session. This token must be included in form or request and verified by server.
Using HTTPS: Secure connections prevent interception and data modification.
SameSite Cookies: Set SameSite attribute for cookies to prevent their sending with cross-domain requests.

Using Deprecated npm Packages

Using outdated or unsupported packages in npm can lead to vulnerabilities in your application, as such packages may contain known bugs or vulnerabilities. For example, old package versions may not have security updates.

Protection Methods

Regularly update packages and dependencies.
Use tools such as npm audit to check packages for vulnerabilities.
Prefer using supported and actively updated packages.

SQL/NoSQL Injections

SQL injections are attacks where attacker inserts or modifies SQL queries to gain access to data, modify it or perform arbitrary database actions.

NoSQL injections — similar attacks, but for NoSQL databases, e.g., MongoDB.

SQL/NoSQL Injection Protection Methods:

Using prepared statements: These queries ensure safe database interaction and prevent injections.
Input sanitization: All data received from users must be checked and cleaned.
ORM (Object-Relational Mapping): Use ORM frameworks that automatically protect against injections.

Man-in-the-Middle (MITM)

MITM attack involves intercepting, spoofing or eavesdropping on traffic between client and server. Attacker can gain access to confidential information or modify data during transmission.

MITM Protection Methods:

Using HTTPS: HTTPS protects data using TLS, making data inaccessible for interception or modification.
SSL/TLS certificates: Ensure you use valid certificates to establish secure connections.
HSTS (HTTP Strict Transport Security): This mechanism forces browsers to use only HTTPS for accessing your site.

Clickjacking - Click Substitution Attack

Clickjacking is attack where attacker overlays hidden interface elements on visible ones, forcing user to interact with them without realizing it. This can lead to unwanted actions (e.g., clicking "confirm payment" button).

Clickjacking Protection Methods:

X-Frame-Options: Set X-Frame-Options header to DENY or SAMEORIGIN to prevent embedding your site in iframe.
Content-Security-Policy (CSP): Use CSP to limit content sources and prevent embedding in frames.
Click protection implementation: Use mechanisms such as challenge-response to protect against unauthorized actions.

Back

Forward

Content

XSS (Cross-Site Scripting)XSS Attack Example XSS Attack Protection Methods XSS Types CSRF (Cross-Site Request Forgery)CSRF Attack Protection Methods Using Deprecated npm Packages SQL/NoSQL Injections SQL/NoSQL Injection Protection Methods:Man-in-the-Middle (MITM)MITM Protection Methods:Clickjacking - Click Substitution Attack Clickjacking Protection Methods: