Unintended Script Execution
Exclusive Reliance on Client-Side Validation
Relying solely on client-side validation leaves room for attackers to bypass it and send unverified data to the server, compromising records and configuration. Implement server-side validation as well.
Exposure of Session Data
Attackers leverage client-side browser scripts to access all communication between the browser and the web application. This communication may include sensitive session data, such as user session IDs, which can then be used for unauthorized access.
Unintentional User Activity
These common vulnerabilities include:
Cross-site Scripting Vulnerabilities
- Filtering and sanitizing user input
- Using effective response headers
- Encoding data before it is written into the output
- Using Content Security Policies
- Running an XSS scanner regularly, before every release
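The output-encoding and Content Security Policy items above, as an added example that is not part of the original article: a small Node.js page renderer that encodes an untrusted query parameter before interpolating it into HTML and emits a nonce-based CSP so that an injected inline script is not executed. The function names, the sample input and the fixed nonce are constructed for illustration; a real server generates a fresh nonce per response with crypto.randomBytes.

```javascript
// Added example, not from the original article: output encoding plus a
// Content-Security-Policy header for a page that echoes untrusted input.
// Function and parameter names are this example's own choices.

// Encode the characters that let attacker-controlled text break out of an
// HTML text node or a quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// A restrictive policy: resources only from our own origin, no plugins, no
// framing, and inline scripts allowed only when they carry the per-response
// nonce, so an injected <script> tag without the nonce is not executed.
function buildCsp(nonce) {
  return [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}'`,
    "object-src 'none'",
    "base-uri 'none'",
    "frame-ancestors 'none'",
  ].join('; ');
}

// Response headers for an HTML page: the CSP plus nosniff so the browser does
// not reinterpret the body as a different content type.
function securityHeaders(nonce) {
  return {
    'Content-Type': 'text/html; charset=utf-8',
    'Content-Security-Policy': buildCsp(nonce),
    'X-Content-Type-Options': 'nosniff',
  };
}

// Render a greeting: `name` comes from the request and is encoded before it is
// interpolated; the page's own inline script carries the nonce. The nonce is
// server-generated (base64), so it is safe to place in the attribute as-is.
function renderPage(name, nonce) {
  return [
    '<!doctype html><html><body>',
    `<h1>Hello, ${escapeHtml(name)}</h1>`,
    `<script nonce="${nonce}">console.log('page script');</script>`,
    '</body></html>',
  ].join('\n');
}

// Constructed request input: the `name` parameter carries markup.
const sampleName = '<script>alert(1)</script>';
const sampleNonce = 'c29tZS1yYW5kb20tbm9uY2U'; // constructed fixed value
console.log(securityHeaders(sampleNonce));
console.log(renderPage(sampleName, sampleNonce));
```

Encoding happens at the point of output, not on input, so the same stored value can later be encoded differently for a JavaScript or URL context; the CSP is the second layer for the cases the encoder misses.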
Cross-site Request Forgery Vulnerabilities
Cross-Site Request Forgery (CSRF) is a widespread security vulnerability in which threat actors trick legitimate users into submitting malicious requests to a web application from a site they have been lured into visiting. When the web application fails to distinguish valid user requests from forged ones, attackers can execute malicious actions under the guise of legitimate end users.
CSRF attacks can be prevented by:
- Implementing secure random tokens
- Logging out of web applications when they are not in use
- Disallowing automatic password entry by browsers
- Securing session credentials
- Running a CSRF scanner regularly, before every release
In this class of vulnerability, an attacker injects malicious or arbitrary code that is then executed on the web application's server because user input was not sanitized or filtered. Attackers typically look for functions that parse user-generated data without proper validation and feed them insecure scripts for the server to execute.
Avoid Evaluating User Input: eval() and new Function() execute the strings passed to them as JavaScript expressions. Because attackers can manipulate user input to run malicious scripts, avoid evaluating user input or parsing JSON data through these constructors.
Enable TLS/SSL Encryption: Encrypting data between servers and clients helps prevent CSRF and XSS attacks.
Secure API Access: Assign a token to each user accessing the web app through the API so that access can be authenticated.
Set Secure Cookies: By setting cookies as secure, each cookie can only be used for a single web page, ensuring encrypted access.
Define Content Security Policies: A content security policy helps ensure that attackers cannot inject malicious scripts into the web application to manipulate its state.
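The server-side validation, "avoid evaluating user input" and secure-cookie points above, as one added example that is not part of the original article: a Node.js request handler that parses a JSON body with JSON.parse() rather than eval(), validates each field against an allowlist on the server, and issues the session cookie with the Secure, HttpOnly and SameSite attributes. The Secure attribute restricts the cookie to HTTPS connections and HttpOnly keeps it out of reach of page scripts, which addresses the session-data exposure described earlier. The field names, limits and sample bodies are constructed for illustration.

```javascript
// Added example, not from the original article: server-side parsing and
// validation without eval(), plus a session cookie with protective attributes.
// Field names, limits and sample inputs are constructed.

// Parse and validate an order body. Returns { ok: true, value } or
// { ok: false, error }. Nothing in the body is ever evaluated as code.
function parseOrder(rawBody) {
  let data;
  try {
    data = JSON.parse(rawBody); // data, not code: no eval(), no new Function()
  } catch (err) {
    return { ok: false, error: 'body is not valid JSON' };
  }
  if (typeof data !== 'object' || data === null || Array.isArray(data)) {
    return { ok: false, error: 'body must be a JSON object' };
  }
  const { item, quantity } = data;
  // Allowlist: SKU-like identifier with a limited length and alphabet.
  if (typeof item !== 'string' || !/^[a-z0-9-]{1,32}$/.test(item)) {
    return { ok: false, error: 'item must be 1-32 chars of [a-z0-9-]' };
  }
  // Must be an actual integer in range; "3", 2.5 and 1e9 are all rejected.
  if (!Number.isInteger(quantity) || quantity < 1 || quantity > 100) {
    return { ok: false, error: 'quantity must be an integer from 1 to 100' };
  }
  // Return only the validated fields, dropping anything else the client sent.
  return { ok: true, value: { item, quantity } };
}

// Set-Cookie value for the session cookie.
//   Secure          -> sent only over HTTPS
//   HttpOnly        -> not readable by page scripts (limits session-ID theft)
//   SameSite=Strict -> not attached to cross-site requests
function sessionCookie(sessionId, maxAgeSeconds = 3600) {
  if (!/^[A-Za-z0-9_-]+$/.test(sessionId)) {
    throw new Error('session id contains characters not allowed in a cookie value');
  }
  return [
    `sid=${sessionId}`,
    'Path=/',
    `Max-Age=${maxAgeSeconds}`,
    'Secure',
    'HttpOnly',
    'SameSite=Strict',
  ].join('; ');
}

// Constructed inputs: one well-formed order and two that must be rejected.
console.log(parseOrder('{"item":"widget-42","quantity":3}'));
console.log(parseOrder('{"item":"widget-42","quantity":"3"}'));
console.log(parseOrder('{"item":"<script>","quantity":3}'));
console.log(sessionCookie('constructed-session-id'));
```

The browser may have run the same checks on the form, but the server repeats them because the request can be produced by any client, not just the page that was served.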