Front-end security

Cross-site scripting (XSS)

XSS is an injection attack: the attacker gets code into an HTML page, and the browser treats that text as code and executes it. The injected code can steal private data, inject ads, or download unwanted software.

How to inject code?

  1. A user puts a script tag in a form, submits it, and the server persists it in the database. When that text is sent back to the browser it runs, if the server didn't escape it.
  2. A user puts a script tag in the URL; the server renders the URL into the page, and the script runs in the browser.
  3. Man-in-the-middle attack: the attacker alters the communication and injects a script into the HTML. Some ISPs use this as a feature to inject ads, wasting users' data plans.

How to prevent XSS?

Let's look at how we can limit what web applications can do.

  1. Never trust raw user data. Escape it before persisting it in the database and before rendering it. The encodeURI function can be used to escape; modern frameworks also escape user input automatically.
  2. Don't let the browser download scripts from origins you don't trust. The Content-Security-Policy HTTP header tells the browser which sources to trust, and for which types of resources. An injected script fails to download because its domain is not allowed by the CSP.
  3. Don't let the browser execute injected inline JavaScript, only our own scripts. To do this, add a nonce attribute to each script tag and list the same nonce in the CSP, or list the scripts' hash values in the CSP.

Cross-Site Request Forgery(CSRF)

CSRF makes a user unknowingly send a request to a website they are authenticated to. It takes advantage of the fact that cookies (or Basic Authentication credentials) are sent along with requests. The attacker doesn't need to know what the cookie is, and the request can be sent from any website without limit.

How to make a request?

The easiest way is a GET request: the attacker sends the user a malicious mail containing such links. For POST requests, the attacker builds a fake form that includes hidden input elements; in this case the attacker needs to get the user to visit their website.

How to prevent CSRF?

  1. Follow RESTful conventions: don't use GET requests that mutate data. Add a CSRF token to each form: every form carries a unique value that is verified on the server side.
  2. Make sure the request was sent from your domain. Validate the request origin: modern browsers send an Origin header, which cannot be altered by JavaScript. Or set the token in an HTTP header: read the token from localStorage and set it in the header, which works because localStorage is saved per origin.

HTTPS downgrade attack

A downgrade attack is part of a man-in-the-middle (MITM) attack. The initial request is sent over HTTP, and the server sends back a 301 redirect to HTTPS. The attacker talks to the server over HTTPS but to the client over HTTP. From the server's perspective, the connection is secure.

How to defend?

  1. CSP: the upgrade-insecure-requests directive tells the browser to treat any link using HTTP as if it used HTTPS.
  2. Strict-Transport-Security tells the browser this site can only be accessed using HTTPS.
All articles written with ❤ by apSomething using Gatsby, Emotion, and hosted with cloudflare pages.