It is also known for its "interactive elements."
The language has functions, variables, and even objects with global scope.
This is exactly what an attacker needs in order to redefine functions, change variables, override native methods, read cookies, monitor keystrokes, and transmit the captured data, all without any authorization.
The cloud, where most information is stored nowadays, gets no protection at all from JS.
1. Snooping on self-censorship – An uncalled-for incident was reported back in 2012, when researchers collected data from nearly 5 million Facebook users across the UK and the US.
These researchers wanted to learn everything a user had typed and then deleted before posting it on their Facebook wall.
The situation has raised, and will continue to raise, concerns about protecting the much-needed privacy of end users. The most worrisome part of the whole scenario was the use of JS to snoop on people's private data.
Cross-Site Scripting vulnerabilities let attackers manipulate websites into returning malicious scripts to visitors. This happens when an attacker deliberately embeds malicious JS code that then executes in the user's web browser.
Attackers can then gain easy access to sensitive information such as a user's financial data. Cross-Site Scripting has enormous potential to spread viruses and malware, and it has also been found to cause search engine poisoning.
Through the cookies stored on your system, it is entirely possible for companies to know every single website you have visited.
Can we call that a violation?
1. Protection against XSS –
Cross-Site Scripting is one of the major OWASP security risks. Using this exploit, attackers can get access to secrets stored in LocalStorage, SessionStorage, or even cookies.
OWASP recommends never storing sensitive information in these storages. Once attackers manage to read them, they can potentially impersonate the attacked user's account.
2. How to store passwords? –
Never store passwords in plain text or hashed without a salt. Without a salt, password hashes can be reversed using rainbow tables. Using bcrypt or scrypt, which hash each password with a salt, is recommended.
For database passwords, a couple of tools you can use are git-crypt and git-secret.
You may also use Vault. Vault secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets in modern computing. Vault handles leasing, key revocation, key rolling, and auditing.
3. Protection against Cross-Site Request Forgery (CSRF) –
CSRF is an attack vector that exploits the way the browser sends HTTP requests. Unprotected forms such as user profile updates, the URL that invokes a form's action, and password reminders can all be targets of CSRF attacks.
For a secure app, add a synchronizer (CSRF) token as a hidden input field in each form. The server rejects the requested action if the token fails validation.
What do we do at Wildnet Technologies?
Our development experts have in the past dealt with JSON hijacking, DNS attacks, sandbox holes, and many more by anticipating the exact conditions under which they occur.