Frontend Scrapbook

Notes that make a difference

category: Web Security

Securing 3rd party scripts

By admin on Mon Aug 17 2020

Recommendations are:
Reproducible builds, with a lockfile.
Use LTS versions where you care less about bleeding-edge features.
Tests that assert only the expected requests are sent out.
Use Subresource Integrity attributes on script and link tags:
<script integrity="sha256-oqVuAP" crossorigin="anonymous" src="core.js"></script>
crossorigin="anonymous" means the request is sent without credentials, so cookies are not included. The hash value is generated from the […]

Clickjacking

By admin on Mon Aug 17 2020

It's a UI redress attack, and it can be used to capture keystrokes as well. It makes use of an iframe positioned on top of the visible UI and hidden, giving the user an illusion and tricking them into performing an action such as a click. Stopping clickjacking: the X-Frame-Options HTTP response header
X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
X-Frame-Options: ALLOW-FROM […]

CSRF

By admin on Sun Aug 16 2020

Takes advantage of the fact that cookies (or basic authentication credentials) are passed along with requests.
<img src='http://bank.com/transfers?from=12&to=18&amount=100' />
The URL above is fetched with a GET request that performs a state-changing action, which is one of several reasons to align with REST conventions. HTML forms are another vector, which can be hidden in a landing page and […]

XSS

By admin on Sun Aug 16 2020

An injection attack that allows the attacker to read data or perform operations on the user's behalf. There are 4 types of cross-site scripting attacks:
Stored XSS: e.g. a script being stored in the database.
Reflected XSS: a transient response from the server (a validation error, for example) causes the script to execute.
DOM-based: […]