While working on frontend security projects, I encountered Secure - here's what I learned.
Have questions? Feel free to ask in the comments section below.
Main text
Secure coding in JavaScript
JavaScript is the front-end of the entire internet. Because JavaScript is so prolific, it’s a prime target for attackers.
Credit: Alexandra Francis
JavaScript is the front-end of the entire internet. Whether you transpile TypeScript down into JavaScript, create fast little node.js scripts, or build a beautiful-but-dumb front end that calls a much more interesting collection of APIs, it’s literally everywhere. Because JavaScript is so prolific, it’s a prime target for attackers. In this article we will cover ten tips for writing more secure JavaScript.
1. Cross-site scripting
The number one item to discuss when it comes to JavaScript security is always cross-site scripting (XSS). Cross-site scripting is a form of injection; it means an attacker has confused your application into either interpreting or executing their malicious code instead of treating it as data. User input should always be treated as data, but unfortunately computers can be fooled if we are not careful.
XSS is the one type of injection that works only in JavaScript. It is also the only type of injection that attacks the user directly, by taking control of the browser and using it against the victim. All other types of injection do not attack the user; for instance, SQL injection attacks the database server, command injection attacks the host operating system that the application runs on, and LDAP injection attacks the LDAP server. You get the picture.
With XSS, an attacker can use the browser to access your cookies (including your session information, if you have stored it inside your cookie in an insecure way), load external scripts (if you haven’t locked that down using Content Security Policy), install a keylogger, vandalize your website, etc. Anything that JavaScript is capable of doing, an XSS attack can also do; the only limits are an attacker’s imagination.
Although instances of XSS have declined over the years, thanks to various forms of awareness and education (such as The OWASP Top Ten Risks to Web Apps), newer JavaScript frameworks performing output encoding automatically, and teams taking security more seriously than ever before, it is unfortunately still a high-risk problem.
To eliminate your chances of having XSS affect your applications, perform the following actions:
Perform input validation on all user-supplied or user-modifiable data. After you perform input validation, if you have to accept potentially hazardous characters (such as ', ", -, etc.) you should protect your application by either escaping them (adding a backslash in front) or sanitizing them out (literally replacing them with another character or just removing them altogether).
Perform output encoding on anything that will be displayed to the screen, including anything that might be displayed (for instance if you are returning something from an API that you know will be displayed by your front end). If you can have your framework do this work for you, that’s the easiest and often most effective way to ensure you do this correctly. Output encoding can become quite complicated, especially if you are doing inline JavaScript. No one wants to do nested encoding!
Use the Content Security Policy header (CSP) to list all of the third-party components that you will allow as part of your app, especially scripts. The first thing a malicious XSS attack will do is try to call out to another, much larger, malicious script on the internet. Most fields only allow 50 or 100 characters, which is not a lot of space to write code for an attack. If they are able to call out to a malicious site on the net, then call a much longer script, you increase the risk exponentially.
More Details
There are a few more points worth noting. First, support varies from browser to browser. Second, performance optimization is crucial when handling large amounts of data. Finally, key management is also an important consideration.
Due to length constraints, I'll wrap up here. More practical examples coming soon. Leave a comment if you have questions!
Reference: Secure coding in JavaScript - Stack Overflow