Published on November 17, 2022 by PreEmptive Team
→ Vulnerabilities in Source Code
Other vulnerabilities include developers’ widespread use of libraries and software packages in the application code. There can be potential hidden vulnerabilities in the packages, which hackers can use to exploit the code later on.
→ Cross-Site Scripting (XSS) Vulnerability
XSS attacks allow web applications to accept unintended or untrusted scripts on a webpage without proper validation.
The XSS attack involves the hacker interacting with the user through reverse engineering or requesting them to visit a particular page. Next, the browser executes the untrusted script, and the attack completes successfully.
→ Server-Side Injection Vulnerability
The applications that usually pass string functions like setTimeout(), eval(), and setInterval() are more vulnerable to injection attacks. An attacker can create an id string parameter to retrieve all tables from the database or write in the database.
→ Hijacking Session Data
1. Conduct Regular Scans on Your Code
Audit your application code regularly to find potential vulnerabilities. In addition, write test units to ensure your code behaves as you want it to and executes securely.
Also, use scanning tools to regularly scan your application code and identify potential vulnerabilities in third-party libraries and packages. So, you can remove them before they can be exploited. Do a regular patch and update your libraries.
2. Perform Proper Input Validation
To prevent XSS attacks, perform proper validation and sanitization of user input to ensure it only consists of acceptable characters. For example, you can allow the phone number field to include only numbers and a dash or parentheses.
Don’t allow unexpected character input. Use methods such as innerText, a secure way to manipulate DOM. This method escapes malicious content, thus preventing DOM-based XSS attacks.
To prevent malicious SQL injections, you must also perform input validation. If it fails the test, the SQL query won’t be executed. Another way to deter potential injection attacks is to replace concatenations with prepared statements or parameterized queries.
Basically, the parameterized queries can extract the SQL syntax from the input parameters.
3. Escape or Encode Insecure Data
This enables the hacker to get out of the text field and provide extra browser-side code for execution. To prevent this type of attack, any time your browser-supplied user input returns a response, replace the special characters with an escape code.
For instance, replaced the < and > characters to delimit HTML entities with < and >. This will prevent the browser from interpreting these characters as HTML entities, forcing it to display them.
4. Secure Cookie Transmission
It is a bad security practice to expose session IDs in logs, error messages, or URLs. This causes issues like session hijacking, fixation, and cross-site request forgery (CSRF). The CSRF attack tricks the browser to execute malicious requests to other websites in the background by using the clients’ session cookies.
A technique to prevent this kind of attack is to introduce tokenization for client-server interaction. Upon establishing a session, a token must be generated for each form on the site and sent with each request while the user is present on the website.
Another way to secure cookie transmission is to use HTTP-only cookies. This attribute won’t allow the browser to provide access to cookies through DOM. It will also prevent client-side script attacks from accessing session IDs from the cookies.