OWASP, short for Open Web Application Security Project, is a community that concentrates on identifying security vulnerabilities in applications and the attacks that can exploit them.
One of the major topics in this area is Content Security Policy (CSP).
Content Security Policy
CSP is a computer security standard introduced to prevent cross-site scripting (XSS), clickjacking and other code injection attacks that result from malicious content executing in the context of a trusted web page. It is delivered as the Content-Security-Policy HTTP response header, which tells the browser which sources of scripts, styles, frames and other resources the page is allowed to load.
There are three types of XSS:
- Stored XSS
- Reflected XSS
- DOM Based XSS
DOM Based XSS
is an XSS attack in which the payload executes because the DOM environment in the victim's browser, which the original client-side script relies on, has been modified so that the client-side code runs in an unexpected way. That is, the page itself does not change, but the client-side code contained in the page behaves differently because of the malicious modifications that have occurred in the DOM environment. The payload typically arrives through a source such as location.hash or document.referrer and reaches a sink such as innerHTML, document.write or eval; since a URL fragment is never sent to the server, server-side filtering does not see it.
To fix DOM-based XSS, untrusted data is encoded for the context it is inserted into (HTML body, HTML attribute, JavaScript, URL) before it reaches the sink. The most commonly used encoder methods are those of OWASP ESAPI for JavaScript, such as encodeForHTML and encodeForJavaScript.
(The original post embedded a CodePen named "ESAPI" by shyam (@shyam_kumar) showing these encoder calls.)
Another risk that front-end developers take without realizing it is loading 3rd party libraries from a CDN.
Invoking 3rd party JS code in a web application requires considering 3 risks in particular:
- The loss of control over changes to the client application.
- The execution of arbitrary code on client systems.
- The disclosure or leakage of sensitive information to 3rd parties.
It is better to download the files, review them and include them in the project, and to confirm that the library does not make calls to external APIs. Where a CDN copy must be used, pin it with a Subresource Integrity hash and restrict allowed script origins with CSP's script-src directive, so that a modified CDN file is refused by the browser.