OWASP is the short form for Open Web Application Security Project, which concentrates on finding the security vulnerabilities or the possible attacks can cause problems to applications.
In this article I concentrate on how the front-end or the HTML5 and javascript vulnerabilities can be taken care.
One of the major topics around this is Content Security Policy.
Content Security Policy
CSP is a computer security standard introduced to prevent cross-site scripting (XSS), clickjacking and other code injection attacks resulting from execution of malicious content in the trusted web page context.
There are three types of XSS
- Stored XSS
- Reflected XSS
- DOM Based XSS
DOM Based XSS
is an XSS attack wherein the attack payload is executed as a result of modifying the DOM environment in the victim’s browser used by the original client side script, so that the client side code runs in an unexpected manner. That is, the page itself does not change, but the client side code contained in the page executes differently due to the malicious modifications that have occurred in the DOM environment.
To help developers overcome these vulnerabilities OWASP has been working on a project called ESAPI(Enterprise Security API). This project also has a javascript version to help front-end developers called “ESAPI4JS”.
ESAPI Contains:-
- Encoder
- httpUtilities
- locale
- logFactory
- logger
- properties
- resourceBundle
- validator
To fix the DOM Based XSS we use encoder’s methods, majorly used are
- encodeForHTML
- encodeForCSS
- encodeForJS = encodeForJavaScript = encodeForJavascript
- encodeForURL
- encodeForHTMLAttribute
- encodeForBase64
See the Pen ESAPI by shyam (@shyam_kumar) on CodePen.dark
Other risk which front-end developers take without their knowledge is using the 3rd party libraries from CDN.
The invocation of 3rd party JS code in a web application requires consideration for 3 risks in particular:
- The loss of control over changes to the client application.
- The execution of arbitrary code on client systems.
- The disclosure or leakage of sensitive information to 3rd parties.
It is always good to download the files and include as part of project and to make sure the library is not doing any calls to outer APIs.
Another major common issues with javascript is the values of the properties of an object can be easily modified at the client level, which may allow the attacker to change the request / response. To have control over javascript objects use Object.defineProperty() or Object.defineProperties().
Refer:-
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/defineProperty
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/defineProperties