
XSS attacks: concept and protection

Hey there, I’m sure you have heard about hacker attacks 😈 and security problems. And you may have noticed that the demand for security experts is growing. 💲💲
So let’s look at a security threat that every web developer should know about. 😀
It’s called an XSS (cross-site scripting) attack.

Before you can protect yourself, you have to understand the concept.

These attacks mainly target input fields and forms.

Let’s imagine our app talks to a server and a database. What if you write JavaScript code instead of data in an input field? ❓

This code goes to the backend as data, and then when we read it back and render it in a page … yes, it gets executed, and whoever launched the attack decides what that code does! Of course there are plenty of ideas.

We are lucky that modern browsers are aware of this threat: a script tag inserted through innerHTML won’t be executed.

But there are other patterns to launch this attack, and they may work! 😨

So how do you defend against it?

You should sanitize on your backend!

Sanitizing means checking the type and shape of your content. If you are expecting a string, you don’t want to get a URL or a script!

If you are using Node, there are different packages for this.
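Here is what that looks like in practice, as an added example that is not part of the original post. It validates a comment field the way a Node request handler would (reject anything that is not a string, enforce a length) and then escapes the stored text when it is rendered into HTML, which is the part that actually stops a stored script from running. The function names (validateComment, escapeHtml, renderComment) and the sample inputs are made up for the example.

```javascript
// Added example, not the post's own code. Hypothetical helpers for a
// comment form: validate on the way in, escape on the way out.

// Characters that have meaning in HTML, mapped to their entity form.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape untrusted text so the browser shows it as text, never as markup.
// This is the same idea as the built-in escaping in frontend frameworks.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Server-side sanitizing step: check the type and shape of the input.
// `body` stands for the parsed request body (e.g. req.body in Express).
function validateComment(body) {
  if (body === null || typeof body !== 'object') {
    return { ok: false, error: 'body must be an object' };
  }
  // Expecting a string: refuse numbers, arrays, objects instead of coercing.
  if (typeof body.comment !== 'string') {
    return { ok: false, error: 'comment must be a string' };
  }
  const comment = body.comment.trim();
  if (comment.length === 0 || comment.length > 500) {
    return { ok: false, error: 'comment must be 1-500 characters' };
  }
  return { ok: true, comment };
}

// Rendering step: the stored comment is untrusted, so it is escaped here.
function renderComment(comment) {
  return `<li class="comment">${escapeHtml(comment)}</li>`;
}

// Constructed sample inputs showing both branches.
const accepted = validateComment({ comment: '  Tom & "Jerry" <3  ' });
const rejected = validateComment({ comment: ['not', 'a', 'string'] });

if (accepted.ok) {
  console.log(renderComment(accepted.comment));
  // <li class="comment">Tom &amp; &quot;Jerry&quot; &lt;3</li>
}
console.log(rejected.error); // comment must be a string
```

Validation alone is not enough, because a legitimate string can still contain angle brackets; escaping at render time is what guarantees the browser treats it as text.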

You can also protect on the client side. If you are using a framework or library for the frontend, it contains built-in HTML escaping 😍.

So the malicious code won’t be executed.

But that doesn’t mean you shouldn’t sanitize on the server. 😉

One last thing: when using packages in your project, run npm audit to find and fix probable security risks.

It doesn’t mean that the creator of the package wants to hack you; maybe they merged malicious code without noticing. 😓

So that is basically how to face XSS threats.

Happy coding.😀
