If a link uses target="_blank", or a page is opened with window.open, the opened page can replace the original tab by setting opener.location="https://www.evilsite.com";
This can be used in a phishing attack.
To fix it, add rel="noopener" to the link and pass 'noopener' as the third argument of window.open():
window.open('https://www.your.url','_blank','noopener')
Add the header Strict-Transport-Security: max-age=31536000; includeSubdomains; preload to make sure that once the user has accessed
the HTTPS version of the page, the browser will always go to HTTPS automatically, without sending a request over HTTP first.
Validate on both the client and the server. Do not rely on client-side validation alone: an attacker can bypass it with an intercepting proxy (ZAP, Burp Suite, etc.).
The attacker draws the target website in an iframe with opacity 0 as an overlay, positioned so that the user clicks on something inside the iframe while thinking they are clicking on something on the main site. To protect against this, use the X-Frame-Options or Content-Security-Policy headers to specify which sites may put the site in an iframe.
The attacker makes the victim's browser send a request to a legitimate site to change something; the request succeeds because the authorization cookie is sent automatically with it. Protect:
- Use a synchronizer token (also called an anti-CSRF or CSRF token), sent manually with the request (not as a cookie).
- Do not use HEAD or GET requests to change data.
Update buggy, outdated libraries that can be vulnerable to XSS.
A string from the query parameters is used as HTML in the page and may execute JS. Prevent this by escaping the string before inserting it into the HTML.
Secure:
- Escape user input.
- HTTPOnly cookie flag
- Content Security Policy HTTP Header
- X-XSS-Protection HTTP Header
Escape data before inserting it as HTML.
Do not use eval to parse JSON
Use the Secure flag for cookies to make sure they are only transferred over HTTPS, never HTTP, to prevent sniffing.
Use the HttpOnly flag for session ID cookies to make sure JS cannot read them, so that XSS vulnerabilities cannot be used to steal the user's session.
https://example.com/redirect.php?url=https://attacker.com
Same as DOM XSS, with the payload in the URL.
XSS code saved on the server side (in the DB).