@tcodes0
Last active July 17, 2020 07:32
security notes

SQL injection, injection in general

happens when user-provided data is poorly validated or not validated at all, or when the client is manipulated into sending unexpected params to the backend. the backend must avoid at all cost using raw client data in db requests or other operations; if it must, the data should be filtered and validated on the server side, better yet passed as query parameters, or at the bare minimum escaped properly

headers and env vars are possible vectors of attack
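As an added illustration (not from the original notes), the string-built query beside its parametrized and validated forms, using Python's sqlite3 on a constructed in-memory table; the user rows, the allowlist regex and the probe string are made up:

```python
import re
import sqlite3

USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")  # allowlist used by the validation step


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table standing in for the backend's db."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def find_user_vulnerable(conn, name: str) -> list:
    # Client-controlled value concatenated straight into the statement: a quote
    # in `name` changes the structure of the query, not just the data it carries.
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_parametrized(conn, name: str) -> list:
    # The driver binds the value separately from the SQL text, so whatever the
    # client sends is compared as a plain string and can never alter the query.
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def find_user_validated(conn, name: str) -> list:
    # Server-side validation first (reject anything outside the allowlist), then
    # the parametrized query: both layers, as the notes recommend.
    if not USERNAME_RE.fullmatch(name):
        raise ValueError("invalid username")
    return find_user_parametrized(conn, name)


# Constructed probe input: a quote that closes the literal plus an always-true
# condition, the standard check a reviewer runs against a string-built query.
PROBE = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:  ", find_user_vulnerable(db, PROBE))    # every row comes back
    print("parametrized:", find_user_parametrized(db, PROBE))  # nothing matches
```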

broken auth

happens when the app doesn't enforce security practices around passwords, has no token invalidation mechanism, doesn't guard against brute force attacks, uses known-bad practices around user sessions like personal questions, doesn't use 2fa, doesn't properly encrypt and salt passwords in the backend, or ships with powerful admin accounts that could be easily compromised

limit data exposed to unauthenticated parties, use the same error message in all endpoints. implement rate limiting and a login-fail limit, notify staff on suspicious auth activity
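Added example, not part of the notes: a minimal login store covering the salted-password item and the mitigation line above (one generic error message, a login-fail limit with lockout, an alert hook standing in for "notify staff"). The limits, the scrypt parameters and the decoy account for unknown usernames are assumptions.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

GENERIC_ERROR = "invalid username or password"  # one message for every failure mode
MAX_FAILS = 5        # login-fail limit before the account is locked
LOCK_SECONDS = 300   # lock duration; constructed value, tune per deployment

def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted scrypt hash; a fresh random salt is generated when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)
    return salt, digest

@dataclass
class Account:
    salt: bytes
    digest: bytes
    fails: int = 0
    locked_until: float = 0.0

class AuthStore:
    def __init__(self):
        self.accounts = {}
        self.alerts = []  # stand-in for "notify staff"; a real system would page someone
        # Decoy credentials: unknown usernames still cost one scrypt call, so
        # response time does not reveal whether a username exists.
        self._decoy = Account(*hash_password(os.urandom(16).hex()))

    def register(self, username: str, password: str) -> None:
        self.accounts[username] = Account(*hash_password(password))

    def login(self, username: str, password: str, now: float = None) -> tuple:
        now = time.time() if now is None else now
        acct = self.accounts.get(username, self._decoy)
        if acct.locked_until > now:
            return False, GENERIC_ERROR   # locked: same message, no hint
        _, candidate = hash_password(password, acct.salt)
        if acct is not self._decoy and hmac.compare_digest(candidate, acct.digest):
            acct.fails = 0
            return True, "ok"
        if acct is not self._decoy:
            acct.fails += 1
            if acct.fails >= MAX_FAILS:
                acct.fails, acct.locked_until = 0, now + LOCK_SECONDS
                self.alerts.append(f"{username}: locked after {MAX_FAILS} failed logins")
        return False, GENERIC_ERROR
```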

data exposure

instead of attacking encrypted or at-rest data, the attacker sniffs data in transit or retrieves poorly encrypted datasets that are then brute forced through or cracked with a rainbow table. avoid clear text internet traffic, even among backend systems. encrypt all sensitive data and pay close attention to data being transmitted.

discard sensitive data if possible, so it can't be stolen. disable caching of sensitive requests, https everywhere

XXE

XML-based vuln, allows a custom URI (an external entity) to be evaluated as the XML is parsed. happens when XML is handled by older or outdated parsers, or when untreated data is concatenated into XML

update XML deps or avoid XML altogether, preferring JSON or YAML. sanitize and validate any XML handled on the server.
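Added example (not from the gist): server-side validation of untrusted XML with Python's stdlib expat, refusing any DOCTYPE or entity declaration before the tree is built, since without a declaration there is no external entity for the parser to resolve. The sample documents and the placeholder URI are constructed.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat


class ForbiddenDtd(ValueError):
    """The document tried to declare a DOCTYPE or an entity."""


def _reject(*_args):
    # Any DOCTYPE or ENTITY declaration aborts the parse immediately.
    raise ForbiddenDtd("DOCTYPE/ENTITY declarations are not accepted")


def parse_untrusted_xml(text: str) -> ET.Element:
    """Audit pass with expat first, tree build second, for XML handled on the server."""
    audit = xml.parsers.expat.ParserCreate()
    audit.StartDoctypeDeclHandler = _reject
    audit.EntityDeclHandler = _reject
    audit.Parse(text, True)          # raises ForbiddenDtd or ExpatError
    return ET.fromstring(text)


def accepts(text: str) -> bool:
    """True when the document is well-formed and carries no DTD/entity declarations."""
    try:
        parse_untrusted_xml(text)
        return True
    except (ForbiddenDtd, xml.parsers.expat.ExpatError, ET.ParseError):
        return False


# Constructed samples: a benign order document and one carrying an external
# entity declaration pointing at a placeholder URI (the shape of an XXE payload).
BENIGN = "<order><item>widget</item><qty>2</qty></order>"
WITH_ENTITY = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///PLACEHOLDER-SENSITIVE-FILE">]>'
    "<order><item>&ext;</item></order>"
)

if __name__ == "__main__":
    print("benign accepted:", accepts(BENIGN))
    print("entity document accepted:", accepts(WITH_ENTITY))
```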

Broken access control

Allows unauthorized users to bypass access control and perform activities they shouldn't be allowed to: a user performing admin tasks, a non-user performing user tasks, sensitive API routes being exposed.

Deny by default, enforce record ownership and don't let actors modify arbitrary records, protect the API, invalidate tokens on logout
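Added example, not the notes' own code: a deny-by-default route table with role checks, plus record-ownership enforcement on both reads and writes so a user cannot touch another user's rows. Routes, roles and the invoice rows are constructed.

```python
from collections import namedtuple
Principal = namedtuple("Principal", "user_id role")  # constructed caller identity

class Forbidden(PermissionError):
    """Raised for any request that is not explicitly allowed."""

ROUTES = {}  # deny by default: a handler not registered here cannot be reached

def route(name, roles):
    def register(fn):
        ROUTES[name] = (frozenset(roles), fn)
        return fn
    return register

def dispatch(name, actor, *args):
    entry = ROUTES.get(name)
    if entry is None or actor.role not in entry[0]:
        raise Forbidden(f"{actor.role} may not call {name}")
    return entry[1](actor, *args)

def is_denied(name, actor, *args) -> bool:
    try:
        dispatch(name, actor, *args)
        return False
    except Forbidden:
        return True

# Constructed records; each row carries the id of the user who owns it.
INVOICES = {1: {"owner": 10, "total": 99}, 2: {"owner": 11, "total": 5}}

def _owned(actor, inv_id):
    inv = INVOICES.get(inv_id)
    # Missing and foreign records get the same answer, so ids cannot be probed.
    if inv is None or (inv["owner"] != actor.user_id and actor.role != "admin"):
        raise Forbidden("record not found")
    return inv

@route("invoice.read", {"user", "admin"})
def read_invoice(actor, inv_id):
    return dict(_owned(actor, inv_id))

@route("invoice.update", {"user", "admin"})
def update_invoice(actor, inv_id, total):
    _owned(actor, inv_id)["total"] = total  # ownership checked before any write
    return INVOICES[inv_id]["total"]

@route("user.delete", {"admin"})
def delete_user(actor, user_id):
    return f"user {user_id} deleted by admin {actor.user_id}"
```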

Poor Security configuration

Default passwords and accounts, known bugs left unpatched, old software versions, unused software or services left deployed, error messages with exploitable info.

Effective configuration and maintenance of the infra, keep components up to date, harden systems so they don't expose exploitable information, automated verification and processes, segmented app architecture where compromising one component doesn't compromise another

Insecure Deserialization

The attacker is able to modify stored data that the application later consumes, in order to gain privileges or inject code, e.g. by manipulating a JWT, a cookie or a payload in general.

Avoid deserialization from strings; if unavoidable, monitor or isolate it. Run integrity checks on the data.

known bugs

Components or dependencies have flaws or vulns that go unfixed and end up being exploited.

Keeping software up to date, an effective cycle of updating and patching components, monitoring for flaws or unmaintained software.

Insufficient Logging

Important or sensitive actions should produce logs for later forensic analysis. Warnings and errors should be acted upon and not ignored.

Monitor relevant events in the correct format, persist the data for a decent amount of time. Have a plan.

react

serializes (escapes) most DOM strings by default; be careful when doing SSR. use the serialize-javascript lib by yahoo to escape any html tags that may be in the serialized state, because you're not using react to create that string when doing SSR

https://medium.com/node-security/the-most-common-xss-vulnerability-in-react-js-applications-2bdffbcc1fa0

csrf - cross site request forgery

Exploits the trust a site has in the user. Normally involves a form and causes the user to send an unintended request to the server. Because the user's browser sent the request, all auth data on it is valid. Can be prevented without js by putting a hidden input with a token in forms, or by checking the Referer header on requests.
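Added example, not code from the gist, covering both the integrity-check advice under Insecure Deserialization and the CSRF token / Referer checks here: an HMAC-signed session cookie that is verified before it is deserialized, a hidden-input token bound to that cookie, and a same-origin Referer check. The secret, the origin and the HS256-style `<body>.<mac>` format are assumptions; this is a simplified scheme, not a JWT library.

```python
import base64
import hashlib
import hmac
import json
import os

SECRET = os.urandom(32)  # constructed; a real app loads this from config, not source

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(data: bytes) -> bytes:
    return hmac.new(SECRET, data, hashlib.sha256).digest()

def sign_session(claims: dict) -> str:
    """Serialize claims and append a MAC, HS256-style: <body>.<mac>."""
    body = _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    return f"{body}.{_b64(_mac(body.encode()))}"

def load_session(cookie: str):
    """Verify the MAC before deserializing; None for anything tampered or malformed."""
    try:
        body, mac = cookie.split(".", 1)
        if not hmac.compare_digest(_unb64(mac), _mac(body.encode())):
            return None
        return json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):
        return None

def csrf_token(cookie: str) -> str:
    """Hidden-input token bound to the session cookie (double submit with a MAC)."""
    return _b64(_mac(b"csrf:" + cookie.encode()))

def csrf_ok(cookie: str, submitted: str) -> bool:
    """Server-side check of the posted form field against the session cookie."""
    return hmac.compare_digest(csrf_token(cookie).encode(), submitted.encode())

def referer_ok(referer, origin="https://app.example") -> bool:
    """The non-js alternative from the notes: accept only same-origin referers."""
    return referer is not None and (referer == origin or referer.startswith(origin + "/"))
```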

xss - cross site scripting

Allows injected code to run in a client. Can be persistent or non-persistent: the persistent version saves the code in the db, while the non-persistent one simply runs once. Injected code can steal cookies to hijack sessions, or modify the page to steal information. Fixes include proper sanitization of any strings displayed, including the url; the server could detect simultaneous logins and invalidate them; the website could require authentication to change billing info, or not display that info at all; the session cookie could have the httpOnly flag to prevent js access to it. Proper HTML escaping when displaying content.
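Added example, not from the notes, covering the HTML-escaping fix here and the SSR point in the react section above: output-time escaping of untrusted strings, escaping of state embedded in a script tag so a closing tag inside the data cannot end the script element, and an HttpOnly session cookie. Python stands in for the server; `serialize_for_script` is a constructed helper that applies the same idea as serialize-javascript, not that library.

```python
import html
import json


def render_comment(author: str, body: str) -> str:
    """Escape every untrusted string at output time, attribute values included."""
    return (
        f'<article data-author="{html.escape(author)}">'
        f"<p>{html.escape(body)}</p></article>"
    )


# Inside <script>, JSON.stringify output is not safe: the HTML parser ends the
# script element at the first "</script>" regardless of JS string quoting.
# Escaping <, > and & as JSON \u00XX sequences keeps the text valid JSON for
# the browser while the HTML parser never sees a tag.
_SCRIPT_SAFE = {"<": "\\u003c", ">": "\\u003e", "&": "\\u0026"}


def serialize_for_script(state) -> str:
    return "".join(_SCRIPT_SAFE.get(ch, ch) for ch in json.dumps(state))


def roundtrips(state) -> bool:
    """The escaped text must still decode to the same state on the client side."""
    return json.loads(serialize_for_script(state)) == state


def ssr_page(state, markup: str) -> str:
    """Server-rendered shell: pre-rendered markup plus the embedded state."""
    return (
        f'<div id="root">{markup}</div>'
        f"<script>window.__STATE__ = {serialize_for_script(state)};</script>"
    )


def session_cookie(value: str) -> str:
    """Set-Cookie value with the HttpOnly flag so page scripts cannot read it."""
    return f"session={value}; HttpOnly; Secure; SameSite=Lax; Path=/"
```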

used to have XSS breaches: http://reidocrime.com
