Cross-site scripting (XSS)
The Reserve Bank in New Zealand was the victim of a recent hack where personal and commercial bank data was compromised due to XSS vulnerabilities.
Cross-Site Request Forgery (CSRF)
In a Cross-Site Request Forgery (CSRF) attack, the user's session cookie is abused to impersonate their browser session: because the browser attaches the cookie to every request automatically, a request forged by the attacker is treated by the server as the user's own. With CSRF, attackers can trick users into executing malicious code or taking unauthorized actions on the website or application.
The most common way of initiating a CSRF attack is to find the unprotected form elements on a web page and submit forged requests through them. Attackers can use CSRF to update a user's email address on the website and then request a password change in order to take over the account. To prevent this, developers should add a CSRF token to every form on their website.
Glassdoor was found to have a site-wide CSRF bug with a severity score of 9-10. If exploited, the vulnerability could have given hackers access to, and editing permissions for, jobseeker profiles and employer accounts. Luckily, the vulnerability was discovered by a bug bounty researcher and quickly fixed by the company before it could cause any damage.
Orbit Fox is a multi-featured WordPress plugin that works with Gutenberg and Elementor to add site-building capabilities. Installed on over 400,000 websites, it was found to have two major vulnerabilities that could allow hackers to inject malicious code into sites running the plugin and take control of them.
When developers introduce outside APIs on the client side, the application often becomes more exposed to external attacks; poor web development practices are usually to blame. Moreover, client-side browser scripts can access all content the web app returns directly to the browser, which can include cookies carrying sensitive data such as user session IDs. This in turn invites attempts to hijack user sessions and probe for sensitive user data.
Adopt Runtime Application Self-Protection (RASP)
Runtime Application Self-Protection is a technology designed specifically to detect attacks on an application in real time. It analyzes both the app's behavior and the overall context of that behavior in order to protect it from malicious attacks. Because RASP continuously monitors the app's own behavior, issues can be identified and mitigated in real time without manual human intervention.
Avoid using the eval() function
Encrypt with SSL/HTTPS
Encrypt data on both the client and the server side to make your application more secure: even if attackers get hold of your data, it will be encrypted and unusable to them. At the same time, set the Secure flag on your cookies so that the browser only sends them over encrypted (HTTPS) pages.
Focus on API Security
Here are some of the vulnerability scanning tools you could use:
ZAP (Zed Attack Proxy), developed by the security authority OWASP, can scan your website for numerous vulnerabilities at the same time. It can be customized to your requirements and offers an easy-to-use, intuitive interface.
With Wapiti, you can test attack and injection vectors using HTTP GET and POST requests. It can detect file inclusion, file disclosure, weak Apache configurations, XSS, and more. Note that this is an advanced tool that must be run from the command line.