Essential Security Practices for Modern Web Development

Cross-Site Scripting (XSS)

Core Mechanism

XSS vulnerabilities occur when applications trust user-submitted data without proper sanitization. The server processes user input, converts it to HTML elements, and delivers it to clients where malicious scripts execute.

Characteristics

  • Stealthy execution with no visible interface
  • Theft of sensitive user data (cookies, tokens)
  • UI manipulation to trick users into revealing private information

Implementation Examples

Persistent XSS

Malicious scripts persist in database records, affecting all users who view the compromised content.

// Vulnerable implementation
async function saveContent(ctx) {
    const { text, recordId } = ctx.request.body;
    await database.store({
        content: text, // No input validation
        id: recordId
    });
}

async function displayContent(ctx) {
    const result = await database.fetch({
        id: ctx.query.recordId
    });
    // Direct insertion without sanitization
    ctx.body = `<div>${result.content}</div>`;
}

When attackers submit <script>alert('XSS')</script>, browsers execute the injected code.

Reflected XSS

Attack payloads originate from URL parameters without database involvement.

// Vulnerable URL parameter handling
async function renderPage(ctx) {
    const { userInput } = ctx.query;
    ctx.body = `<div>${userInput}</div>`; // Unsafe concatenation
}

Accessing http://site.com/?userInput=<script>alert(1)</script> triggers script execution.

DOM-Based XSS

Client-side JavaScript processes unsafe data without server interaction.

// Client-side vulnerability
const parameter = new URL(window.location.href).searchParams.get('data');
document.getElementById('container').innerHTML = parameter;

Mutation-Based XSS

Exploits browser DOM parsing differences to bypass standard sanitization.

<!-- Appears safe to validators -->
<noscript>
    <p title="</noscript><img src=x onerror=alert(1)>">

Cross-Site Request Forgery (CSRF)

Attack Vector

Attackers exploit authenticated user sessions to execute unauthorized actions without user awareness.

Implementation Patterns

<!-- Disguised action trigger -->
<a href="http://bank.com/transfer?recipient=attacker&sum=100">Win Prize</a>

<!-- Hidden image request -->
<img style="display:none" src="http://bank.com/transfer?recipient=attacker&sum=100">

<!-- Transparent form submission -->
<form action="http://bank.com/transfer" method="POST">
    <input type="hidden" name="recipient" value="attacker">
    <input type="hidden" name="sum" value="100">
</form>

Injection Vulnerabilities

SQL Injection

Unsanitized user input concatenated into database queries enables arbitrary command execution.

// Dangerous query construction
async function fetchUserData(ctx) {
    const { userName, formIdentifier } = ctx.query;
    const query = `SELECT * FROM accounts WHERE username='${userName}' AND form_id='${formIdentifier}'`;
    const results = await db.execute(query);
    ctx.body = results;
}

Input like any'; DROP TABLE accounts-- manipulates query logic.

Command Injection

Improper handling of system command parameters enables server compromise.

// Unsafe command execution
async function processMedia(ctx) {
    const { file, parameters } = ctx.query;
    execute(`converter ${file} ${parameters}`);
    ctx.body = 'Processing complete';
}

Malicious parameters like video.mp4 && rm -rf / cause catastrophic damage.

Server-Side Request Forgery (SSRF)

Applications making requests based on user-supplied URLs may expose internal networks.

// Vulnerable callback handler
async function handleWebhook(ctx) {
    ctx.body = await fetch(ctx.query.callbackUrl); // Potential internal network access
}

Denial of Service (DoS)

Attack Methodology

Specially crafted requests exhaust server resources, causing service degradation.

Regular Expression Exploitation

Complex regex patterns with excessive backtracking create performance bottlenecks.

// Problematic pattern matching
const inefficientPattern = /^((ab)*)+$/;
const testString = "abababababababab";
// Causes significant computational overhead

Distributed DoS (DDoS)

Coordinated attacks from multiple sources overwhelm target infrastructure.

Defense Strategies

XSS Mitigation

Input Sanitization

  • Treat all external input as untrusted
  • Avoid direct DOM insertion of user content
  • Utilize established sanitization libraries (DOMPurify, Closure Library)

Content Security Policy (CSP)

Restrict executable script sources to prevent unauthorized code execution.

Content-Security-Policy: script-src 'self' trusted-cdn.com

CSRF Protection

Token Validation

Generate unique tokens for each session and validate them with subsequent requests.

SameSite Cookies

Restrict cookie transmission to same-site requests.

Set-Cookie: sessionId=abc123; SameSite=Strict; Secure

Frame Protection

Prevent UI redress attacks with frame options headers.

X-Frame-Options: DENY

Injection Prevention

Parameterized Queries

Use prepared statements for database interactions.

PREPARE userQuery FROM 'SELECT * FROM users WHERE id = ?';
SET @userId = '123';
EXECUTE userQuery USING @userId;

Command Whitelisting

Restrict executable commands and validate input parameters.

DoS Resilience

Resource Management

  • Implement rate limiting and request throttling
  • Use CDN services for traffic distribution
  • Establish auto-scaling infrastructure

Regular Expression Optimization

  • Avoid complex nested quantifiers
  • Conduct performance testing
  • Reject user-supplied regex patterns

Transport Security

HTTPS Enforcement

  • Encrypt all client-server communication
  • Implement cretificate pinning
  • Validate content integrity hashes

Subresource Integrity (SRI)

Verify external resource integrity through cryptographic hashing.

<script src="https://cdn.com/library.js" 
        integrity="sha384-hashValue"></script>

Security Headers

Configure browser security policies through HTTP headers.

Feature-Policy: camera 'none'; microphone 'self'

Tags: web-security XSS csrf sql-injection dos-protection

Posted on Sun, 12 Jul 2026 16:55:57 +0000 by johnnyk