Cross-Site Scripting (XSS)
Core Mechanism
XSS vulnerabilities occur when applications trust user-submitted data without proper sanitization. The server processes user input, converts it to HTML elements, and delivers it to clients where malicious scripts execute.
Characteristics
- Stealthy execution with no visible interface
- Theft of sensitive user data (cookies, tokens)
- UI manipulation to trick users into revealing private information
Implementation Examples
Persistent XSS
Malicious scripts persist in database records, affecting all users who view the compromised content.
// Vulnerable implementation
async function saveContent(ctx) {
const { text, recordId } = ctx.request.body;
await database.store({
content: text, // No input validation
id: recordId
});
}
async function displayContent(ctx) {
const result = await database.fetch({
id: ctx.query.recordId
});
// Direct insertion without sanitization
ctx.body = `<div>${result.content}</div>`;
}
When attackers submit <script>alert('XSS')</script>, browsers execute the injected code.
Reflected XSS
Attack payloads originate from URL parameters without database involvement.
// Vulnerable URL parameter handling
async function renderPage(ctx) {
const { userInput } = ctx.query;
ctx.body = `<div>${userInput}</div>`; // Unsafe concatenation
}
Accessing http://site.com/?userInput=<script>alert(1)</script> triggers script execution.
DOM-Based XSS
Client-side JavaScript processes unsafe data without server interaction.
// Client-side vulnerability
const parameter = new URL(window.location.href).searchParams.get('data');
document.getElementById('container').innerHTML = parameter;
Mutation-Based XSS
Exploits browser DOM parsing differences to bypass standard sanitization.
<!-- Appears safe to validators -->
<noscript>
<p title="</noscript><img src=x onerror=alert(1)>">
Cross-Site Request Forgery (CSRF)
Attack Vector
Attackers exploit authenticated user sessions to execute unauthorized actions without user awareness.
Implementation Patterns
<!-- Disguised action trigger -->
<a href="http://bank.com/transfer?recipient=attacker&sum=100">Win Prize</a>
<!-- Hidden image request -->
<img style="display:none" src="http://bank.com/transfer?recipient=attacker&sum=100">
<!-- Transparent form submission -->
<form action="http://bank.com/transfer" method="POST">
<input type="hidden" name="recipient" value="attacker">
<input type="hidden" name="sum" value="100">
</form>
Injection Vulnerabilities
SQL Injection
Unsanitized user input concatenated into database queries enables arbitrary command execution.
// Dangerous query construction
async function fetchUserData(ctx) {
const { userName, formIdentifier } = ctx.query;
const query = `SELECT * FROM accounts WHERE username='${userName}' AND form_id='${formIdentifier}'`;
const results = await db.execute(query);
ctx.body = results;
}
Input like any'; DROP TABLE accounts-- manipulates query logic.
Command Injection
Improper handling of system command parameters enables server compromise.
// Unsafe command execution
async function processMedia(ctx) {
const { file, parameters } = ctx.query;
execute(`converter ${file} ${parameters}`);
ctx.body = 'Processing complete';
}
Malicious parameters like video.mp4 && rm -rf / cause catastrophic damage.
Server-Side Request Forgery (SSRF)
Applications making requests based on user-supplied URLs may expose internal networks.
// Vulnerable callback handler
async function handleWebhook(ctx) {
ctx.body = await fetch(ctx.query.callbackUrl); // Potential internal network access
}
Denial of Service (DoS)
Attack Methodology
Specially crafted requests exhaust server resources, causing service degradation.
Regular Expression Exploitation
Complex regex patterns with excessive backtracking create performance bottlenecks.
// Problematic pattern matching
const inefficientPattern = /^((ab)*)+$/;
const testString = "abababababababab";
// Causes significant computational overhead
Distributed DoS (DDoS)
Coordinated attacks from multiple sources overwhelm target infrastructure.
Defense Strategies
XSS Mitigation
Input Sanitization
- Treat all external input as untrusted
- Avoid direct DOM insertion of user content
- Utilize established sanitization libraries (DOMPurify, Closure Library)
Content Security Policy (CSP)
Restrict executable script sources to prevent unauthorized code execution.
Content-Security-Policy: script-src 'self' trusted-cdn.com
CSRF Protection
Token Validation
Generate unique tokens for each session and validate them with subsequent requests.
SameSite Cookies
Restrict cookie transmission to same-site requests.
Set-Cookie: sessionId=abc123; SameSite=Strict; Secure
Frame Protection
Prevent UI redress attacks with frame options headers.
X-Frame-Options: DENY
Injection Prevention
Parameterized Queries
Use prepared statements for database interactions.
PREPARE userQuery FROM 'SELECT * FROM users WHERE id = ?';
SET @userId = '123';
EXECUTE userQuery USING @userId;
Command Whitelisting
Restrict executable commands and validate input parameters.
DoS Resilience
Resource Management
- Implement rate limiting and request throttling
- Use CDN services for traffic distribution
- Establish auto-scaling infrastructure
Regular Expression Optimization
- Avoid complex nested quantifiers
- Conduct performance testing
- Reject user-supplied regex patterns
Transport Security
HTTPS Enforcement
- Encrypt all client-server communication
- Implement cretificate pinning
- Validate content integrity hashes
Subresource Integrity (SRI)
Verify external resource integrity through cryptographic hashing.
<script src="https://cdn.com/library.js"
integrity="sha384-hashValue"></script>
Security Headers
Configure browser security policies through HTTP headers.
Feature-Policy: camera 'none'; microphone 'self'