CRV2 ClientSideCodeJScript

Three checks are required when reviewing JavaScript code:

  1. Keep all the logic server-side; JavaScript is only the butler, not the decision maker.
  2. Check for all kinds of DOM-based XSS attacks.
  3. Check for insecure JavaScript libraries and update them frequently.

JavaScript frequently creates DOM elements from strings. When those strings carry untrusted input, this leads to DOM-based XSS. All input should be sanitized before being converted to DOM objects.

JavaScript libraries are not immune to attack. Most of them have had flaws; a recent jQuery flaw (evaluating document.location.hash, which allows XSS to be embedded after the # in the location) caused Drupal (which is generally a safe system) to allow attackers to create admin users!
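The two points above, string-built DOM elements and untrusted values taken from location.hash, in an added example that is not code from the OWASP page. It shows the same untrusted string rendered by string concatenation into innerHTML (the vulnerable pattern) and by the DOM API as text (the safe pattern), plus an allowlist check for a hash value before it is used as an element id. The `makeFakeDocument` stand-in, the `SAMPLE_PAYLOAD` string and all function names are constructed for this example so it runs under Node without a browser.

```javascript
// Added example (not from the OWASP page). The DOM stand-in below is a
// constructed minimal substitute for a real document: innerHTML stores raw
// markup verbatim, textContent stores plain text, and serialize() shows what
// a browser would end up parsing.
function makeFakeDocument() {
  function makeElement(tag) {
    const el = { tag, innerHTML: '', textContent: '', children: [] };
    el.appendChild = (child) => { el.children.push(child); return child; };
    el.serialize = () => {
      const inner = el.innerHTML ||
        escapeHtml(el.textContent) ||
        el.children.map((c) => c.serialize()).join('');
      return `<${el.tag}>${inner}</${el.tag}>`;
    };
    return el;
  }
  return { createElement: makeElement };
}

// HTML-entity escaping for the five characters that can change markup context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// VULNERABLE pattern the page warns about: the element is built from a
// string, so attacker-controlled text becomes live HTML.
function renderUnsafe(doc, untrusted) {
  const container = doc.createElement('div');
  container.innerHTML = '<p class="msg">' + untrusted + '</p>';
  return container;
}

// SAFE pattern: build the element with the DOM API and assign the untrusted
// value as text, so it is never parsed as markup.
function renderSafe(doc, untrusted) {
  const container = doc.createElement('div');
  const p = doc.createElement('p');
  p.textContent = untrusted;
  container.appendChild(p);
  return container;
}

// location.hash is attacker-controlled (anyone can craft the link). Accept only
// a plain element id and reject everything else instead of handing the raw
// value to a selector engine or to innerHTML. Returns null when rejected.
function safeHashId(hash) {
  const m = /^#([A-Za-z][\w-]{0,63})$/.exec(hash || '');
  return m ? m[1] : null;
}

// Constructed sample input: a classic markup-bearing string.
const SAMPLE_PAYLOAD = '<img src=x onerror="alert(1)">';

// Returns both renderings side by side so the difference is visible.
function demo(untrusted = SAMPLE_PAYLOAD) {
  const doc = makeFakeDocument();
  return {
    unsafe: renderUnsafe(doc, untrusted).serialize(),
    safe: renderSafe(doc, untrusted).serialize(),
    hashAccepted: safeHashId('#section-2'),
    hashRejected: safeHashId('#' + untrusted),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

In the unsafe rendering the `<img ...>` tag survives verbatim inside the paragraph; in the safe rendering it is stored as text and serializes as `&lt;img ...&gt;`, and the hash check returns null for anything that is not a plain id.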