Understanding XSS Vulnerabilities in Direct Address Bar Input

Asked 2 months ago, Updated 2 months ago, 4 views

I am creating an Angular-based web application, and when I received a security diagnostic service, I was pointed out to be vulnerable to JavaScript being interpreted and executed by giving "?'>alert(document.cookie)" at the end of the URL.

·In the first place, is it possible to stop using application support?
·If it is possible to stop the vulnerability by setting up a Web server, what kind of countermeasures can be taken?
·I don't set cookie information with an application, but is it still dangerous if cookies are eavesdropped? (Is there important information that you are not aware of in general?)

If anyone knows, please let me know.

javascript angularjs html5

2022-09-30 11:23

1 Answers

Is it possible to stop it with application support?

Yes, it's possible.AngularJS also has several security APIs, so please refer to them.
https://docs.angularjs.org/guide/security

If the vulnerability can be stopped by configuring a web server, what action can be taken?

Because the vulnerability has a layer and XSS is a vulnerability in the web application layer,
Countermeasures must be addressed in a web application.
The server cannot take action.

Is it still dangerous if cookies are eavesdropped even though they are not set in the application? (Is there important information that you are not aware of in general?)

Perhaps the vulnerability is mainly due to the ability to run arbitrary javascripts, just by reading cookies as an example of reporting.Any Javascript can be used to transfer data to other servers, pass unauthorized data to the server, or interact with a browser vulnerability to hijack a user's PC.

The vulnerabilities of web applications are quite wide, so it's hard to ask each question, so let's start with
It has also been shown in IPA.I think it would be good to take a look at the security course.
https://www.ipa.go.jp/security/awareness/vendor/programmingv2/index.html


2022-09-30 11:23

If you have any answers or tips


© 2022 OneMinuteCode. All rights reserved.