31-days-of-API-Security-Tips

Effortlessly finding Cross Site Script Inclusion (XSSI) & JSONP for bug bounty

Attacks are the techniques that attackers use to exploit the vulnerabilities in applications. Attacks are often confused with vulnerabilities, so please try to be sure that the attack you are describing is something that an attacker would do, rather than a weakness in an application.

innerHTML is a JavaScript tag whos property is used for DOM manipulation. More specifically, it "sets or returns the HTML content (the inner HTML) of an element." Ordinarily, this property is used to examine the current HTML source of the page, including any changes that have been made since the page was initially loaded. But, it can also be used for Cross-site Scripting(XSS).

A JavaScript Polyglot is a Cross Site Scripting (XSS) vector that is executable within various injection contexts in its raw form, or a piece of code that can be executed in multiple contexts in the application. So, a JavaScript polyglot can be multiple things at once, like a JavaScript/JPEG

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request.

How to secure your cookies in ASP.NET and MVC, using Secure and HttpOnly attributes. Also learn about Cross-site tracing and Cross-site request forgery.

Nowadays, people are worrying to use the internet due to website security. Internet theft is increasing day by day. Users are trying to mislead the internet in recent years. So it is the developer’s responsibility to the internet well and we don’t want to make the way to malicious activities to take place in our own/undertaking applications.

Over the last few months, some implementations of JSON Web Tokens (JWTs) that have ultimately led to compromise of the web application. Some scenarios include, stealing admin tokens through XSS (detailed in this blog) and forging claims during account registration to create standard accounts with admin privileges.

This article should help you in choosing the right security for your browser-based Javascript or Typescript applications.