Let's consider adding links by binding the href attribute. So, I'm actually talking about user-provided URLs, which could contain wrong Vue directions or JavaScript embed, like here. Cases I could think of in this regard might be connected to phishing, by constructing and entering a URL inside of your application leading to a malicious website, or a reflected course subscription.
So, there's a URL being displayed in the web application. But an attacker will add some JavaScript to the URL. Again, sanitizing will help you a lot in skipping. So, you could think about using libraries such as sanitizeURL to help you. I guess I will put it into a tweet, so you can find it even more, because I see I didn't add a QR code. But do not forget your backend, too, as your backend should always sanitize user-provided URLs before even being saved to a database. And last thing, but still important, be aware that URLs can always navigate to unsafe destinations, even if they are safe destinations at the start. So, it's still the point where you give up control.
Well, next type of injection, style injection, some type which surprised me initially, because I was like, huh, styling with CSS, right? How can this be an attack angle? But there's a point. There's a tech called UI redress attack. Imagine, you have a hidden UI in control. So, an attacker will style. Okay, let's start like an example. You have a login form with like a login button to submit your credentials, and the attacker will style this login button as another transparent box covering this login button. And then, styling a link onto it. So, you will not submit your login credentials to the page you expect, but leading to a fake login page by just having a transparent box above or covering your login button. Redressing, actually. So, with this user-provided styles here, directly supplied, malicious users could still provide CSS to click check. How can we prevent that? Well, we should allow user to only adjust styling in a sandbox or safe way, like having a sandbox iframe, or only allowing full control of CSS inside safe way. It's like in this regard, the user can only set a certain color or only a certain background, all those changes which are not that dangerous, right? So, yeah, there are lots of ways to keep them safe by just limiting the scope where a user can have provided styles.
Of course, there's an attack angle in JavaScript themselves too, which is called JavaScript injections. And there are just some things you shouldn't do in Vue at least, but also when it comes to other frameworks. Because just from a clean code standpoint or like a maintainability standpoint, templates and render functions shouldn't have any side effects because it makes debugging it a nightmare. So, you should avoid having attributes accepting Strings.js. So, it's unclick, unfocus, events, attributes. And the scripts, of course, itself shouldn't be used in any complement. So, those ones should be avoided.
Comments