What vulnerabilities exist?

👨‍💻 Frontend Developer 🟠 May come up 🎚️ Medium
#Security

Brief Answer

Main vulnerabilities in web applications:

  1. XSS — injection of malicious code 💥
  2. CSRF — performing actions on behalf of user 🎭
  3. SQL injections — malicious database queries 🗃️
  4. Data leaks — unauthorized access 🔓
  5. Insufficient authorization — access without rights 🚫

// Protection examples:
// Data escaping
// Token validation
// Input validation

Full Answer

Vulnerabilities — like holes in a fence: if not closed, intruders will get in! 🏚️🚧

XSS (Cross-Site Scripting) — most common enemy

XSS — like forging a bank letter: malicious code disguised as normal text.

// ❌ Dangerous — untrusted input inserted as HTML, no escaping
element.innerHTML = userInput; // If userInput = "<script>data theft</script>", the browser parses it as markup
 
// ✅ Safe — escape the data before it goes into the page as HTML
const safeText = escapeHtml(userInput); // escapeHtml replaces & < > " ' with HTML entities
element.innerHTML = safeText; // now rendered as visible text, not as markup

How it works:

  1. User submits input that contains malicious code
  2. Site stores it as if it were ordinary text
  3. When the page displays it, the browser executes the code!
  4. Attacker steals data or breaks the site
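The escapeHtml helper used above is not defined in the article, so here is a complete version as an added example (my code, not the article's). It escapes the five characters that have meaning in HTML, and also shows the simpler alternative of assigning textContent, which never parses markup at all. The fakeElement object stands in for a DOM element so the example runs outside a browser.

```javascript
// Added example, not part of the original article.
// Map of the characters that can change HTML structure to their entities.
const HTML_ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape untrusted text so it can be placed inside HTML text or a quoted
// attribute. '&' is included so an already-escaped string cannot be
// turned back into markup by the browser.
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Case 1: the string is built into HTML, so escaping is required.
function renderAsHtml(container, userInput) {
  container.innerHTML = '<li>' + escapeHtml(userInput) + '</li>';
  return container.innerHTML;
}

// Case 2: textContent treats the whole string as text; no escaping needed.
function renderAsText(container, userInput) {
  container.textContent = userInput;
  return container.textContent;
}

// Minimal stand-in for a DOM element (assumption: only these two
// properties are used) so the functions can run under plain Node.js.
function fakeElement() {
  return { textContent: '', innerHTML: '' };
}
```

Use escapeHtml only when you really must build HTML from strings; for plain text, textContent (or a framework's default text binding) is the safer habit because there is nothing to forget.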

CSRF (Cross-Site Request Forgery) — clever deception

CSRF — like if someone forces you to sign an important document when you don’t want to.

<!-- ❌ Dangerous — the server cannot tell who sent the request; an attacker's page can auto-submit this form -->
<form action="/transfer" method="POST">
  <input name="to" value="hacker" />
  <input name="amount" value="10000" />
</form>
 
<!-- ✅ Safe — a per-session token the attacker's page cannot read; the server rejects requests without it -->
<form action="/transfer" method="POST">
  <input type="hidden" name="csrf-token" value="unique_token" />
  <input name="to" value="hacker" />
  <input name="amount" value="10000" />
</form>

How it works:

  1. You’re logged into bank
  2. Visit malicious site
  3. Site secretly sends request to your bank
  4. Bank thinks it’s you and transfers money

SQL Injections — poisons for database

SQL injections — like if someone puts poison in soup at a restaurant.

// ❌ Dangerous — user input concatenated straight into the SQL text
const query = "SELECT * FROM users WHERE id = " + userId;
 
// ✅ Safe — parameterized query: the value is bound separately and never parsed as SQL
db.query("SELECT * FROM users WHERE id = ?", [userId]);

How it works:

  1. Attacker submits SQL commands where ordinary data is expected
  2. Database executes those commands as part of the query
  3. All data can be stolen or corrupted
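To see why the placeholder version is safe without running a database, here is an added example (my code, not the article's) that builds the query both ways and adds an input check as a second layer. The driver interface `driver(sql, params)` is an assumption standing in for a real library call; the exact placeholder syntax (`?` or `$1`) depends on the database driver you use.

```javascript
// Added example, not part of the original article.

// Concatenation: the input becomes part of the SQL text itself.
function unsafeUserQuery(userId) {
  return { sql: 'SELECT * FROM users WHERE id = ' + userId, params: [] };
}

// Parameterization: the SQL text is fixed; the input travels as a value.
function safeUserQuery(userId) {
  return { sql: 'SELECT * FROM users WHERE id = ?', params: [userId] };
}

// Defence in depth: an id must look like a positive integer. Anything
// else is rejected before it reaches the driver, with a clear error.
function parseUserId(raw) {
  if (!/^[1-9][0-9]{0,17}$/.test(String(raw))) {
    throw new TypeError('invalid user id');
  }
  return Number(raw);
}

// Full lookup: validate, then hand a fixed query plus bound value to a
// driver. `driver` is a hypothetical function (sql, params) => rows.
function findUser(driver, rawId) {
  const { sql, params } = safeUserQuery(parseUserId(rawId));
  return driver(sql, params);
}

// Constructed stand-in driver that only records what it was asked to run.
function recordingDriver(calls) {
  return (sql, params) => {
    calls.push({ sql, params });
    return [{ id: params[0], name: 'user' + params[0] }];
  };
}
```

Note that validation alone is not the defence: a free-text field such as a name cannot be restricted to digits, and parameterization still protects it.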

Data Leaks — open secrets

Data leaks — like leaving house keys in a visible place.

// ❌ Dangerous — secret written to the console/log
console.log("Password: " + password); // Visible in the browser console and in log files!
 
// ✅ Safe — nothing extra
// Don't log secrets at all (passwords, tokens, keys)

Common causes:

  • Logging confidential data
  • Open APIs without protection
  • Incorrect server settings
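"Don't log it" is the rule, but in practice request objects get logged wholesale, so a redaction step before logging is a useful safety net. The following added example (my code, not the article's) masks values under sensitive-looking keys before serialising; which key names count as sensitive is an assumption you should adjust for your own application.

```javascript
// Added example, not part of the original article.

// Key names treated as sensitive (assumption: extend for your own data).
const SENSITIVE_KEYS = /^(password|passwd|pass|secret|token|api[_-]?key|authorization|cookie|ssn|card[_-]?number)$/i;

// Return a deep copy of `value` with sensitive values masked. Arrays and
// nested objects are walked; other values are copied through unchanged.
function redact(value) {
  if (Array.isArray(value)) return value.map(redact);
  if (value && typeof value === 'object') {
    const out = {};
    for (const [key, inner] of Object.entries(value)) {
      out[key] = SENSITIVE_KEYS.test(key) ? '[REDACTED]' : redact(inner);
    }
    return out;
  }
  return value;
}

// Log helper: always serialises the redacted copy, so a new secret field
// only needs an addition to SENSITIVE_KEYS, not a hunt through every
// console.log call. `sink` defaults to console.log and is injectable
// so the line can be inspected without printing.
function safeLog(label, data, sink = console.log) {
  const line = `${label} ${JSON.stringify(redact(data))}`;
  sink(line);
  return line;
}
```

Redaction by key name misses secrets that arrive under an unexpected name (for example a password typed into a "comment" field), so it complements, rather than replaces, logging only the fields you actually need.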

Insufficient Authorization — without a pass

Insufficient authorization — like if anyone can enter office.

// ❌ Dangerous — no check of who is asking
app.get('/admin', (req, res) => {
  res.send('Admin panel');
});
 
// ✅ Safe — check identity, then check rights
// checkAuth rejects anonymous requests; checkRole('admin') rejects users without the admin role
app.get('/admin', checkAuth, checkRole('admin'), (req, res) => {
  res.send('Admin panel');
});

How it works:

  1. Site doesn’t check who is making the request
  2. Anyone can reach restricted sections
  3. Important information is stolen or corrupted
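The route above relies on checkAuth and checkRole, which the article does not define. Here is an added example of both as Express-style middleware (my code, not the article's or the Express project's), together with a tiny runner that executes a middleware chain without the framework so the behaviour can be checked. It assumes an earlier session or token layer has already set `req.user` with a `roles` array.

```javascript
// Added example, not part of the original article.

// Authentication: is there a known user at all? (Assumes a hypothetical
// session layer sets req.user before this middleware runs.)
function checkAuth(req, res, next) {
  if (!req.user) {
    res.status(401).send('Authentication required');
    return;
  }
  next();
}

// Authorization: does the authenticated user hold the required role?
// Returns middleware, so it can be reused for different roles.
function checkRole(role) {
  return function requireRole(req, res, next) {
    const roles = req.user && Array.isArray(req.user.roles) ? req.user.roles : [];
    if (!roles.includes(role)) {
      res.status(403).send('Forbidden');
      return;
    }
    next();
  };
}

// Run middleware in order the way Express does, then the handler, using a
// minimal fake response so this works without Express installed.
function runChain(middlewares, handler, req) {
  const res = {
    statusCode: 200,
    body: undefined,
    status(code) { this.statusCode = code; return this; },
    send(body) { this.body = body; return this; },
  };
  let i = 0;
  function next() {
    const mw = middlewares[i++];
    if (mw) mw(req, res, next);
    else handler(req, res);
  }
  next();
  return { status: res.statusCode, body: res.body };
}

// The admin route from the article, expressed as a handler and a chain.
const adminPanel = (req, res) => res.send('Admin panel');
const adminChain = [checkAuth, checkRole('admin')];
```

Keeping the two checks separate matters: 401 tells an anonymous client to log in, while 403 tells a logged-in user the section is not for them, and the handler never runs in either case.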

Common Mistakes

Ignore security from start

// ❌ Mistake — "First make it, then think about security"
// Harder to refactor later!
 
// ✅ Correct — think about security from the beginning

Trust all data

// ❌ Mistake — trust all input data
const data = req.body; // May contain anything the client chose to send!
 
// ✅ Correct — validate everything
const data = validate(req.body); // validate() checks type and shape and rejects the rest

Simple Rules

  1. XSS — escape everything you show users 💥
  2. CSRF — use verification tokens 🎭
  3. SQL injections — only parameterized queries 🗃️
  4. Leaks — don’t log secrets and keys 🔓
  5. Authorization — check access rights 🚫
  6. Validate everything — trust but verify 🕵️‍♂️

Security — like seatbelt in car: can save life if something goes wrong! 🚗💨

