security | privacy | web dev

Key Threat

Hi, I'm Simon Bell, a Web Developer and Security Consultant. Key Threat is where I write about security, privacy, and web development.

OWASP Top 10: Cross-Site Scripting (XSS) (A7:2017)

24th May 2021 ‧ 8 min read ‧ Web Application Security

Picture of a bridge crossing a river (to represent cross-site scripting)

A cross-site scripting vulnerability (also known as XSS) occurs when a web app allows a user to insert their own code into a webpage that can be seen by other users. The attack happens when a malicious user is able to insert malicious code into the web app. For example: an attacker could add some malicious JavaScript code that would render on other users' browsers. The malicious code could access victims' cookies to carry out a session hijack attack.

Such attacks circumvent the same origin policy of websites, which is designed to stop different websites from sharing data -- keeping them separate. XSS attacks usually allow a malicious user to masquerade as another user and perform actions under that user's account. This can be particularly dangerous if an attacker is able to masquerade as a user with privileged access, such as admin.

A cross-site scripting attack inserts malicious JavaScript code into a webpage. When a victim visits the infected website, they're exposed to the malicious code. Once inside the vulnerable application, the attacker can compromise users' interactions with the application. This might involve session hijacking, sensitive data exposure, etc.

OWASP Top 10: Broken Authentication (A2:2017)

24th May 2021 ‧ 8 min read ‧ Web Application Security

Picture of an unlocked (open) padlock on a door

Broken authentication covers numerous vulnerabilities whereby an attacker impersonates a legitimate user. A broken authentication attack typically exploits a weaknesse in two main areas: session management and credential management.

Session management involves keeping track of a user's session as they move around a website. Let's say Alice logs into her bank then navigates to her accounts overview page. She then navigates to the send money page. The bank's server tracked Alice's session across those pages, keeping her logged in. But if someone else, say Mallory, hijacked Alice's session, then Mallory could impersonate Alice.

Credential management involves how users are authenticated to a website. The majority of websites authenticate uses through a username and password. The username identifies the individual user (e.g. Bob) and the password (known only by the user - in theory) verifies the user. But what happens when someone other than Bob -- say, Mallory -- knows Bob's username and password? Well, Mallory could impersonate Bob.

What is an Intrusion Detection System (IDS)?

16th September 2020 ‧ 2 min read ‧ Network Security

Security guard standing watch.

An intrusion detection system (IDS) monitors network traffic or system information for suspicious activity. Once an IDS discovers a potential intrusion, it typically sends the information to a security information event management system (SIEM) for suitable alerting, logging, etc.

Some IDSs can automatically respond to detected intrusions upon discovery. These are known as intrusion prevention systems (IPS).

OWASP Top 10: Insufficient Logging and Monitoring (A10: 2017)

2nd September 2020 ‧ 3 min read ‧ Web Application Security

Picture of CCTV cameras on a wall (represening monitoring)

What is an attacker's primary objective? To break into your website. What is an attacker's secondary objective? To not get caught. Attackers rely on a lack of monitoring and slow responses to achieve their goals, go undetected, and carry out further attacks.

Many attacks go unnoticed for a long time. Leaving opportunities for attackers to carry out further damage -- or even cover up their tracks. Insufficient logging, monitoring, and incident response plans can all contribute to the amount of damage caused by -- and the time taken to recover from -- an attack.

OWASP Top 10: Using Components with Known Vulnerabilities (A9:2017)

26th August 2020 ‧ 3 min read ‧ Web Application Security

Picture of a broken egg with smaller eggs inside

Web applications often make use of existing libraries and frameworks. This makes development easier since common functionalities can be re-used to save time.

For example: React is a popular front-end JavaScript framework/library that allows developers to create complex front-end applications more easily than using just vanilla JavaScript.

If an attacker can find a vulnerability in such a library then it can have wide-spread and significant implications - since the library may be used by millions of web applications.

OWASP Top 10: Insecure Deserialisation (A8:2017)

19th August 2020 ‧ 3 min read ‧ Web Application Security

Picture of a large box and a small box (to represent deserialisation)

Many web applications serialise and deserialise data -- a process that's useful for transforming data objects from the application into formats for other purposes, such as transferring over a network.

Think of serialising as a bit like when you move house. You pack all your items into boxes (serialising), transport the boxes via a removal company (transfer over a network), then unpack everything at the other end (deserialising).

An insecure deserialisation attack is like having the removal staff tamper with your contents before they arrive and get unpacked.

A web application might want to transfer one of its data objects (such as a customer object) to another service via API. The application does this by transforming its native data object into a serealisation format suitable for the API. The most common serealisation formats within web applications are JSON and XML.

Up arrow Back to top