The single most common serious vulnerability and how to avoid it

Teo Selenius, Senior Security Specialist

June 21, 2021 at 08:13

Teo Selenius works as a cybersecurity expert at Nixu Engineering. He helps IT developers, architects, and other technical personnel in different organizations to build and maintain code that supports application security.

In 2021 Selenius started a blog to keep his findings in order and to share his discoveries and the latest application security trends. Appsecmonkey.com is growing rapidly. Its theme is application security and everything you need to know about it.


Attention developers and product owners!

Cross-site scripting (XSS) vulnerabilities are widespread, and the impact of such an attack can be devastating to your business.

It's crucial then that developers follow good practices to avoid such vulnerabilities. You can read about how XSS creeps into your code and how to prevent it here:
https://appsecmonkey.com/blog/xss.

The good news is that a single browser security control can prevent XSS attacks even when your application is vulnerable: the Content Security Policy (CSP).

CSP gives your web application a set of rules that the browser enforces. One such rule could be "Don't execute any JavaScript on this page unless it is specifically allowed with a nonce or hash." Because an attacker-injected script carries neither the per-response nonce nor a listed hash, the browser refuses to run it, even though it made it into the page.
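The following Python example, added here and not taken from the post or from appsecmonkey.com, shows the server side of that rule: a fresh nonce per response, a `script-src` directive built from that nonce plus a hash for one known inline script, and a small `script_allowed` function that emulates the browser's decision so you can see why an injected script is refused. The function and variable names (`make_nonce`, `build_csp`, `render_page`, `script_allowed`, `initApp`) and the sample comment text are assumptions made for the example.

```python
import base64
import hashlib
import html
import secrets
from typing import Optional, Sequence, Set


def make_nonce() -> str:
    """Return a fresh, unguessable nonce (128 bits, base64).

    Generate one per HTTP response; never reuse it across responses and
    never cache a rendered page that embeds it.
    """
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def script_hash(source: str) -> str:
    """CSP hash-source for an inline script body (the exact text between the tags)."""
    digest = hashlib.sha256(source.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def build_csp(nonce: str, inline_hashes: Sequence[str] = ()) -> str:
    """Build the Content-Security-Policy header value for this response.

    Scripts run only when they carry this response's nonce or match a
    listed hash; 'unsafe-inline' is deliberately absent.
    """
    script_sources = [f"'nonce-{nonce}'", *inline_hashes]
    return "; ".join([
        "default-src 'self'",
        "script-src " + " ".join(script_sources),
        "object-src 'none'",
        "base-uri 'none'",
    ])


def render_page(nonce: str, comment: str) -> str:
    """Render a page with one nonced application script and untrusted content.

    The comment is HTML-escaped (the first line of defence); the CSP is the
    second line of defence if escaping is ever forgotten somewhere.
    """
    return (
        "<!doctype html><html><body>\n"
        f'<div id="comment">{html.escape(comment)}</div>\n'
        f'<script nonce="{nonce}">initApp();</script>\n'  # hypothetical app script
        "</body></html>"
    )


def parse_script_sources(policy: str) -> Set[str]:
    """Extract the script-src source list from a policy string."""
    for directive in policy.split(";"):
        name, _, value = directive.strip().partition(" ")
        if name == "script-src":
            return set(value.split())
    return set()


def script_allowed(policy: str, body: str, nonce_attr: Optional[str] = None) -> bool:
    """Emulate the browser's decision for one inline <script> under the policy.

    An inline script runs only if its nonce attribute matches a nonce-source
    in script-src, or its body hashes to a listed hash-source.
    """
    sources = parse_script_sources(policy)
    if nonce_attr and f"'nonce-{nonce_attr}'" in sources:
        return True
    return script_hash(body) in sources


if __name__ == "__main__":
    nonce = make_nonce()
    # A known inline script that cannot easily be given a nonce: allow it by hash.
    bootstrap = "window.FEATURES = {darkMode: true};"
    policy = build_csp(nonce, [script_hash(bootstrap)])
    print("Content-Security-Policy:", policy)

    # Constructed untrusted input, as an attacker might submit it.
    print(render_page(nonce, "<script>alert(1)</script>"))

    print("app script (nonce):  ", script_allowed(policy, "initApp();", nonce))  # True
    print("bootstrap (hash):    ", script_allowed(policy, bootstrap))            # True
    print("injected (no nonce): ", script_allowed(policy, "alert(1)"))           # False
```

Two points worth checking in your own deployment: the nonce must be generated per response and the page must not be cached with it baked in, and a hash-source is only valid for the byte-exact script body, so any whitespace or template change breaks it until the hash is recomputed.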

Read about CSP with runnable examples for different use cases here:
https://appsecmonkey.com/blog/content-security-policy.
