JavaScript

Dangerous properties in React are those whose behavior is known to be a common source of application vulnerabilities. The properties names clearly indicate they are dangerous and should be avoided unless great care is taken.

When creating a JSX element with a tag, it is often desired to have the link open in a new tab using the target='_blank' attribute. Using this attribute unaccompanied by rel='noreferrer', however, is a severe security vulnerability.

JavaScript's eval() function is potentially dangerous and is often misused. Using eval() on untrusted code can open a program up to several different injection attacks. The use of eval() in most contexts can be substituted for a better, alternative approach to the problem.

It's considered a good practice to avoid using eval() in JavaScript. There are security and performance implications involved with doing so. However, there are some other ways to pass a string and have it interpreted as JavaScript code that have similar concerns.

It is recommended to use interpolation expressions instead of using v-html as it prevents injection attacks like XSS.

A malicious actor can gain full control over the user's DOM window object. This can lead to phishing attacks such as fake login prompts or password alerts being shown to the user.

Developers often overlook implementing a robust content security policy (CSP), leaving web applications vulnerable to clickjacking attacks that can compromise user privacy and security.

Cross-Origin Resource Sharing(CORS) is a mechanism that enables web browsers to perform cross-domain requests using the XMLHttpRequest API in a controlled manner. It defines the protocol to use between a web browser and a server to determine whether a cross-origin request is allowed. Using *, null or google.com is not a reliable way to ensure security of the application or software.

The X-Forwarded-For (XFF) header is a de-facto standard header for identifying the originating IP address of a client connecting to a web server through an HTTP proxy or a load balancer.

When traffic is intercepted between clients and servers, server access logs contain the IP address of the proxy or load balancer only. The X-Forwarded-For request header is used to see the original IP address of the client.

If a server makes proxied connections, it is not a good idea to forward user IP addresses using HTTP headers such as X-Forwarded-For or Forwarded

NodeJS has deprecated the Buffer constructor due to the multitude of security vulnerabilities it is affected by, such as Remote Memory Disclosure and Denial Of Service.

We recommend using Buffer.from(), Buffer.alloc(), and Buffer.allocUnsafe() as alternatives, keeping the following points in mind:

• Buffer.alloc(size[, fill[, encoding]]) returns a new initialized Buffer of the specified size. This method is slower than Buffer.allocUnsafe(size) but guarantees that newly created Buffer instances never contain potentially sensitive data. If the size is not a number, then it will throw a TypeError.
• Buffer.allocUnsafe(size) and Buffer.allocUnsafeSlow(size) each return a new uninitialized Buffer of the specified size. Because the Buffer is uninitialized, the allocated segment of memory might contain potentially sensitive data.

Robust cipher algorithms are cryptographic systems resistant to cryptanalysis. They are not vulnerable to well-known attacks like brute force attacks.

A general recommendation is only to use cipher algorithms intensively tested and promoted by the cryptographic community.

More specifically, it's not recommended for a block cipher to use an algorithm with a block size below 128 bits.

Configuring the server to set insecure cookie configurations can lead to attacks like cookie hijacking, information leaks, and session hijacking.

Setting unsafe POSIX file permissions can be insecure and can lead to unintended access to files.

Misconfiguring your application to use unsafe clear text protocols can lead to exposure of sensitive information.

Serving sensitive files such as dotfiles are not recommended as they contains sensitive information.

XXE Injection is a type of attack against an application that parses XML input.

By default, many XML processors allow specification of an external entity - a URI (Uniform Resource Identifier) that is dereferenced and evaluated during XML processing. When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.

It is recommended to disable fetching external entities whenever possible.

child_process.exec has a simple API which means it is often the first tool developers reach for when they need to run a subprocess.

It is simple to use; pass in a command string, and it will return an error or the command results.

What happens when the arguments you pass to the command depend on user input?

The obvious solution is to take the user input and build your command out using string concatenation. This can lead to remote code execution bugs in your code.

From the Node.js API docs:

Setting noAssert to true skips validation of the offset. This allows the offset to be beyond the end of the Buffer.

It is recommended to Implement the X-Content-Type-Options header with nosniff value (the only existing value for this header), which is supported by all modern browsers and will prevent browsers from performing MIME type sniffing so that in case of Content-Type header mismatch, the resource is not interpreted.

When using NodeJS and express, policies for HTTPS can be configured through the helmet library. The insecureSubdomains policy determines whether the website will redirect to an HTTPS version when an HTTP one is requested.