JavaScript
Client-side JavaScript can, of course, be accessed without requiring any privileged access to the application, enabling you to perform a security-focused code review in any situation. A key focus of this review is to identify any vulnerabilities such as DOM-based XSS, which are introduced on the client component and leave users vulnerable to attack (see Chapter 12). A further reason for reviewing JavaScript is to understand what kinds of input validation are implemented on the client, and also how dynamically generated user interfaces are constructed.
When reviewing JavaScript, you should be sure to include both .js files and scripts embedded in HTML content.
The key APIs to focus on are those that read from DOM-based data and that write to or otherwise modify the current document, as shown in Table 19.12.
Table 19.12 JavaScript APIs That Read from DOM-Based Data
API | Description |
document.location
document.URL
document.URLUnencoded
document.referrer... |
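A review aid for the step described above, written as an added example (it is not code from the book). It scans both .js files and inline scripts in HTML for the four APIs visible in Table 19.12. The `SINKS` list, the function names, and the sample input are assumptions constructed for illustration.

```javascript
// Added example: list script lines that read DOM-based data or write to the document.
// SOURCES are the four APIs visible in Table 19.12; SINKS is an assumed sample of
// document-writing APIs, since the page's own list of those is not shown here.
const SOURCES = ['document.location', 'document.URL', 'document.URLUnencoded', 'document.referrer'];
const SINKS = ['document.write', 'document.writeln', 'innerHTML', 'outerHTML', 'eval'];

// Match any listed name as a whole identifier, trying longer names first so
// document.URLUnencoded is not reported as document.URL.
function matcher(names) {
  const alt = names.map(n => n.replace(/\./g, '\\.')).sort((a, b) => b.length - a.length).join('|');
  return new RegExp('(?<![\\w$])(?:' + alt + ')(?![\\w$])', 'g');
}
const SOURCE_RE = matcher(SOURCES), SINK_RE = matcher(SINKS);

// A .js file is one block; an HTML file yields one block per inline <script> body,
// with the line number where that body starts so findings map back to the file.
function scriptBlocks(name, text) {
  if (/\.js$/i.test(name)) return [{ startLine: 1, code: text }];
  const blocks = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi;
  for (let m; (m = re.exec(text)); ) {
    const bodyStart = m.index + m[0].indexOf('>') + 1;
    blocks.push({ startLine: text.slice(0, bodyStart).split('\n').length, code: m[1] });
  }
  return blocks;
}

// Return one finding per script line that touches a source or a sink.
function review(name, text) {
  const findings = [];
  for (const { startLine, code } of scriptBlocks(name, text)) {
    code.split('\n').forEach((line, i) => {
      const sources = line.match(SOURCE_RE) || [];
      const sinks = line.match(SINK_RE) || [];
      if (sources.length || sinks.length)
        findings.push({ file: name, line: startLine + i, sources, sinks });
    });
  }
  return findings;
}

// Constructed sample input (not taken from any real application).
const SAMPLE_HTML = '<html><body>\n<script>\n  var ref = document.referrer;\n' +
  '  document.write("From: " + document.URL);\n</script>\n' +
  '<p>document.location in page text is not script</p></body></html>';
const SAMPLE_JS = 'var u = document.URLUnencoded;\nvar mydocument = {}; mydocument.URL = 1;\n';

for (const f of [...review('page.html', SAMPLE_HTML), ...review('app.js', SAMPLE_JS)])
  console.log(`${f.file}:${f.line} sources=[${f.sources}] sinks=[${f.sinks}]`);
```

Lines where a source and a sink appear together are the first candidates for manual tracing; a line-based match like this only narrows the reading list and does not follow data through variables.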