What are the main security threats of SPAs and how to avoid them?
How to implement authorization in an SPA? For example, if a user tries to access a page for which he/she doesn't have rights, redirect the user to an error page?
I haven't faced this one but always thought that it is possible.
Type:
XSS with other combinations of attacks like MITM
Case:
Most of the SPAs (will) have dynamic content loading, and this dynamic content will follow some structure and the rest is a script. I think that it is possible to tap into those requests and send a malicious response to the client. The client will end up executing the malicious response and might give a wide area for more attacks.
Possible Solution:
The use of hashes and nonces can help in mitigating this type of threat.
And the rest is explained by Jos Fabre about the threats to APIs. Primarily, the API needs to be hardened.
These days JWT is used for authentication and authorization. But the structure of a JWT can allow you to learn more things about the API and possibilities. jwt.io
Or the same JWT can be used to fire more requests on the user's behalf, as JWT-enabled APIs don't have a session but the JWT is the representation of the auth state.
Pankaj Patel
Blog, Tech, Photography etc.