Foundation: Optimization & Security Flashcards
What is inline caching?
Inline caching is a JIT optimization that relies on the observation that repeated calls to the same method tend to occur on the same type of object. The engine caches the result of the property or method lookup at the call site and, on later calls, only checks that the object still has the same shape (hidden class) before reusing it, skipping the full lookup.
What is eval()?
Eval is evil.
eval() takes a string and runs it as JavaScript in the caller's scope: eval("2 + 3") returns 5.
It is not recommended. eval() is potentially dangerous and is often misused.
Calling eval() on untrusted input runs that input as code, which opens a program up to injection attacks: the attacker can run anything the script itself could run.
In the browser, eval() fed from a DOM source (the URL, a cookie, postMessage data) is a classic DOM-based XSS sink. Use JSON.parse() for data and a purpose-built parser for expressions instead.
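An added example, not from the original flashcards: the classic "calculator" that hands user input to eval(), next to a parser that only accepts arithmetic. The attacker input is constructed for the demo; everything else is plain Node.

```javascript
// Added example, not from the original flashcards: a "calculator" that hands
// user input to eval(), beside a parser that only accepts arithmetic.

// VULNERABLE: the whole string runs as JavaScript with the caller's privileges.
function unsafeCalc(expr) {
  return eval(expr); // eslint-disable-line no-eval
}

// SAFE: recursive-descent parser for numbers, + - * / and parentheses.
// Identifiers, semicolons, property access etc. are never tokens, so they are rejected.
function safeCalc(expr) {
  const tokens = expr.match(/\s*(\d+(?:\.\d+)?|[-+*/()])\s*/g);
  // The tokeniser must consume the entire input; leftovers mean foreign syntax.
  if (!tokens || tokens.join('') !== expr) {
    throw new Error('input is not a pure arithmetic expression');
  }
  const toks = tokens.map((t) => t.trim());
  let pos = 0;
  const peek = () => toks[pos];
  const next = () => toks[pos++];

  function parseFactor() {            // factor := number | '(' expr ')' | '-' factor
    const tok = next();
    if (tok === undefined) throw new Error('unexpected end of expression');
    if (tok === '(') {
      const value = parseExpr();
      if (next() !== ')') throw new Error('missing closing parenthesis');
      return value;
    }
    if (tok === '-') return -parseFactor();
    if (/^\d/.test(tok)) return Number(tok);
    throw new Error(`unexpected token ${tok}`);
  }
  function parseTerm() {              // term := factor (('*' | '/') factor)*
    let value = parseFactor();
    while (peek() === '*' || peek() === '/') {
      const op = next();
      const rhs = parseFactor();
      value = op === '*' ? value * rhs : value / rhs;
    }
    return value;
  }
  function parseExpr() {              // expr := term (('+' | '-') term)*
    let value = parseTerm();
    while (peek() === '+' || peek() === '-') {
      const op = next();
      const rhs = parseTerm();
      value = op === '+' ? value + rhs : value - rhs;
    }
    return value;
  }

  const result = parseExpr();
  if (pos !== toks.length) throw new Error('trailing tokens after expression');
  return result;
}

// Constructed attacker input: a valid expression followed by an extra statement.
const ATTACKER_INPUT = '2 + 3; globalThis.pwnedByEval = true';

function evalInjectionDemo() {
  unsafeCalc(ATTACKER_INPUT);          // eval() also runs the second statement
  let safeRejected = false;
  try {
    safeCalc(ATTACKER_INPUT);
  } catch (e) {
    safeRejected = true;               // the parser refuses the ';' and the identifiers
  }
  return { evalSideEffect: globalThis.pwnedByEval === true, safeRejected };
}
```

The parser is deliberately an allowlist: it recognises a small grammar and throws on anything else, which is the opposite of trying to blocklist dangerous substrings before calling eval().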
What is cross-site scripting (XSS)?
Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user.
What is DOM-based XSS?
DOM-based XSS is the variant in which the vulnerable code runs entirely in the browser: client-side JavaScript reads attacker-controlled data from a DOM source and writes it into a dangerous sink (innerHTML, document.write, eval, setTimeout with a string argument, and so on).
It is harder to catch than reflected or stored XSS because the payload often never reaches the server at all (for example when it sits in the URL fragment after #), so server-side filtering and a web-application firewall (WAF) cannot see it; the fix has to be in the client-side code.
Vulnerable JavaScript sources that can be exploited for a DOM-based attack include the following:
Location-based, such as location, location.href, location.hash, location.search and document.URL.
Client-side storage based, such as document.cookie, sessionStorage and localStorage.
Navigation-based, such as document.referrer, window.name and history state.
Cross-domain channels, such as the data of a postMessage event or a response loaded from another origin.
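An added example, not from the original flashcards, tracing one source (the URL fragment) to one sink. Node has no DOM, so the sinks are modelled as functions that return the value the page would assign to element.innerHTML or element.textContent; the attack URL and the app.example host are constructed.

```javascript
// Added example, not from the original flashcards. Node has no DOM, so the
// "sinks" are modelled as functions returning the value that the page would
// assign to element.innerHTML or element.textContent.

// Source: the URL fragment. It is never sent to the server, so neither the
// server-side code nor a WAF ever sees the payload. (document.cookie,
// localStorage, window.name and document.referrer are handled the same way.)
function nameFromLocation(href) {
  const hash = new URL(href).hash;                // "#name=..."
  return new URLSearchParams(hash.slice(1)).get('name') ?? 'guest';
}

// VULNERABLE sink: untrusted text spliced into markup, i.e. el.innerHTML = ...
function greetingInnerHTML(name) {
  return `<h1>Welcome, ${name}</h1>`;
}

// Fix 1: HTML-encode the five significant characters before it reaches innerHTML.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}
function greetingEscaped(name) {
  return `<h1>Welcome, ${escapeHtml(name)}</h1>`;
}

// Fix 2: write to textContent, which stores the string as data, never as markup.
// The returned string still contains '<' literally; the browser never parses it.
function greetingTextContent(name) {
  const h1 = { textContent: '' };                 // stand-in for document.createElement('h1')
  h1.textContent = `Welcome, ${name}`;
  return h1.textContent;
}

// Check for this constructed payload: did the injected <img> tag survive as markup?
function injectedTagSurvives(html) {
  return /<img\b/i.test(html);
}

// Constructed attack URL (no real site): the payload lives after '#'.
const ATTACK_URL = 'https://app.example/profile#name=<img src=x onerror=alert(1)>';
```

Note that nothing in the fragment is visible in the server's access log, which is exactly why a server-side filter cannot help here.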
What is cross-domain information leakage?
JavaScript has cross-domain functionality that lets a page load objects from several origins (widgets, iframes, scripts, among others).
HTML5-era APIs widened this: XMLHttpRequest Level 2 and fetch() can make cross-origin requests, and CORS response headers decide whether the calling page may read the reply.
Before that, cross-domain data exchange was usually done with JSONP callbacks: a <script> tag loads a function call from another origin, which bypasses the same-origin policy entirely.
Information leaks when a response that should stay private becomes readable by another origin, for example through an over-permissive CORS policy or a JSONP endpoint that returns user-specific data.
What is CSRF?
Cross-Site Request Forgery (CSRF) is a type of attack that occurs when a malicious website, email, blog, instant message, or program causes a user’s web browser to perform an unwanted action on a trusted site when the user is authenticated.
The most robust way to defend against CSRF attacks is to include a CSRF token within relevant requests.
The token should be:
Unpredictable with high entropy, as for session tokens in general.
Tied to the user’s session.
Strictly validated in every case before the relevant action is executed.
What is CORS?
Cross-origin resource sharing (CORS) is a mechanism that allows restricted resources on a web page to be requested from another domain outside the domain from which the first resource was served.
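An added example, not from the original flashcards, of how a server decides the Access-Control-Allow-Origin value and what the browser then does with it. The origins and the allowlist are constructed; browserAllowsRead() is a simplified model of the browser's credentialed-read check.

```javascript
// Added example, not from the original flashcards: three ways a server might
// decide the Access-Control-Allow-Origin value. The origins are made up.
const ALLOWED_ORIGINS = new Set(['https://app.example', 'https://admin.example']);

// BAD: reflect whatever Origin the browser sent, with credentials. Every site on
// the internet can now read this API as the logged-in user.
function corsReflect(requestOrigin) {
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// ALSO BAD: a prefix (or loose regex) check. "https://app.example.attacker.test" passes.
function corsPrefixCheck(requestOrigin) {
  if (!requestOrigin || !requestOrigin.startsWith('https://app.example')) return {};
  return corsReflect(requestOrigin);
}

// GOOD: exact match against an allowlist. Unknown origins get no CORS headers,
// so the browser refuses to hand the response to the page. Vary: Origin keeps
// shared caches from replaying one origin's answer to another.
function corsAllowlist(requestOrigin) {
  if (!ALLOWED_ORIGINS.has(requestOrigin)) return {};
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    Vary: 'Origin',
  };
}

// Simplified model of the browser's check for a credentialed cross-origin read:
// the ACAO header must equal the page's origin ("*" is not accepted with credentials).
function browserAllowsRead(headers, pageOrigin) {
  return headers['Access-Control-Allow-Origin'] === pageOrigin
    && headers['Access-Control-Allow-Credentials'] === 'true';
}

function corsDemo() {
  const evil = 'https://app.example.attacker.test';
  const legit = 'https://app.example';
  return {
    reflectLetsEvilRead: browserAllowsRead(corsReflect(evil), evil),
    prefixLetsEvilRead: browserAllowsRead(corsPrefixCheck(evil), evil),
    allowlistLetsEvilRead: browserAllowsRead(corsAllowlist(evil), evil),
    allowlistLetsLegitRead: browserAllowsRead(corsAllowlist(legit), legit),
  };
}
```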
What is CSP?
Content Security Policy (CSP) is a computer security standard introduced to prevent cross-site scripting (XSS), clickjacking and other code injection attacks resulting from the execution of malicious content in the trusted web page context.
Header: Content-Security-Policy
In Nginx, inside the server block (the whole value goes in straight double quotes, and the directive ends with a semicolon):
add_header Content-Security-Policy "default-src 'self'; script-src 'self' www.google-analytics.com ajax.googleapis.com;";
Allowing a whole CDN host in script-src is a known weak point, because any JSONP endpoint on that host can be used to run attacker-chosen code under the policy; per-response nonces or hashes (with 'strict-dynamic') are the stronger form.
What is clickjacking?
Clickjacking is an attack that fools users into thinking they are clicking on one thing when they are actually clicking on another.
The attack relies on HTML frames (iframes): the attacker loads the target page in a frame and covers it with a transparent layer carrying its own JavaScript and UI elements, so the user's clicks land on the hidden page.
The X-Frame-Options header and the Content Security Policy (CSP) frame-ancestors directive are the two ways to stop clickjacking.
X-Frame-Options
The X-Frame-Options HTTP header lets an application state whether framing is denied altogether (DENY) or allowed only from the same origin (SAMEORIGIN). The ALLOW-FROM value was never supported by all mainstream browsers and has been dropped from modern ones; to name specific framing origins use Content-Security-Policy: frame-ancestors, and send X-Frame-Options only as a fallback for older browsers.
Possible X-Frame-Options values:
X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
X-Frame-Options: ALLOW-FROM https://example.com/ (legacy, not honoured by modern browsers)
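An added example, not from the original flashcards, covering both the CSP card and the clickjacking card: antiFramingHeaders() emits the two headers consistently, and canBeFramed() interprets them the way a browser does (a CSP frame-ancestors directive takes precedence over X-Frame-Options). The function names and the origins are made up; the parser only understands 'none', 'self' and exact origins, not scheme sources or wildcards.

```javascript
// Added example, not from the original flashcards. antiFramingHeaders() builds
// the two headers consistently; canBeFramed() interprets them the way a browser
// does: when a CSP frame-ancestors directive is present it wins and
// X-Frame-Options is ignored, so the latter is only a fallback for old browsers.
// Only 'none', 'self' and exact origins are handled (no schemes or wildcards).
function antiFramingHeaders(allowedFramers) {
  if (allowedFramers.length === 0) {
    return { 'Content-Security-Policy': "frame-ancestors 'none'", 'X-Frame-Options': 'DENY' };
  }
  if (allowedFramers.length === 1 && allowedFramers[0] === 'self') {
    return { 'Content-Security-Policy': "frame-ancestors 'self'", 'X-Frame-Options': 'SAMEORIGIN' };
  }
  // A list of third-party origins has no X-Frame-Options equivalent (ALLOW-FROM
  // is gone from modern browsers), so only CSP is emitted.
  return { 'Content-Security-Policy': `frame-ancestors ${allowedFramers.join(' ')}` };
}

// Returns true/false per the directive, or null when the policy says nothing about framing.
function frameAncestorsAllows(csp, pageOrigin, framerOrigin) {
  const directive = csp
    .split(';')
    .map((d) => d.trim())
    .find((d) => d.startsWith('frame-ancestors'));
  if (!directive) return null;
  const sources = directive.split(/\s+/).slice(1);
  return sources.some((src) => {
    if (src === "'none'") return false;
    if (src === "'self'") return framerOrigin === pageOrigin;
    return src === framerOrigin;
  });
}

function canBeFramed(headers, pageOrigin, framerOrigin) {
  const csp = headers['Content-Security-Policy'];
  if (csp) {
    const verdict = frameAncestorsAllows(csp, pageOrigin, framerOrigin);
    if (verdict !== null) return verdict;        // CSP decides; X-Frame-Options ignored
  }
  const xfo = (headers['X-Frame-Options'] || '').toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return framerOrigin === pageOrigin;
  return true;                                   // no protection: any site may frame the page
}
```

When auditing a response, check both headers together: a strict X-Frame-Options next to a permissive frame-ancestors gives the permissive result in every modern browser.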
What is coercion in JS?
It is the mechanism by which JS tries to force the types of values when an operator is applied to operands of different, not particularly compatible, types.
Example: 2 + '2' gives the string '22', not 4.
Using TypeScript prevents this to an extent, because the compiler rejects most mixed-type operations.
It is not recommended to rely on implicit coercion in operations: convert explicitly (Number(), String()) and validate the type of untrusted input first.
Another very common operator that is significantly affected by type coercion is ==. In JavaScript it should be replaced with ===, which compares type and value without any conversion.
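An added example, not from the original flashcards, showing why == is a security problem and not just a style point: an ownership check against a constructed record, probed with the kinds of values an attacker can put in a JSON body. The record, the probe values and the function names are all made up.

```javascript
// Added example, not from the original flashcards: an ownership check written
// with == against a constructed record, and the values an attacker can send in
// a JSON body (strings, arrays, hex) that == happily turns into the number 7.
const record = { id: 42, ownerId: 7 };

function isOwnerLoose(claimedUserId) {
  return claimedUserId == record.ownerId;     // coerces the operand
}
function isOwnerStrict(claimedUserId) {
  return claimedUserId === record.ownerId;    // same type and value, or false
}
// Belt and braces: validate the shape of untrusted input before comparing at all.
function asUserId(value) {
  if (typeof value !== 'number' || !Number.isInteger(value) || value < 0) {
    throw new TypeError('user id must be a non-negative integer');
  }
  return value;
}

function coercionProbe() {
  const probes = { str: '7', exp: '7e0', arr: [7], hex: '0x7', padded: ' 7\n', bool: true };
  const loose = {};
  const strict = {};
  for (const [label, value] of Object.entries(probes)) {
    loose[label] = isOwnerLoose(value);
    strict[label] = isOwnerStrict(value);
  }
  return { loose, strict };
}

// The + operator has the same trap: one string operand turns addition into concatenation.
function addAmountsLoose(balance, deposit) {
  return balance + deposit;
}
function addAmountsChecked(balance, deposit) {
  if (typeof balance !== 'number' || typeof deposit !== 'number') {
    throw new TypeError('amounts must be numbers');
  }
  return balance + deposit;
}
```

Five of the six probes pass the loose check (only true fails, because it coerces to 1); none pass the strict one. The asUserId() guard is the habit to build: decide the expected type once at the boundary, then compare with === everywhere else.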
What is var?
var has only two scopes: function or global.
var does not raise an error if you redeclare an existing variable.
The current and more refined alternative is to use either let or const.
What are the differences between var, let and const?
Scoping rules
Variables declared with the var keyword are scoped to the immediate function body (function scope), while let variables are scoped to the immediate enclosing block denoted by { } (block scope).
Hoisting
Variables declared with var are hoisted (the binding is created and initialized to undefined before the code runs), so they are accessible in their enclosing scope even before the line that declares them. let and const bindings are also created early but are not initialized, so reading them before the declaration throws a ReferenceError (the temporal dead zone).
Creating global object property
At the top level of a script, let, unlike var, does not create a property on the global object.
Redeclaration
var lets you redeclare the same variable in the same scope, in strict and sloppy mode alike; let raises a SyntaxError.
Const:
It is similar to let, but a const declaration must be initialized at the time of declaration and cannot be reassigned.
The binding is constant, not the value: an object held by a const can still have its properties changed through its keys (use Object.freeze to prevent that).
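An added example, not from the original flashcards, that exercises each of the differences above and returns what it observed. A Node module has its own scope, so new Function() is used where a fresh function scope is needed and indirect eval where a true global scope is needed; the function and variable names are made up.

```javascript
// Added example, not from the original flashcards. Each function returns what
// it observed so the behaviour can be checked rather than just printed.
// new Function() and indirect eval are used only because a Node module has its
// own scope: they give a fresh function scope / a true global scope.

function scopeDemo() {
  if (true) {
    var leaked = 'var escapes the block';
    let contained = 'let stays inside';
  }
  // typeof on an undeclared name does not throw, so this is a safe probe
  return { leaked, letVisibleOutside: typeof contained !== 'undefined' };
}

function hoistingDemo() {
  const varBefore = typeof hoistedVar;     // 'undefined': binding exists, value not yet assigned
  var hoistedVar = 1;
  let letError = null;
  try {
    hoistedLet;                            // temporal dead zone
  } catch (e) {
    letError = e.name;                     // 'ReferenceError'
  }
  let hoistedLet = 2;
  return { varBefore, letError, afterwards: hoistedVar + hoistedLet };
}

function globalPropertyDemo() {
  (0, eval)('var fromVar = 1; let fromLet = 2;');   // indirect eval runs at global scope
  return {
    varIsGlobalProperty: globalThis.fromVar === 1,
    letIsGlobalProperty: Object.prototype.hasOwnProperty.call(globalThis, 'fromLet'),
  };
}

function redeclarationDemo() {
  const varTwice = new Function('var x = 1; var x = 2; return x;')();
  let letError = null;
  try {
    new Function('let y = 1; let y = 2;');  // rejected at parse time, strict or not
  } catch (e) {
    letError = e.name;                      // 'SyntaxError'
  }
  return { varTwice, letError };
}

function constDemo() {
  const cfg = { debug: false };
  cfg.debug = true;                         // allowed: the binding is constant, the object is not
  let reassignError = null;
  try {
    new Function('const c = 1; c = 2;')();
  } catch (e) {
    reassignError = e.name;                 // 'TypeError'
  }
  const frozen = Object.freeze({ debug: false });
  try {
    frozen.debug = true;                    // ignored in sloppy mode, TypeError in strict mode
  } catch (e) {
    // strict mode: assignment to a frozen object throws
  }
  return { mutatedThroughConst: cfg.debug, reassignError, frozenUnchanged: frozen.debug === false };
}
```

Call globalPropertyDemo() once per process: its let declaration lives in the global lexical scope, so a second run would itself hit the redeclaration SyntaxError.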
What are the differences between arrow functions and normal functions?
Arrow functions don't have their own this (their own context): they capture this from the enclosing scope, so call(), apply() and bind() cannot rebind it, and they cannot be used as constructors with new.
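An added example, not from the original flashcards, showing what "no own this" means in practice for callbacks, for call(), and for new. The object and method names are made up.

```javascript
// Added example, not from the original flashcards: what "no own this" means in
// practice for callbacks, call(), and new.
function arrowDemo() {
  const obj = {
    name: 'obj',
    // Normal function callback: `this` is whatever map() supplies (not obj),
    // undefined in strict mode or the global object in sloppy mode.
    namesRegular() {
      return [1, 2].map(function () { return this === obj ? this.name : 'lost'; });
    },
    // Arrow callback: `this` is captured from namesArrow(), i.e. obj.
    namesArrow() {
      return [1, 2].map(() => this.name);
    },
    // call() cannot rebind an arrow's this; it still sees obj.
    rebindAttempt() {
      const arrow = () => this.name;
      return arrow.call({ name: 'other' });
    },
  };
  let newError = null;
  try {
    new (() => {})();                       // arrows have no [[Construct]]
  } catch (e) {
    newError = e.name;                      // 'TypeError'
  }
  return {
    regular: obj.namesRegular(),
    arrow: obj.namesArrow(),
    rebindAttempt: obj.rebindAttempt(),
    newError,
  };
}
```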