OWasp AJAX Security Cheat Sheet

Question 1

Client Side

What should be used instead of .innerHTML to prevent XSS problems?

Answer 1

Use .innerText, as it automatically encodes the text.

Question 2

Client Side

Why should eval() or similar code evaluation tools be avoided?

Answer 2

eval() is considered harmful and usually signals a design problem.

Question 3

Client Side

What does canonicalizing data to the consumer involve?

Answer 3

Encoding data before use to preserve logical meaning and prevent injection issues.

Question 4

Client Side

Why is proper encoding important when building outputs like HTML, CSS, or JSON?

Answer 4

To ensure data is secure and retains its intended logical meaning.

Question 5

Client Side

Why should client-side logic not be relied upon for security?

Answer 5

The user controls client-side logic and can manipulate it using browser plugins or other tools.

Question 6

Client Side

What must be done with business logic to prevent bypasses?

Answer 6

Duplicate all critical business rules/logic on the server side.

Question 7

Client Side

Why should writing serialization code be avoided?

Answer 7

Even a small mistake can lead to major security issues, and there are existing frameworks for this purpose.

Question 8

Client Side

How should XML or JSON be built to prevent injection bugs?

Answer 8

Avoid building them dynamically or use encoding libraries or safe JSON/XML libraries to ensure safety.

Question 9

Client Side

How can XSS and SQL injection be mitigated in data handling?

Answer 9

Encode and validate data properly, using safe libraries and frameworks.

Question 10

Client Side

Why should secrets never be transmitted to the client?

Answer 10

Anything sent to the client can be accessed by the user.

Question 11

Client Side

Where should encryption be performed?

Answer 11

On the server, using TLS/SSL for secure transmission.

Question 12

Client Side

Why should security-impacting logic never be performed on the client side?

Answer 12

To avoid the risk of manipulation or bypasses, keeping security logic server-side ensures better protection.

Question 13

Server Side

What should be used to prevent CSRF attacks?

Answer 13

Implement Cross-Site Request Forgery (CSRF) protection as detailed in the CSRF Prevention cheat sheet.

Question 14

Server Side

How can JSON hijacking in older browsers be mitigated?

Answer 14

Review AngularJS’s JSON Vulnerability Protection mechanism and ensure JSON responses start with an object.

Question 15

Server Side

Why should JSON strings begin with an object?

Answer 15

It prevents exploitation by ensuring responses are not wrapped in an array, e.g., {“result”:[…]} is safe, whereas [{“key”:”value”}] is not.

Question 16

Server Side

Should server-side serialization code be written manually?

Answer 16

No, use an existing library that has been reviewed for security.

Question 17

Server Side

What should be done to input when services are called directly by users?

Answer 17

Validate inputs as though they are under user control, because they are.

Question 18

Server Side

Why avoid manually building XML or JSON?

Answer 18

Manual creation can lead to security issues like injection bugs; use a framework or a safe library instead.

Question 19

Server Side

What should be used to validate web services?

Answer 19

JSON and XML Schema, validated through a third-party library.