Vulnerability Assessment
2026-04-24•9 min read•Saul Vo
securityscanningtestingvulnerability
Vulnerability Assessment
Mục lục
- Vulnerability Categories
- Assessment Methodology
- Frontend-Specific Vulnerabilities
- API Security Assessment
- Authentication Security Assessment
- Common Vulnerability Patterns
- Risk Scoring
1. Vulnerability Categories
OWASP Top 10 (2021)
┌─────────────────────────────────────────────────────────────────────┐
│ OWASP Top 10 (2021) │
├─────────────────────────────────────────────────────────────────────┤
│ │
│ A01: Broken Access Control │
│ A02: Cryptographic Failures │
│ A03: Injection │
│ A04: Insecure Design │
│ A05: Security Misconfiguration │
│ A06: Vulnerable Components │
│ A07: Authentication Failures │
│ A08: Software Integrity Failures │
│ A09: Security Logging Failures │
│ A10: Server-Side Request Forgery │
│ │
│ Frontend Relevance: │
│ • A01: Client-side access control bypass │
│ • A03: XSS, HTML injection │
│ • A05: CSP, security headers │
│ • A07: JWT handling, session storage │
│ • A10: SSRF via WebSocket, fetch APIs │
│ │
└─────────────────────────────────────────────────────────────────────┘
Frontend-Specific Vulnerabilities
| Category | Vulnerability | Severity | OWASP Ref |
|---|---|---|---|
| XSS | Stored XSS in messages | Critical | A03 |
| XSS | DOM-based XSS | High | A03 |
| XSS | Reflected XSS | High | A03 |
| XSS | mXSS (Mutation) | High | A03 |
| Auth | Token in localStorage | High | A07 |
| Auth | Weak JWT validation | High | A07 |
| Auth | Missing MFA | Medium | A07 |
| CSRF | Missing CSRF tokens | Medium | A01 |
| Info | Sensitive data in URL | Medium | A01 |
| Info | Console logging secrets | High | A02 |
| Config | Missing CSP | Medium | A05 |
| Config | Weak CSP | Medium | A05 |
| Config | X-Frame-Options missing | Low | A05 |
2. Assessment Methodology
Vulnerability Assessment Process
┌─────────────────────────────────────────────────────────────────────┐
│ Vulnerability Assessment Process │
├─────────────────────────────────────────────────────────────────────┤
│ │
│ 1. Reconnaissance │
│ • Identify all endpoints (API, WebSocket) │
│ • Map authentication mechanisms │
│ • Document frontend architecture │
│ • List third-party dependencies │
│ │
│ 2. Automated Scanning │
│ • SAST tools (eslint-plugin-security, etc.) │
│ • DAST tools (Burp Suite, OWASP ZAP) │
│ • Dependency scanning (npm audit, Snyk) │
│ │
│ 3. Manual Testing │
│ • XSS vectors in all input fields │
│ • Bypass authentication/authorization │
│ • Test WebSocket message handling │
│ • Verify security headers │
│ │
│ 4. Analysis & Prioritization │
│ • Score vulnerabilities by severity │
│ • Assess exploitability │
│ • Evaluate business impact │
│ │
│ 5. Reporting │
│ • Document findings with PoC │
│ • Provide remediation guidance │
│ • Track remediation progress │
│ │
└─────────────────────────────────────────────────────────────────────┘
Assessment Checklist
-
Authentication Review
- JWT implementation (algorithm, expiration)
- Token storage (localStorage vs httpOnly cookie)
- Session management
- MFA implementation
- Password policy
-
Authorization Review
- Client-side permission checks
- API authorization enforcement
- Resource ownership validation
- IDOR vulnerabilities
-
Input Validation Review
- XSS prevention (sanitization, encoding)
- SQL injection (if applicable)
- Command injection
- File upload validation
-
Configuration Review
- Security headers (CSP, HSTS, etc.)
- CORS configuration
- WebSocket security
- Error handling
-
Dependency Review
- Known vulnerabilities in packages
- Outdated dependencies
- Malicious packages
3. Frontend-Specific Vulnerabilities
XSS Testing Matrix
// XSS test cases by input vector
const xssTestCases = {
// Rich text fields (chat messages, comments)
richText: [
'<script>alert(1)</script>',
'<img src=x onerror=alert(1)>',
'<svg onload=alert(1)>',
'<body onload=alert(1)>',
'<iframe src="javascript:alert(1)">',
'<object data="javascript:alert(1)">',
'<a href="javascript:alert(1)">click</a>',
'<div onclick="alert(1)">click</div>',
'<style>@import"javascript:alert(1)"</style>'
],
// URL parameters
urlParams: [
'?q=<script>alert(1)</script>',
'?q="><script>alert(1)</script>',
'?q=javascript:alert(1)',
'?q=<img src=x onerror=alert(1)>'
],
// Form inputs
formInputs: [
'<script>alert(1)</script>',
"';alert(1);//",
'"><img src=x onerror=alert(1)>'
],
// File uploads (filename)
fileUploads: [
'<script>test.jpg', // If extension not validated
'test.png"><script>alert(1)</script>.png'
]
};
// DOM XSS specific tests
const domXssSinks = [
'location.href',
'location.search',
'location.hash',
'document.referrer',
'document.write',
'innerHTML',
'outerHTML'
];Security Header Assessment
# Check security headers
curl -I https://yourapp.com
# Expected headers:
# Content-Security-Policy: ...
# X-Content-Type-Options: nosniff
# X-Frame-Options: DENY or SAMEORIGIN
# X-XSS-Protection: 0 (or not present)
# Strict-Transport-Security: max-age=...
# Referrer-Policy: strict-origin-when-cross-origin
# Permissions-Policy: ...
# Server: (should not reveal version)React Security Assessment
// Dangerous patterns to check:
const dangerousPatterns = [
// dangerouslySetInnerHTML without sanitization
/dangerouslySetInnerHTML=\{\{[^}]+\}\}/,
/dangerouslySetInnerHTML=\{\{.*?\}\}/,
// innerHTML usage
/\.innerHTML\s*=/,
/\.outerHTML\s*=/,
// eval usage
/eval\s*\(/,
/new Function\s*\(/,
// document.write
/document\.write\s*\(/,
// Location manipulation from user input
/location\.href\s*=.*\$/,
// Event handlers from user input
/on\w+=\{.*\$\}/,
// URL from user input in href
/href=\{.*\$\}/,
// Style from user input
/style=\{.*\$\}/
];4. API Security Assessment
API Vulnerability Checklist
-
Authentication
- API key exposure in frontend
- JWT validation bypass
- Token expiration not enforced
- Refresh token rotation implemented
-
Authorization
- IDOR in API parameters
- Missing resource ownership checks
- Privilege escalation possible
- Horizontal privilege escalation
-
Input Validation
- Type coercion issues
- Parameter pollution
- Array/object overloading
- Missing validation on server
-
Rate Limiting
- Missing rate limits
- Bypass via header manipulation
- No distributed rate limiting
API Test Cases
// IDOR test - access other users' resources
async function testIDOR() {
// Logged in as user1
const user1Token = await login('user1@example.com');
// Get user1's resource
const resource1 = await fetch('/api/resource/123', {
headers: { Authorization: `Bearer ${user1Token}` }
});
// Try to access as user2
const user2Token = await login('user2@example.com');
// This should be blocked
const forbidden = await fetch('/api/resource/123', {
headers: { Authorization: `Bearer ${user2Token}` }
});
if (forbidden.status !== 403) {
console.log('IDOR VULNERABILITY: User2 can access User1 resource');
}
}
// Parameter pollution test
async function testParamPollution() {
// Send array instead of single value
const response = await fetch('/api/search?q=test&q=admin', {
// Should only process first q, or validate for array
});
}
// Type coercion test
async function testTypeCoercion() {
// Boolean coercion via string
await fetch('/api/admin?enabled=true'); // String, should fail
await fetch('/api/admin?enabled=1'); // Number
// Compare with proper boolean
await fetch('/api/admin', {
body: JSON.stringify({ enabled: true }) // Proper boolean
});
}5. Authentication Security Assessment
JWT Security Checklist
const jwtSecurityChecklist = {
algorithm: [
'Algorithm explicitly specified',
'HS256 used (not "none")',
'RS256 preferred for asymmetric',
'No algorithm confusion possible'
],
secret: [
'Minimum 256-bit key',
'Key not in source code',
'Key rotated regularly',
'Different secrets for access/refresh'
],
expiration: [
'Access token expires in 15-60 minutes',
'Refresh token expires in 7-30 days',
'Refresh token rotation implemented',
'Token expiration validated on backend'
],
storage: [
'Not in localStorage',
'Access token in memory or sessionStorage',
'Refresh token in httpOnly cookie',
'Tokens cleared on logout'
],
validation: [
'Issuer (iss) validated',
'Audience (aud) validated',
'Not before (nbf) validated',
'JWT ID (jti) used for revocation'
]
};Session Security Checklist
const sessionSecurityChecklist = {
creation: [
'Session ID generated with secure random',
'Session ID is 128+ bits',
'Session ID not exposed in URL',
'Session ID regenerated after login'
],
storage: [
'Session data stored server-side',
'Session ID only in httpOnly cookie',
'Secure flag set in production',
'SameSite attribute configured'
],
timeout: [
'Absolute session timeout (max 24h)',
'Idle session timeout (15-30 min)',
'Session expiry warning sent',
'Force re-authentication for sensitive actions'
],
termination: [
'Logout destroys session server-side',
'Logout clears cookies',
'Session revocation on password change',
'Concurrent session limit enforced'
]
};6. Common Vulnerability Patterns
High Severity Patterns
// 1. Sensitive Data Exposure
const sensitivePatterns = [
/api[_-]?key\s*[:=]\s*['"][a-zA-Z0-9]/,
/secret\s*[:=]\s*['"][a-zA-Z0-9]/,
/password\s*[:=]\s*['"][a-zA-Z0-9]/,
/token\s*[:=]\s*['"][a-zA-Z0-9]/,
/private[_-]?key\s*[:=]/,
/Bearer\s+[a-zA-Z0-9]/
];
// 2. Cryptographic Misuse
const cryptoPatterns = [
/crypto\.createCipher/,
/crypto\.createDecipher/,
/md5/,
/sha1/,
/DES\.encrypt/
];
// 3. Code Injection
const injectionPatterns = [
/eval\s*\(/,
/new Function\s*\(/,
/exec\s*\(/,
/execSync\s*\(/,
/spawn\s*\([^)]*shell\s*:\s*true/,
/child_process.*shell\s*:\s*true/
];Medium Severity Patterns
// 1. Missing Security Headers
const missingHeaders = [
'Content-Security-Policy',
'X-Content-Type-Options',
'X-Frame-Options',
'Strict-Transport-Security'
];
// 2. Weak CSP
const weakCSPPatterns = [
/'unsafe-inline'.*script-src/,
/script-src.*'unsafe-eval'/,
/\*\.example\.com/, // Wildcard too broad
/\*\s+script-src/
];
// 3. XSS Vulnerabilities
const xssPatterns = [
/dangerouslySetInnerHTML=\{\{/,
/\.innerHTML\s*=\s*.*\+/,
/document\.write\s*\(/,
/eval\s*\(.*\$/
];7. Risk Scoring
CVSS-like Scoring
┌─────────────────────────────────────────────────────────────────────┐
│ Vulnerability Risk Scoring │
├─────────────────────────────────────────────────────────────────────┤
│ │
│ Severity Levels: │
│ │
│ Critical (9-10): │
│ • Stored XSS with session hijacking │
│ • Authentication bypass │
│ • Remote code execution │
│ • Sensitive data exposure (passwords, keys) │
│ │
│ High (7-8.9): │
│ • Reflected XSS │
│ • IDOR for sensitive data │
│ • CSRF for state-changing operations │
│ • Weak crypto implementation │
│ │
│ Medium (4-6.9): │
│ • DOM XSS │
│ • Missing security headers │
│ • Insufficient rate limiting │
│ • Information disclosure │
│ │
│ Low (0.1-3.9): │
│ • Missing X-Frame-Options (clickjacking risk) │
│ • Console log leakage (low impact) │
│ • Deprecated features │
│ │
└─────────────────────────────────────────────────────────────────────┘
Risk Calculation Matrix
| Impact | Exploitability | Remediation Effort | Score |
|---|---|---|---|
| High | Easy | Quick | Critical |
| High | Moderate | Moderate | High |
| High | Hard | Complex | Medium |
| Medium | Easy | Quick | High |
| Medium | Moderate | Moderate | Medium |
| Medium | Hard | Complex | Low |
| Low | Any | Any | Low |
Exploitability Factors
const exploitabilityFactors = {
attackVector: {
network: 0.85, // Can be exploited remotely
adjacent: 0.55, // Requires network proximity
local: 0.20, // Requires local access
physical: 0.10 // Requires physical access
},
attackComplexity: {
low: 0.77, // No special conditions
high: 0.44 // Requires special conditions
},
privilegesRequired: {
none: 0.85, // No privileges needed
low: 0.62, // Basic user privileges
high: 0.27 // Admin privileges needed
},
userInteraction: {
none: 0.85, // No user action needed
required: 0.62 // User must perform action
}
};
// Calculate base score
function calculateExploitability(factors) {
return factors.attackVector *
factors.attackComplexity *
factors.privilegesRequired *
factors.userInteraction;
}