Top 12 hacker tips to secure your SPA from Crowdsource

April 1, 2021

In 2020, the pandemic took us by surprise, and yet we continue to see SPAs strongly trending even now into 2021. Reports show that more SPAs are launching onto the market and that their maintenance requirements are complex. It’s important to secure your SPA and not let it lag behind.

Detectify Crowdsource is our private ethical hacker community that security tests applications, recently with more emphasis on securing SPAs to help Detectify customers stay safe. They are familiar with the latest techniques used to exploit the client side, and if such weaknesses are left unattended, they can destroy user trust and the reputation of a business.

“SPAs are trending today and much of it is based on the business’ ability to act quickly and deliver a quality experience to keep people’s attention. Long loading times or worse – down-times and delays – can get you into hot water if they start to affect your revenue. You need to be able to deliver and secure fast to keep your head above the water.

A secure SPA needs to be top of the agenda. They’re the frontline experience between your business model and your customers. Without basic security practices, even the most modernly built SPA can get into troubled waters with visits from opportunistic bad actors” – Carolin Solskär, Crowdsource Community Manager at Detectify

We asked the Detectify Crowdsource community to share some of their top-paying tips. Here’s a SPA security checklist that every SPA developer or tester should know when it comes to securing SPAs:

12. madrobot: Assign every visitor a unique token to keep out unauthenticated (and creepy) guests from entering your SPA.

11. jbono: No company secrets or internal meetings are allowed in the JS (Jacuzzi and Sauna center). You never know who is listening in.

10. InsiderPhD: When testing SPAs make sure all the staff rooms have locks on the doors, otherwise anyone could get in and see sensitive information about your treatments.

9. JR0ch17: Embers can cause big fires in a SPA, and instead, you need to React fast and leave.

8. Ozgur: Include OWASP training for all. Every employee should know how different Oil, Water, Acid, Salt or Pressure levels lead to pest infestations.
7. TomNomNom: Make heavy use of the API (Aromatherapy Pampering Installation).

6. gehaxelt: We strongly recommend opting for HSTS (the Hot Stone Treatment Service). This keeps the users happy.

5. streaak: Watch out for the man in the middle, and ensure all HTTP (HydroTherapy Treatment Plan) requests are made using a secure connection.

4. p4fg: To maintain the privacy of your guests, provide salt masks at all times.

3. ZetaTwo: It’s very important to consider all your third-party dependencies since supply chain attacks could be a big concern. Make sure you source your scented candles and face masks from vetted providers to avoid potential disasters.

2. DhiyaneshDK: Make sure all connections to your SPA come from trusted sources. Hot goes to hot, cold goes to cold.

1. berg0x00: Make sure to properly secure your SOAP.

This SPA security checklist is tried, tested and true by our Detectify Crowdsource community. Before applying it, remember to check that you have the basics in place to get started:

“I decided to start looking into SPAs and how to hack them with this checklist. When I found my first vulnerability in a SPA, I immediately felt relaxed until I realized I forgot my towel. You really can’t secure yourself or the SPA without considering physical security!” – gehaxelt, a relaxed hacker.

And some bonus advice hacker-to-hacker from p4fg:

“The best way to hack a SPA is through a supply-chain attack; either through the suppliers of middleware, using a payload such as <BODY OIL=”..;”> or tricking the victim to visit what he/she thinks is a SPA, but really is our fake store-front disguised as a SPA.”

Happy April Fool’s Day!

If you are here because you’re also looking for security help for your Single Page Applications (SPAs), Detectify has you covered!

How can Detectify help?

Besides finding vulnerabilities in spas, Detectify Crowdsource ethical hackers also hunt for bugs in modern web applications like SPAs that affect technologies including Angular, Go, Nginx, React, npm, Drupal, Atlassian, Node.js, Laravel and more.

We collaborate to find the actual payloads used to successfully exploit web vulnerabilities, and build these into the Detectify vulnerability scanner. Our automated hacker testing goes beyond the OWASP Top 10 to help you stay on top of threats and find vulnerabilities in time.

Find out what hackers can see in your web apps with a free 2-week trial of Detectify today. Go hack yourself.
