https://www.secdev.uk/blog/tags/cwe-79/ Recent content in CWE-79 on guy@secdev.uk Hugo en-gb Guy Dixon | guy@secdev.uk Sat, 22 Nov 2025 00:00:00 +0000 https://www.secdev.uk/blog/technology/2025-11-22-javascript-security-prototype-pollution/ Sat, 22 Nov 2025 00:00:00 +0000 https://www.secdev.uk/blog/technology/2025-11-22-javascript-security-prototype-pollution/ <p>JavaScript is the one language I can never escape, it&rsquo;s on both sides of the web. In the browser it handles user interaction and DOM manipulation, and on the server Node.js powers APIs, microservices, and build tools. This dual nature creates an attack surface that&rsquo;s uniquely challenging to secure. Browser-side JavaScript faces XSS, DOM clobbering, and postMessage abuse. Server-side JavaScript faces prototype pollution, dependency confusion, ReDoS, and the vast npm ecosystem where a single malicious package can compromise thousands of applications. In this post, I want to walk through the JavaScript-specific anti-patterns that keep coming up, from the prototype chain manipulation that poisons every object in the runtime to the regex that freezes your server.</p> https://www.secdev.uk/blog/technology/2025-02-01-xss-is-not-just-a-javascript-problem/ Sat, 01 Feb 2025 00:00:00 +0000 https://www.secdev.uk/blog/technology/2025-02-01-xss-is-not-just-a-javascript-problem/ <p>Cross-site scripting gets framed as a front-end problem a lot, something that happens in JavaScript and gets fixed with JavaScript. But the more I dug into this, the clearer it became that XSS vulnerabilities almost always originate on the server side, in whatever language is generating the HTML. I&rsquo;ve found XSS in Python templates, Java JSPs, Go&rsquo;s <code>html/template</code> misuse, Rust web frameworks, and server-rendered JavaScript. The language you write your backend in determines which XSS patterns you&rsquo;ll run into and which ones will sneak past your review.</p>