DEF_01/ Mitigation Hub

Defense Center

Vulnerable vs secure code, side by side, for every attack — plus a security headers reference and per-language secure-coding checklists.

SQL Injection

A03
Vulnerable
db.query(
  `SELECT * FROM users
   WHERE name='${name}'`);
Secure
db.query(
  'SELECT * FROM users WHERE name=$1',
  [name]);
  • String concatenation → parameter binding
  • Driver sends query + values separately
  • Quotes / comments inside `name` lose their meaning

Cross-Site Scripting (XSS)

Vulnerable
el.innerHTML = userInput;
Secure
el.textContent = userInput;
// or React: <div>{userInput}</div>
// or DOMPurify.sanitize(html)
  • innerHTML (HTML sink) → textContent (text sink)
  • Output encoding chosen by the rendering context
  • Add CSP as a second layer

Cross-Site Request Forgery (CSRF)

Vulnerable
res.cookie('session', t);
app.post('/transfer', ...);
Secure
res.cookie('session', t, {
  httpOnly:true, secure:true,
  sameSite:'lax'
});
app.use(csurf());
  • Add SameSite=Lax (or Strict) to the session cookie
  • Require a per-session CSRF token on state-changing routes
  • Validate Origin / Referer on POSTs

Broken Access Control / IDOR

A01
Vulnerable
const o = db.orders.findById(
  req.params.id);
res.json(o);
Secure
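const o = db.orders.findById(req.params.id);
// unknown id: stop before reading o.userId
if (!o) return res.sendStatus(404);
// only the owner or an admin may read the order
if (o.userId !== req.user.id
    && !req.user.isAdmin)
  return res.sendStatus(403);
res.json(o);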
  • Add an ownership check on every record fetch
  • Default-deny: unknown actor → 403
  • Server-side role check — never trust the client

Command Injection

A03
Vulnerable
exec(`ping -c 4 ${host}`)
Secure
// validate host first; the first character must be
// alphanumeric so the value cannot be parsed as an option
if (!/^[a-z0-9][a-z0-9.-]*$/i.test(host))
  throw 400;
execFile('ping', ['-c','4', host])
  • exec (shell string) → execFile (argv array)
  • No /bin/sh involvement; metachars stay literal
  • Strict allow-list for the hostname

Insecure File Upload

A04
Vulnerable
if (name.endsWith('.jpg'))
  fs.rename(tmp, '/uploads/'+name);
Secure
// detect the type from the file content, not the client-supplied name
const t = await fileTypeFromBuffer(buf);
if (!ALLOW.has(t?.mime)) throw 415;
const name = randomUUID() + '.' + t.ext;
await writeFile(OFF_WEBROOT + name, buf);
  • Sniff magic bytes, ignore declared MIME / extension
  • Rename to UUID + canonical extension
  • Store outside the web root; serve via handler

JWT Manipulation

A08
Vulnerable
jwt.verify(t, S, {
  algorithms: ['HS256','none']
});
Secure
jwt.verify(t, S, {
  algorithms: ['HS256'],
  issuer: 'auth.app',
  audience: 'api.app',
});
  • Remove 'none' — never accept unsigned tokens
  • Pin the exact algorithm
  • Verify iss/aud/exp/iat

Security headers checker

Content-Security-Policy
default-src 'self'; script-src 'self' 'nonce-xyz'

Cross-site scripting (XSS) — restricts where scripts can load/execute.

Strict-Transport-Security
max-age=63072000; includeSubDomains; preload

Protocol downgrade and TLS-stripping MITM.

X-Frame-Options
DENY

Clickjacking via <iframe> embedding.

X-Content-Type-Options
nosniff

MIME-sniffing attacks (e.g. an uploaded txt being run as JS).

Referrer-Policy
strict-origin-when-cross-origin

Leaking sensitive paths in the Referer header.

Permissions-Policy
geolocation=(), camera=()

Abuse of powerful browser APIs by third-party code.
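
As an added example (not part of the original page or its checker), the JavaScript below audits a response's headers against the reference values listed above and reports what is missing or weak. The names `auditHeaders`, `directive` and `CHECKS`, the one-year HSTS minimum and the sample headers are assumptions made for this example.

```javascript
const MIN_HSTS_AGE = 31536000; // assumption: one year is the lowest max-age accepted

// Return the source list of one CSP directive, or null when it is absent.
function directive(csp, name) {
  for (const part of csp.split(';')) {
    const [key, ...sources] = part.trim().split(/\s+/);
    if (key.toLowerCase() === name) return sources;
  }
  return null;
}

// Each check returns null when the value is acceptable, else a short reason.
const CHECKS = {
  'content-security-policy': (v) => {
    const src = directive(v, 'script-src') ?? directive(v, 'default-src');
    if (!src) return 'no script-src or default-src';
    const pinned = src.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
    if (src.includes("'unsafe-inline'") && !pinned) return "scripts allow 'unsafe-inline'";
    return src.includes('*') ? 'scripts allowed from any origin' : null;
  },
  'strict-transport-security': (v) => {
    const m = /max-age="?(\d+)/i.exec(v);
    if (!m) return 'no max-age';
    return Number(m[1]) >= MIN_HSTS_AGE ? null : `max-age ${m[1]} is below ${MIN_HSTS_AGE}`;
  },
  'x-frame-options': (v) => (/^(deny|sameorigin)$/i.test(v.trim()) ? null : 'not DENY or SAMEORIGIN'),
  'x-content-type-options': (v) => (/^nosniff$/i.test(v.trim()) ? null : 'not nosniff'),
  'referrer-policy': (v) => (/^(unsafe-url|no-referrer-when-downgrade)$/i.test(v.split(',').pop().trim())
    ? 'full URL is sent cross-origin' : null),
  'permissions-policy': () => null, // presence only; which features to disable is app-specific
};

function auditHeaders(headers) {
  const seen = new Map(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)]));
  const findings = [];
  for (const [name, check] of Object.entries(CHECKS)) {
    const problem = seen.has(name) ? check(seen.get(name)) : 'missing';
    if (problem) findings.push(`${name}: ${problem}`);
  }
  return findings;
}

// Constructed sample response headers (not captured from a real site).
const WEAK = {
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-inline'",
  'Strict-Transport-Security': 'max-age=300',
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'unsafe-url',
};
console.log(auditHeaders(WEAK).join('\n'));
```

Header names are matched case-insensitively, so the object can come straight from a Node response (`res.headers`) or be built from a `fetch` response's header entries.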

Secure-coding checklist