Frontend & Browser

Client-side vulnerabilities — DOM XSS, stored XSS, PostMessage, clickjacking, iframes, SRI, open redirects, and sensitive data in URLs.

8 vulnerabilities

DOM-Based XSS

high

Attacker-controlled data read from a client-side source such as location.hash, location.search, document.referrer or window.name and written to the DOM through a parsing sink such as innerHTML, document.write or eval, so the script runs entirely in the browser; when the source is the URL fragment, the payload never reaches the server and is invisible to server-side filters and logs.

CWE-79 · A03:2021

Stored XSS

high

User-supplied content saved to the database without sanitization and later rendered as HTML without output encoding for the context it lands in (text node, attribute, URL), allowing persistent script injection that executes for every user who views the content.

CWE-79 · A03:2021
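
The two XSS entries above share one fix, so a single added example covers both. It is not code from the original page: the escapeHtml/safeHref helpers, the FakeElement stand-in for a DOM element (so it runs under Node), and the sampleHash and storedComment inputs are all constructed for illustration.

```javascript
// Added example, not from the original page. FakeElement models just enough of a
// DOM element to show the difference between a parsing sink (innerHTML) and a
// text sink (textContent); sampleHash and storedComment are constructed inputs.

// Output encoding for HTML text and quoted-attribute contexts. All five
// characters matter: quotes break out of attribute values, & defeats decoding.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Escaping does not neutralise "javascript:" inside an href; enforce the scheme.
function safeHref(raw) {
  try {
    const u = new URL(String(raw));
    return u.protocol === 'http:' || u.protocol === 'https:' ? u.href : '#';
  } catch (err) {
    return '#';
  }
}

// Stored XSS fix: the comment was saved verbatim, so encode on output, in every
// context the value is placed into (attribute, href and text node here).
function renderComment(comment) {
  return (
    `<div class="comment" data-author="${escapeHtml(comment.author)}">` +
    `<a href="${escapeHtml(safeHref(comment.website))}">${escapeHtml(comment.author)}</a>` +
    `<p>${escapeHtml(comment.body)}</p></div>`
  );
}

// Minimal DOM stand-in: innerHTML stores markup as-is; textContent stores a text
// node, which serialises with &, < and > escaped, as browsers do.
class FakeElement {
  constructor() { this.innerHTML = ''; }
  set textContent(text) {
    const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;' };
    this.innerHTML = String(text).replace(/[&<>]/g, (c) => map[c]);
  }
}

// DOM XSS: data from location.hash reaches innerHTML unchanged (vulnerable).
function renderGreetingUnsafe(el, hash) {
  el.innerHTML = 'Hello ' + decodeURIComponent(hash.slice(1));
  return el.innerHTML;
}

// Same feature with a non-parsing sink: the payload is displayed, not executed.
function renderGreetingSafe(el, hash) {
  el.textContent = 'Hello ' + decodeURIComponent(hash.slice(1));
  return el.innerHTML;
}

// Constructed inputs: a fragment carrying an onerror payload, and a stored
// comment that attacks the attribute, href and text contexts at once.
const sampleHash = '#%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E';
const storedComment = {
  author: 'mallory" onmouseover="alert(1)',
  website: 'javascript:alert(1)',
  body: '<script>steal()</script>',
};
```

renderGreetingUnsafe leaves `<img src=x onerror=alert(1)>` in the DOM, renderGreetingSafe leaves `&lt;img ...&gt;`, and renderComment keeps the stored payloads inert in all three contexts. In a real page the hash would come from `location.hash`, and a framework's auto-escaping templates replace the hand-written escapeHtml calls; the sink choice is the part that does not change.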

PostMessage Without Origin Verification

medium

window.addEventListener('message') handlers that process messages without checking event.origin against an exact allowlist, so any page that holds a reference to your window (an opener, or a page that frames you) can send commands to your handler; substring checks such as origin.includes('example.com') are bypassed by look-alike hosts.

CWE-346 · A01:2021
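
An added example of the receiving and sending sides of postMessage; it is not code from the original page. The allowedOrigins set, the commands table and the three constructed events are assumptions made for the demonstration, and the events are plain objects so it runs under Node.

```javascript
// Added example, not from the original page: an origin-checked message handler
// next to the vulnerable shape, plus a sender that refuses a wildcard target.

const allowedOrigins = new Set(['https://widget.example', 'https://app.example']);

// Commands the handler is willing to execute for a trusted sender.
const commands = {
  resize: (payload, state) => { state.height = Number(payload.height) || state.height; },
  close: (_payload, state) => { state.closed = true; },
};

// Vulnerable shape: no origin check; event.data drives a command directly.
function makeUnsafeHandler(state) {
  return (event) => {
    const cmd = commands[event.data.type];
    if (cmd) cmd(event.data, state);
  };
}

// Hardened shape: exact-match origin check (no startsWith/includes), then a
// shape check on the payload, then dispatch only to own properties of the
// command table. Returns true when the message was acted on.
function makeSafeHandler(state, origins = allowedOrigins) {
  return (event) => {
    if (!origins.has(event.origin)) return false;                 // foreign sender
    if (!event.data || typeof event.data !== 'object') return false;
    if (!Object.prototype.hasOwnProperty.call(commands, event.data.type)) return false;
    commands[event.data.type](event.data, state);
    return true;
  };
}

// Sending side: name the recipient origin so the browser drops the message if
// the target window has navigated elsewhere; '*' is never acceptable for
// anything sensitive.
function sendToFrame(targetWindow, data, targetOrigin) {
  if (targetOrigin === '*') throw new Error('refusing wildcard targetOrigin');
  targetWindow.postMessage(data, targetOrigin);
}

// Constructed events: one trusted sender, one attacker page, one look-alike host.
const trustedEvent = { origin: 'https://widget.example', data: { type: 'resize', height: 300 } };
const attackerEvent = { origin: 'https://evil.example', data: { type: 'close' } };
const lookalikeEvent = { origin: 'https://widget.example.evil.example', data: { type: 'close' } };
```

In the browser the handler is installed with `window.addEventListener('message', makeSafeHandler(state))`; the origin comparison is against the full scheme-host-port string the browser sets on event.origin, which is why an exact Set lookup is the right test.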

Advanced Clickjacking

medium

Absence of both the X-Frame-Options header and a CSP frame-ancestors directive, combined with no client-side frame-busting logic, leaving every page embeddable in an attacker's iframe. Frame-busting scripts on their own are not a control: an attacker iframe that carries sandbox="allow-scripts allow-forms" without allow-top-navigation stops the script from navigating the top window, so the response headers are the effective defence.

CWE-1021 · A05:2021
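
An added example, not from the original page, of evaluating a response's framing protection the way a scanner does and of emitting the header pair to set. The header objects below are constructed samples; the function names are assumptions.

```javascript
// Added example, not from the original page: assess framing headers and
// produce the recommended set. Input is a plain header-name -> value object.

// Pull the frame-ancestors source list out of a Content-Security-Policy value.
// Returns null when the directive is absent, [] when present but empty.
function frameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const parts = directive.trim().split(/\s+/);
    if (parts[0].toLowerCase() === 'frame-ancestors') {
      return parts.slice(1).map((s) => s.toLowerCase());
    }
  }
  return null;
}

// Returns { embeddable, by, reason }. A frame-ancestors directive takes
// precedence: browsers that support it ignore X-Frame-Options when it is set.
function assessFraming(headers) {
  const get = (name) => {
    const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
    return key ? headers[key] : undefined;
  };
  const fa = frameAncestors(get('content-security-policy'));
  if (fa) {
    if (fa.length === 0 || fa.includes("'none'")) {
      return { embeddable: false, by: [], reason: "frame-ancestors 'none'" };
    }
    return { embeddable: true, by: fa, reason: 'frame-ancestors allowlist' };
  }
  const xfo = (get('x-frame-options') || '').trim().toUpperCase();
  if (xfo === 'DENY') return { embeddable: false, by: [], reason: 'X-Frame-Options DENY' };
  if (xfo === 'SAMEORIGIN') return { embeddable: true, by: ["'self'"], reason: 'X-Frame-Options SAMEORIGIN' };
  if (xfo.startsWith('ALLOW-FROM')) {
    return { embeddable: true, by: ['*'], reason: 'ALLOW-FROM is unsupported by modern browsers; treated as no protection' };
  }
  return { embeddable: true, by: ['*'], reason: 'no framing headers' };
}

// Headers to add. CSP is the control; X-Frame-Options is the fallback for old
// browsers and can only express DENY or SAMEORIGIN, so a partner allowlist is
// carried by CSP alone. Frame-busting JavaScript is not a substitute.
function framingHeaders(allowedAncestors = []) {
  const list = allowedAncestors.length ? allowedAncestors.join(' ') : "'none'";
  return {
    'Content-Security-Policy': `frame-ancestors ${list}`,
    'X-Frame-Options': allowedAncestors.length ? 'SAMEORIGIN' : 'DENY',
  };
}
```

Run assessFraming over each HTML response your crawler captures; anything that comes back with `by: ['*']` is the finding described in this entry.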

Iframe Without Sandbox Attribute

medium

Third-party or user-generated content loaded in an iframe without the sandbox attribute, leaving the framed document free to run scripts, submit forms, open pop-ups and navigate the top-level page; if that content is served from your own origin it can also read the parent's cookies and DOM.

CWE-693 · A05:2021
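
An added example, not from the original page, of building the iframe tag for untrusted content with a least-privilege sandbox and refusing the token combination that silently removes it. The SANDBOX_TOKENS list, the helper name and the sample URLs are assumptions.

```javascript
// Added example, not from the original page: emit <iframe sandbox="..."> markup
// with only the permissions the caller asks for, and reject unsafe requests.

const SANDBOX_TOKENS = new Set([
  'allow-forms', 'allow-modals', 'allow-popups', 'allow-popups-to-escape-sandbox',
  'allow-presentation', 'allow-same-origin', 'allow-scripts', 'allow-top-navigation',
  'allow-top-navigation-by-user-activation', 'allow-downloads',
]);

// Attribute-context encoding so the src value cannot close the tag.
function attr(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Returns the <iframe> markup or throws.
// - The sandbox attribute is always present; sandbox="" is the minimum.
// - allow-same-origin together with allow-scripts on content from OUR origin
//   lets the framed document reach the parent (cookies, DOM) and remove its own
//   sandbox attribute, so that pair is rejected when src is same-origin.
// - allow-top-navigation lets the frame redirect the whole page; it needs an
//   explicit opt-in from the caller.
function sandboxedIframe(src, { permissions = [], parentOrigin, allowTopNavigation = false } = {}) {
  const url = new URL(src, parentOrigin);
  for (const p of permissions) {
    if (!SANDBOX_TOKENS.has(p)) throw new Error(`unknown sandbox token: ${p}`);
  }
  const perms = new Set(permissions);
  if (perms.has('allow-same-origin') && perms.has('allow-scripts') && url.origin === parentOrigin) {
    throw new Error('allow-same-origin + allow-scripts on same-origin content defeats the sandbox');
  }
  if (perms.has('allow-top-navigation') && !allowTopNavigation) {
    throw new Error('allow-top-navigation requires explicit opt-in');
  }
  const tokens = [...perms].sort().join(' ');
  return `<iframe src="${attr(url.href)}" sandbox="${tokens}" referrerpolicy="no-referrer"></iframe>`;
}

// Constructed calls: a third-party widget that needs scripts and forms, and a
// user-generated post served from the application's own origin.
const widgetTag = sandboxedIframe('https://cdn.thirdparty.example/widget.html', {
  permissions: ['allow-scripts', 'allow-forms'],
  parentOrigin: 'https://app.example',
});
const postTag = sandboxedIframe('/ugc/post/42', { parentOrigin: 'https://app.example' });
```

User-generated HTML is safest when it is also served from a separate origin (a dedicated sandbox domain), at which point allow-same-origin only grants that origin's own storage and still cannot touch the parent.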

Missing Subresource Integrity (SRI)

low

CDN-hosted scripts and stylesheets loaded without the integrity attribute (and the crossorigin attribute the hash check needs on cross-origin fetches), meaning a compromised CDN, or a modified file behind an unpinned URL, can serve malicious versions of your dependencies to every user.

CWE-353 · A08:2021

Client-Side Open Redirect

medium

JavaScript that redirects users (location.href, location.assign, window.open) to URLs taken from query parameters or URL fragments without checking that the target stays on your origin, enabling phishing that starts from your trusted domain; prefix checks such as startsWith('/') are not enough, because //evil.example and /\evil.example both pass them and both leave your site.

CWE-601 · A01:2021
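
An added example, not from the original page, of validating a redirect target taken from the query string: parse it with the WHATWG URL parser relative to your own origin and accept only a same-origin result. The appOrigin value and the parameter name are assumptions; the cases exercised are the ones listed in the entry above.

```javascript
// Added example, not from the original page. Node's global URL is the same
// WHATWG parser the browser uses, so the results below match what
// location.assign() would navigate to.

const appOrigin = 'https://app.example';  // assumed application origin

// Vulnerable shape: a prefix check. '//evil.example' and '/\evil.example'
// both start with '/' and both resolve to a foreign host.
function unsafeTarget(next) {
  return next && next.startsWith('/') ? next : '/';
}

// Returns an absolute same-origin URL to navigate to, or the fallback.
function safeRedirectTarget(next, origin = appOrigin, fallback = '/') {
  if (typeof next !== 'string' || next.length === 0) return fallback;
  let url;
  try {
    url = new URL(next, origin);           // relative paths resolve against us
  } catch (err) {
    return fallback;                       // unparseable input
  }
  // Scheme-relative (//evil), backslash (/\evil), userinfo tricks
  // (https://app.example@evil.example), look-alike hosts and non-http schemes
  // (javascript:, data:) all produce an origin that is not ours.
  if (url.origin !== origin) return fallback;
  return url.href;
}

// Constructed redirect parameters as they would arrive in ?next=...
const redirectCases = [
  '/account/settings',
  '//evil.example/login',
  '/\\evil.example',
  'https://app.example.evil.example/',
  'https://app.example@evil.example/',
  'javascript:alert(1)',
];
```

On the client this is `location.assign(safeRedirectTarget(new URLSearchParams(location.search).get('next')))`; the same function applies unchanged to a server-side Location header. A path allowlist is stricter still and is worth it when only a handful of post-login destinations exist.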

Sensitive Data in URL Query Strings

medium

Tokens, passwords, or sensitive identifiers passed as URL query parameters, where they are recorded in browser history, server and proxy logs, and the Referer header sent to third-party resources, and travel with any link the user copies or shares.

CWE-598 · A02:2021
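
An added example, not from the original page, of flagging sensitive parameters in a URL by key name and by value shape, as a log-review or proxy rule would, and redacting them before the URL is logged. The key list, the value patterns and the sample URLs are constructed for the demonstration.

```javascript
// Added example, not from the original page. SENSITIVE_KEYS and VALUE_PATTERNS
// are a starting list, not a complete one; extend them for your application.

const SENSITIVE_KEYS =
  /^(pass(word|wd)?|pwd|secret|token|access_token|refresh_token|id_token|api[_-]?key|apikey|session(_?id)?|sid|auth|authorization|otp|ssn|card(_?number)?|cvv)$/i;

const VALUE_PATTERNS = [
  { name: 'jwt', re: /^eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}$/ },
  { name: 'hex secret', re: /^[0-9a-f]{32,}$/i },
  { name: 'aws access key id', re: /^AKIA[0-9A-Z]{16}$/ },
];

// Returns [{ where, key, reason }] for every suspicious parameter.
function findSensitiveParams(urlString) {
  const url = new URL(urlString);
  const findings = [];
  const check = (where, params) => {
    for (const [key, value] of params) {
      if (SENSITIVE_KEYS.test(key)) {
        findings.push({ where, key, reason: 'sensitive key name' });
        continue;
      }
      const hit = VALUE_PATTERNS.find((p) => p.re.test(value));
      if (hit) findings.push({ where, key, reason: `value looks like ${hit.name}` });
    }
  };
  check('query', url.searchParams);
  // The fragment is not sent to the server or in Referer, but it sits in
  // browser history and in every copied link, so OAuth implicit-flow style
  // #access_token=... fragments are still reported.
  if (url.hash.length > 1) check('fragment', new URLSearchParams(url.hash.slice(1)));
  return findings;
}

// Redact before logging: keep the key so the log stays useful, drop the value.
function redactUrl(urlString) {
  const url = new URL(urlString);
  const flagged = findSensitiveParams(urlString);
  for (const f of flagged) {
    if (f.where === 'query') url.searchParams.set(f.key, 'REDACTED');
  }
  if (flagged.some((f) => f.where === 'fragment')) url.hash = '';
  return url.href;
}

// Constructed sample URLs as they might appear in an access log.
const resetUrl = 'https://app.example/reset?user=alice&token=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08&next=/home';
const implicitFlowUrl = 'https://app.example/cb#access_token=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.abcdefghijklmnop&state=xyz';
const benignUrl = 'https://app.example/search?q=shoes';
```

Moving the secret into a POST body, an Authorization header or a cookie removes it from history and Referer; a Referrer-Policy of strict-origin-when-cross-origin limits what leaks from the URLs that remain.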