comments (not for humans)
After working on retire.js I decided to take it for a real test run. I setup a node script with phantomjs and scanned the landing page of 150,000 Norwegian domains. These are the results. You will find that a lot of sites are using really old versions of libraries with known vulnerabilities (red means the library has known vulnerabilities). I think this supports the idea that most sites have the jQuery version that was available when the site was first made. Oh, and using a vulnerable library does not necessarily mean the site is vulnerable, but it might be.
[...]

The 9th item on the OWASP Top 10 is A9 - Insufficient Transport Layer Protection. This is mostly a browser to server and server to server issue.


[...]

This post describes how OWASP Top 10 - A7: Insecure Cryptographic Storage affects javascript applications. This is a wide category which covers a lot more than this blog post. I'll try to focus on the aspects that often occur in applications that rely heavily on JavaScript.


[...]

This post describes how OWASP Top 10 - A6: Security Miconfiguration affects javascript applications. This is a wide category which covers a lot more than this blog post. I'll try to focus on the aspects that often occur in applications that rely heavily on JavaScript.


[...]
How do A4 - Insecure Direct Object References apply to Javascript? Well, it all depends on how the system was formed, but this is very likely to become a problem in pure JavaScript apps. Read on for an explanation of why.
[...]

In this post I'll describe how OWASP Top 10: A3 - Broken Authentication and Session Management applies to javascript based applications. Problems around broken authentication and session management can happen for a number of reasons. The end result is the same. The attacker is somehow able to log in as another user, and get hold of content which the user should not have access too.


[...]

The OWASP Top 10 is a risk focused list of the top 10 most critical web application security risk.


[...]
"So now that you've seen how contexts are important when mitigating XSS, I'll give you a new example", David said. "Take a look at the following example from a social networking web site".
[...]
"That does not mean, however, that blocking < and > when ouputting user data in javascript isn't necessary", David said.
[...]