40 Matching Annotations
- Oct 2023
-
research.securitum.com research.securitum.com
- Aug 2023
-
Tags
Annotators
URL
-
-
cheatsheetseries.owasp.org cheatsheetseries.owasp.org
-
developer.mozilla.org developer.mozilla.org
- Mar 2023
-
-
Pitfall #1: Server-Side Rendering Attacker-Controlled Initial State
```html
<script>window.__STATE__ = ${JSON.stringify({ data })}</script>```
-
Pitfall #3: Misunderstanding What it Means to Dangerously Set
-
Pitfall #2: Sneaky Links
```html
<div>data:text/html, click me</div>```
-
-
-
thomasnguyen.site thomasnguyen.site
-
One option is to use the serialize-javascript NPM module to escape the rendered JSON.
html { username: "pwned", bio: "</script><script>alert('XSS Vulnerability!')</script>" } -
This is risky because JSON.stringify() will blindly turn any data you give it into a string (so long as it is valid JSON) which will be rendered in the page. If { data } has fields that un-trusted users can edit like usernames or bios, they can inject something like this:
json { username: "pwned", bio: "</script><script>alert('XSS Vulnerability!')</script>" } -
Sometimes when we render initial state, we dangerously generate a document variable from a JSON string. Vulnerable code looks like this:
```html
<script>window.__STATE__ = ${JSON.stringify({ data })}</script>```
-
Server-side rendering attacker-controlled initial state
-
-
www.youtube.com www.youtube.com
-
frederik-braun.com frederik-braun.com
- Dec 2022
-
cheatsheetseries.owasp.org cheatsheetseries.owasp.org
-
blog.ropnop.com blog.ropnop.com
Tags
Annotators
URL
-
-
security.stackexchange.com security.stackexchange.com
- Aug 2022
-
tech.meituan.com tech.meituan.com
-
攻击者提交恶意代码。
Tags
Annotators
URL
-
-
www.google.com www.google.com
-
通过利用网页开发时留下的漏洞,通过巧妙的方法注入恶意指令代码到网页,使用户加载并执行攻击者恶意制造的网页程序
-
-
cheatsheetseries.owasp.org cheatsheetseries.owasp.org
- Jun 2022
-
github.com github.com
-
DOMPurify - a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG
Tags
Annotators
URL
-
- Jun 2021
-
disqus.com disqus.com
-
In short: storing the token in HttpOnly cookies mitigates XSS being used to get the token, but opens you up to CSRF, while the reverse is true for storing the token in localStorage.
-
-
cheatsheetseries.owasp.org cheatsheetseries.owasp.org
-
Remember that any Cross-Site Scripting (XSS) can be used to defeat all CSRF mitigation techniques!
-
-
pragmaticstudio.com pragmaticstudio.com
-
That means if an attacker can inject some JavaScript code that runs on the web app’s domain, they can steal all the data in localStorage. The same is true for any third-party JavaScript libraries used by the web app. Indeed, any sensitive data stored in localStorage can be compromised by JavaScript. In particular, if an attacker is able to snag an API token, then they can access the API masquerading as an authenticated user.
-
But there’s a drawback that I didn’t like about this option: localStorage is vulnerable to Cross-site Scripting (XSS) attacks.
-
- May 2021
-
-
the majority of XSS attacks target theft of session cookies. A server could help mitigate this issue by setting the HttpOnly flag on a cookie it creates, indicating the cookie should not be accessible on the client.
-
-
en.wikipedia.org en.wikipedia.org
-
Cross-site scripting (XSS) vulnerabilities (even in other applications running on the same domain) allow attackers to bypass essentially all CSRF preventions.
-
- Feb 2021
-
stackoverflow.com stackoverflow.com
-
IFRAME element may be a security risk if any page on your site contains an XSS vulnerability which can be exploited
-
- Dec 2020
-
github.com github.com
-
${JSON.stringify(state)}
-
XSS mitigation
-
- Oct 2020
- May 2020
- Nov 2018
-
zh.wikipedia.org zh.wikipedia.org
-
跟跨网站脚本(XSS)相比,XSS 利用的是用户对指定网站的信任,CSRF 利用的是网站对用户网页浏览器的信任。
XSS 是对客户端的攻击
CSRF 是对服务端的攻击
-
- Oct 2018
-
scotthelme.co.uk scotthelme.co.uk
Tags
Annotators
URL
-