5
kiki
288d

“httpOnly cookies prevent XSS attacks”… wow.
As if not being able to get your cookies is going to stop me from doing bad things.

When I'm in via XSS, it's over. I'm changing the page content to your sign-in form with “please sign in again” notice, but it sends email/password straight to me. What percentage of users is going to enter their data? What do you think? With password managers prefilling data, and the annoyance being one “enter” hit away, I think a lot of users will fall for that. No one, including you, will be able to tell the difference without devTools.
You can rotate the session token, but good luck rotating the user's password.

Oh, did I tell you I could register a service worker using XSS that will be running in background FOREVER?

But don't listen to me. Don't think. Just use httpOnly and hope for the best. After all, your favorite dev youtuber said they could protect you from XSS.

Comments
  • 2
    Apparently, MS Teams executed incoming messages as Angular templates directly for the longest time, and each time a vulnerability was discovered the solution was to add a few regexes to the message validator.

    XSS is a command injection vulnerability, like SQL injection. The main way you can get one is if you try to avoid using a parser or serializer, and the only way to fix it is to use a parser and serializer.
  • 3
    @lorentz translation: innerText good, innerHTML bad
  • 2
    @kiki not a direct translation. More like “remember kids, eval is always evil”
  • 3
    you can't just register an arbitrary service worker
    Need to upload a file, have it served as application/javascript and it's only valid for subdirectories
    Doubt you can upload to the websites root dir
Add Comment