[talk] Browser Abuse.

firecrow silvernight fire at firecrow.com
Wed Oct 12 12:14:15 EDT 2016



-- 
  firecrow silvernight
  fire at firecrow.com

On Wed, Oct 12, 2016, at 11:59 AM, Pete Wright wrote:
> 
> 
> On 10/12/16 1:24 AM, Sujit K M wrote:
> >> Is there a specific applied security case you are trying to handle?
> >
> > I was more interested with problems like SQL Injection for that matter
> > even an XSS Hack with respect to Ajax.
> >
> 
> while browsers are certainly a great attack vector - i still think a 
> majority of the issues that arise are due to poorly implemented server 
> and client-side code.  That would certainly seem to be the case for 
> XSS/SQL Injection/Auth attacks.
> 
> It's not clear to me that a majority of the javascript and front-end 
> dev's out there fully understand the security implications of the code 
> they are writing.  while it's easy to say "ah shitty javascript is 
> shitty" - i think there is more than enough blame for w3c standards and 
> how browsers and platforms are still pretty incompatible.
It's true, the easiest attack vector, is to use javascript to read a
session cookie, and then include that cookie in the url of an inserted
image src attribute, thus passing the cookie value to whatever host the
image lives on.

this can be avoided if the server sets the cookie to not be javascript
accessible, but it's true not all web devs understand the necessity of
such a thing
http://stackoverflow.com/a/11924457/80479

~fire
fire at firecrow.com
> 
> so i reckon security usually falls off the table when they have to burn 
> cycles still messing around with trying to get UI's consistent b/w 
> browsers and platforms.
> 
> -pete
> 
> 
> -- 
> Pete Wright
> pete at nomadlogic.org
> nomadlogicLA
> 
> _______________________________________________
> talk mailing list
> talk at lists.nycbug.org
> http://lists.nycbug.org/mailman/listinfo/talk




More information about the talk mailing list