XSS defense in depth | Egor Homakov

XSS problem
For example, this is a script-less XSS (in Rails, jquery_ujs turns the click into a DELETE request, and it attaches the page's own CSRF token to that request, so the token does not protect against it):

<a data-remote=true data-method=delete href=/delete_account>CLICK</a>

It can happen either on page load (normal XSS) or at run time (DOM XSS). Once a payload has been injected there is no safe place from it on the whole origin: any CSRF token is readable, and any page content on site.com/* is accessible.
XSS is often found in static pages, *.swf files, Adobe *.pdf bugs and so on. It happens, and there is no guarantee you will never have it.
You can reduce the damage.

Assuming there is a GET+POST /update_password endpoint, wouldn't it look like a good idea to deny all requests to POST /update_password that come from pages other than GET /update_password?
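The check proposed above, written out as an added example (this is not code from the post or from Rails): a Rack-style middleware that lets POST /update_password through only when the browser's Referer points at GET /update_password on the same host. The class name PageReferrerGuard, the host site.com and the /update_password paths are assumptions for illustration; everything else is Ruby standard library, so it runs without Rails.

```ruby
# Added example, not code from the original post. A Referer-based guard that
# only lets POST /update_password through when the request was submitted from
# the GET /update_password page of the same host. Written as a plain Rack-style
# middleware so it runs without Rails; the class name, host and paths are
# assumptions for illustration.
require 'uri'

class PageReferrerGuard
  # Protected (method, path) => the only page that may submit to it.
  RULES = {
    ['POST', '/update_password'] => '/update_password'
  }.freeze

  def initialize(app, host:)
    @app  = app
    @host = host
  end

  # Decide whether a request may proceed. Returns true for unprotected
  # endpoints; for protected ones the Referer must be an http(s) URL whose
  # host and path match the allowed source page exactly (query string is
  # ignored). A missing or unparsable Referer fails closed.
  def self.allowed?(method, path, referer, host:)
    source = RULES[[method.to_s.upcase, path]]
    return true if source.nil?
    return false if referer.nil? || referer.strip.empty?

    uri = URI.parse(referer)
    return false unless uri.is_a?(URI::HTTP) # rejects javascript:, data:, relative refs

    uri.host == host && uri.path == source
  rescue URI::InvalidURIError
    false
  end

  # Rack entry point: 403 when the guard denies, otherwise pass through.
  def call(env)
    ok = self.class.allowed?(env['REQUEST_METHOD'], env['PATH_INFO'],
                             env['HTTP_REFERER'], host: @host)
    return [403, { 'content-type' => 'text/plain' }, ['Forbidden']] unless ok

    @app.call(env)
  end
end

# Constructed requests, for running this file directly.
if __FILE__ == $PROGRAM_NAME
  app   = ->(_env) { [200, { 'content-type' => 'text/plain' }, ['ok']] }
  guard = PageReferrerGuard.new(app, host: 'site.com')
  [
    'https://site.com/update_password',     # submitted from the password page
    'https://site.com/profile',             # submitted from another page on the origin
    'https://evil.example/update_password', # same path, wrong host
    nil                                     # no Referer at all
  ].each do |ref|
    env = { 'REQUEST_METHOD' => 'POST', 'PATH_INFO' => '/update_password',
            'HTTP_REFERER' => ref }
    puts "Referer=#{ref.inspect} -> #{guard.call(env).first}"
  end
end
```

Two things to keep in mind when reading this. First, the guard fails closed: a browser that strips the Referer (for example under a strict Referrer-Policy) gets a 403, which is the safer default for a password change but has to be planned for. Second, the check only narrows where an injected script must be running: as the post says, a payload on the origin has no safe place left, and a script on any site.com page can open GET /update_password itself and submit from there with a matching Referer, so this is one layer of damage reduction, not a replacement for fixing the XSS.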