If the user is only looking at his own data - is there an XSS risk?

If my site only allows users to view their own data, and that data will never be transferred to other users (i.e. there are no general “messages”, etc.), is there an XSS risk on my site?

I will continue to work on XSS solutions (e.g. htmlspecialchars(), etc.), but I'm curious if an attacker can get anything by looking at his own XSS attack?

+3
3 answers

An attacker cannot gain anything by using cross-site scripting methods for himself. The purpose of cross-site scripting is to manipulate page elements that are displayed to the user in a malicious way, whether phishing or reading a cookie. In other words, an attack can only affect objects on the client side.

However, it’s important to remember what “a user ever looking at his own data” means.

Suppose I have a website where users can have their own profile, accessible only to themselves. The page has a text input element that allows users to enter the URL of their website. Now suppose the user profile update form uses GET.

A page refresh message might look like this:

http://www.example.com/privateprofile.pl?action=update&userwebpage=http://www.example.net

, URL-:

http://www.example.com/privateprofile.pl?action=update&userwebpage=[malicious_js_code_here]

, , , , . , , XSS . , XSS .

+6
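
The scenario in the answer above, as an added example that is not part of the original answers: a Python sketch of the private profile page that renders the `userwebpage` parameter first unescaped and then with URL validation plus output escaping, with `html.escape` playing the role the question gives to `htmlspecialchars()`. The function names, the query strings and the `marker()` payload are constructed for illustration.

```python
import html
from urllib.parse import parse_qs, urlsplit

ALLOWED_SCHEMES = {"http", "https"}
PLACEHOLDER = "<span>(no valid website set)</span>"

# Constructed sample query strings (not taken from the original page).
BENIGN = "action=update&userwebpage=http://www.example.net"
CRAFTED = "action=update&userwebpage=%22%3E%3Cscript%3Emarker()%3C/script%3E"
JS_SCHEME = "action=update&userwebpage=javascript:marker()"
QUOTE_IN_URL = "action=update&userwebpage=http://www.example.net/%22%20onmouseover=%22marker()"


def get_param(query_string, name):
    """Return the first decoded value of a query parameter, or ''."""
    return parse_qs(query_string, keep_blank_values=True).get(name, [""])[0]


def render_unsafe(query_string):
    """Before: the parameter is copied into the markup unescaped."""
    page = get_param(query_string, "userwebpage")
    return '<a href="' + page + '">' + page + "</a>"


def is_safe_web_url(value):
    """Accept only absolute http(s) URLs that name a host."""
    try:
        parts = urlsplit(value)
    except ValueError:
        return False
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.netloc)


def render_safe(query_string):
    """After: validate the scheme, then HTML-escape on output."""
    page = get_param(query_string, "userwebpage").strip()
    if not is_safe_web_url(page):
        return PLACEHOLDER
    # Escaping is still required: a valid http URL may carry quotes.
    escaped = html.escape(page, quote=True)
    return '<a href="' + escaped + '">' + escaped + "</a>"


if __name__ == "__main__":
    for qs in (BENIGN, CRAFTED, JS_SCHEME, QUOTE_IN_URL):
        print("unsafe:", render_unsafe(qs))
        print("safe:  ", render_safe(qs))
```

Because the value arrives in the URL, whoever opens a crafted link supplies it, so the "only the owner sees it" assumption does not hold for the unescaped version.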

, , . XSS , , . , , XSS.

+1

Yes, this does not protect you at all. This is a normal scenario. You must bear in mind that if a hacker can install XSS on your website using a URL, then convince someone else to open this URL, then your user data (cookies, passwords, etc.) may be stolen.

+1