Skip to content

Instantly share code, notes, and snippets.

@mnutt
Created May 6, 2019 21:54
Show Gist options
  • Save mnutt/e58c718703b5bebde05998a581e2e67a to your computer and use it in GitHub Desktop.
Save mnutt/e58c718703b5bebde05998a581e2e67a to your computer and use it in GitHub Desktop.

Some HTML attack vectors (not all)

POST/PUT/DELETE/PATCH actions

  • via XHR
    • sends user's cookies
    • cross-origin restrictions protect against malicious sites, unless you have bad CORS settings
  • via form
    • sends user's cookies
    • need to protect with csrf token
    • or you can prevent form POST entirely with x-requested-with request header check
      • since non-XHR requests cannot manipulate arbitrary request headers

GET actions

  • via XHR
    • sends user's cookies
    • cross-origin restrictions protect, unless you have bad CORS settings
  • via script load
    • browser will make the GET request, but malicious site probably can't read the response
      • don't allow destructive/modifying actions with GET
    • shouldn't return sensitive data as application/javascript
    • some people include for(;;) at the top of their responses to prevent super old browsers from running json
      • we probably don't care about these super old browsers
  • via iframe load
    • cross-origin restrictions protect against malicious site reading iframe contents
    • still a clickjacking concern
      • mitigate with X-Frame-Options
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment