Some HTML attack vectors (not all)

POST/PUT/DELETE/PATCH actions

  • via XHR
    • sends user's cookies
    • cross-origin restrictions protect against malicious sites, unless you have bad CORS settings
  • via form
    • sends user's cookies
    • need to protect with a CSRF token
    • or you can block form POSTs entirely by requiring an X-Requested-With request header
      • since non-XHR requests (e.g. a plain HTML form) cannot set arbitrary request headers

GET actions

  • via XHR
    • sends user's cookies
    • cross-origin restrictions protect, unless you have bad CORS settings
  • via script load
    • browser will make the GET request (with cookies), but the malicious site probably can't read the response unless it parses as JavaScript
      • don't allow destructive/modifying actions with GET
    • shouldn't return sensitive data as application/javascript
    • some people include for(;;) at the top of their responses to prevent super old browsers from running json
      • we probably don't care about these super old browsers
  • via iframe load
    • cross-origin restrictions protect against malicious site reading iframe contents
    • still a clickjacking concern
      • mitigate with X-Frame-Options
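
The checks above, pulled together into a small server-side gate. This is an added example, not code from the gist: a state-changing request is accepted only if it carries the X-Requested-With header (which a cross-site form cannot set) or a CSRF token matching the one stored in the session, modifying actions over GET are refused outright, and JSON responses go out as application/json with X-Frame-Options set. Function names, the `csrf_token` form field name and the header dicts are assumptions of this example; X-Content-Type-Options is an extra header not mentioned in the notes.

```python
import hmac
import secrets

# Methods that change state. They must never be reachable via a plain GET
# (script/img/iframe loads are GETs), and must prove the request came from
# our own page rather than a foreign <form>.
STATE_CHANGING = {"POST", "PUT", "DELETE", "PATCH"}


def new_csrf_token() -> str:
    """Per-session CSRF token to embed in forms as a hidden field (assumed name: csrf_token)."""
    return secrets.token_urlsafe(32)


def is_authorized_state_change(method, headers, form, session_token):
    """Return (allowed, reason) for a state-changing request.

    Two acceptable proofs, mirroring the notes:
      1. X-Requested-With: XMLHttpRequest, a custom header only XHR/fetch can
         set; cross-origin XHR is blocked by the browser unless CORS opts in.
      2. A csrf_token form field equal to the token stored in the user's session.
    """
    method = method.upper()
    if method not in STATE_CHANGING:
        return False, "modifying actions are not allowed over GET"

    # Header names are case-insensitive; normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    if lowered.get("x-requested-with") == "XMLHttpRequest":
        return True, "xhr header present"

    submitted = form.get("csrf_token", "")
    # Constant-time comparison so token checks do not leak timing information.
    if session_token and hmac.compare_digest(submitted, session_token):
        return True, "csrf token matched"

    return False, "missing X-Requested-With and no valid csrf token"


def response_headers_for_json():
    """Headers for a data response: never serve data as application/javascript,
    and refuse framing to mitigate clickjacking."""
    return {
        "Content-Type": "application/json; charset=utf-8",
        "X-Frame-Options": "DENY",
        # Not in the original notes: stops browsers sniffing JSON into a script.
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    # Constructed sample requests, as a handler framework would pass them in.
    token = new_csrf_token()
    samples = [
        ("GET", {}, {}, token),                                   # denied: GET
        ("POST", {"X-Requested-With": "XMLHttpRequest"}, {}, token),  # allowed: XHR
        ("POST", {}, {"csrf_token": token}, token),               # allowed: token
        ("POST", {}, {}, token),                                  # denied: plain form
    ]
    for method, headers, form, sess in samples:
        print(method, is_authorized_state_change(method, headers, form, sess))
    print(response_headers_for_json())
```

Wire `is_authorized_state_change` in front of every state-changing route and `response_headers_for_json` onto every data endpoint; the X-Requested-With path is enough on its own only if your CORS configuration does not allow arbitrary origins to send that header.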