Created May 6, 2019 21:54
mnutt created this gist May 6, 2019
# Some HTML attack vectors (not all)

## POST/PUT/DELETE/PATCH actions

- via XHR
  - sends user's cookies
  - cross-origin restrictions protect against malicious sites, unless you have bad CORS settings
- via form
  - sends user's cookies
  - need to protect with csrf token
  - or you can prevent form POST entirely with x-requested-with request header check
    - since non-XHR requests cannot manipulate arbitrary request headers

## GET actions

- via XHR
  - sends user's cookies
  - cross-origin restrictions protect, unless you have bad CORS settings
- via script load
  - browser will make the GET request, but malicious site probably can't read the response
  - don't allow destructive/modifying actions with GET
  - shouldn't return sensitive data as application/javascript
    - some people include `for(;;)` at the top of their responses to prevent super old browsers from running json
    - we probably don't care about these super old browsers
- via iframe load
  - cross-origin restrictions protect against malicious site reading iframe contents
  - still a clickjacking concern
    - mitigate with X-Frame-Options