Prevention against Self-XSS scams should be considered if the application is of high value and interconnects many users through forums, messaging and the like. Below is a screengrab of a prevention tip from Facebook (a styled warning printed in the browser's developer console):
Sample Code:
console.log("%cExtra Large Yellow Text with Red Background", "background: red; color: yellow; font-size: x-large");
Ref:
https://developer.chrome.com/devtools/docs/console
http://getfirebug.com/wiki/index.php/Console.log
https://en.wikipedia.org/wiki/Self-XSS
Self-XSS operates by tricking users into copying and pasting malicious content into their browsers' web developer console. Usually, the attacker posts a message that says by copying and running certain code, the user will be able to hack another user's account. In fact, the code allows the attacker to hijack the victim's account.
Showing posts from March, 2016
Over the years, in some applications we pentested, credentials were auto-generated. In the worst cases, those applications never enforced password expiration, so a generated password lasted for the lifetime of the account (changed only on the user's request). When we analysed a large number of samples, we found the following common patterns:
Common username patterns:
1. Derived from a small number of digits, such as 6, 7 or 8
2. Derived from first name and last name
Useful tool: https://github.com/urbanadventurer/username-anarchy
Common password patterns:
1. Derived from a small number of digits, such as 6, 7 or 8
2. A combination of a small number of alphanumeric characters followed by digits (e.g. xwuc7482), or the reverse
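An audit helper for the password patterns listed above, added here as an example and not part of the original post or of any tool it links: it classifies generated credentials by structure and estimates the effective keyspace once that structure is known, which is the defender's argument for rejecting such generators. The sample values, the regexes and the 40-bit threshold are constructed assumptions for illustration.

```python
import math
import re
from collections import Counter

# Structures described in the post: 6-8 digits only, a few lowercase
# letters followed by digits (xwuc7482), or digits followed by letters.
ALL_DIGITS = re.compile(r"^\d{6,8}$")
ALPHA_THEN_DIGITS = re.compile(r"^[a-z]{1,4}\d{1,4}$")
DIGITS_THEN_ALPHA = re.compile(r"^\d{1,4}[a-z]{1,4}$")


def classify(value: str) -> str:
    """Label a credential by the weak structure it matches, if any."""
    if ALL_DIGITS.match(value):
        return "digits-only"
    if ALPHA_THEN_DIGITS.match(value):
        return "alpha-then-digits"
    if DIGITS_THEN_ALPHA.match(value):
        return "digits-then-alpha"
    return "other"


def naive_bits(value: str) -> float:
    """log2 keyspace assuming every position draws from all classes present."""
    classes = [(str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
               (lambda c: not c.isalnum(), 33)]
    alphabet = sum(n for test, n in classes if any(test(c) for c in value))
    return len(value) * math.log2(alphabet) if alphabet else 0.0


def effective_bits(value: str) -> float:
    """log2 keyspace once the generator's fixed structure is accounted for."""
    kind = classify(value)
    if kind == "digits-only":
        return len(value) * math.log2(10)
    if kind in ("alpha-then-digits", "digits-then-alpha"):
        letters = sum(c.isalpha() for c in value)
        return letters * math.log2(26) + (len(value) - letters) * math.log2(10)
    return naive_bits(value)  # no recognised structure: fall back to the bound


def audit(samples, min_bits=40.0):
    """Return (pattern counts, samples whose effective keyspace < min_bits)."""
    counts = Counter(classify(s) for s in samples)
    weak = [s for s in samples if effective_bits(s) < min_bits]
    return counts, weak


# Constructed sample of generated passwords (not real data)
SAMPLE = ["7482913", "xwuc7482", "4821kqzr", "483921", "a9Xk!2Lm", "Vq3$m8Zp1t"]
```

Run `audit(SAMPLE)` to see that the four structured values fall near 20-32 bits, well below the threshold, while the unstructured ones do not.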
Over the years, we have seen security-aware applications use various forms of encryption and encoding. In such applications, we found programmers implementing cryptographic schemes incorrectly, either disclosing keys client-side or returning keys in JSON format in server responses. Some of the tools we used:
Bletchley: https://github.com/ecbftw/bletchley (analyze - https://github.com/ecbftw/bletchley/blob/master/wiki/Overview.wiki#bletchleyanalyze )
CrypTool2: https://www.cryptool.org/en/cryptool2