Testing for the existence of controls to prevent Self-XSS scams
Controls against Self-XSS scams should be considered when the application is high value and connects many users through forums, messaging and similar features, because those are the channels through which the scam message spreads.
Self-XSS operates by tricking users into copying and pasting malicious content into their browser's web developer console.[1] Usually the attacker posts a message claiming that by copying and running certain code the user will be able to hack another user's account. In fact, the code runs in the victim's own logged-in session and lets the attacker hijack the victim's account. A common control is to print a prominent warning in the console itself, so that a user who has been told to open the console and paste something sees the warning before they do so. When testing, open the developer tools, reload the page and check whether such a warning is printed.
Below is a screengrab of the prevention tip Facebook prints in its console (image not reproduced here):
Sample Code (the %c directive applies the CSS in the second argument to the logged text, which is how the warning is made large and coloured):
console.log("%cExtra Large Yellow Text with Red Background", "background: red; color: yellow; font-size: x-large");
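As an added example, not code from the original post or from Facebook, the snippet below shows a fuller version of the control and a check for it: a function that prints a two-part console banner (a large red headline plus an explanation of the scam) and a small recording console so the output can be inspected without a browser. The wording, styles and function names are assumptions; adjust them to the site under test.

```javascript
// Added example (not from the original post or from Facebook): a Self-XSS
// console warning plus a check that a page actually emits such a warning.
// Wording, styles and names below are assumptions.

// Styles for the two-part banner: a big red headline and a normal-size body.
const HEADLINE_STYLE = "color: red; font-size: 40px; font-weight: bold;";
const BODY_STYLE = "font-size: 16px;";

const HEADLINE = "Stop!";
const BODY =
  "This is a browser feature intended for developers. If someone told you to " +
  "copy and paste something here to enable a feature or \"hack\" someone's " +
  "account, it is a scam and will give them access to your account.";

// Emit the warning. `con` defaults to the real console but can be any object
// with a log(...) method, which keeps the function testable outside a browser.
function emitSelfXssWarning(con = console) {
  con.log("%c" + HEADLINE, HEADLINE_STYLE);
  con.log("%c" + BODY, BODY_STYLE);
  return [HEADLINE, BODY];
}

// A recording console: collects everything logged so a test harness can
// inspect what the page wrote to the console.
function makeRecordingConsole() {
  const entries = [];
  return {
    entries,
    log: (...args) => { entries.push(args); },
  };
}

// Check whether recorded console output contains a Self-XSS warning.
// Heuristic: the headline itself, or "paste" together with "scam" or "hack".
function hasSelfXssWarning(entries) {
  const text = entries
    .map(args => args.map(String).join(" "))
    .join("\n")
    .toLowerCase();
  if (text.includes("stop!")) return true;
  return text.includes("paste") && (text.includes("scam") || text.includes("hack"));
}

// Stand-alone usage: print the banner into a recorder, then confirm it is there.
const rec = makeRecordingConsole();
emitSelfXssWarning(rec);
console.log("warning present:", hasSelfXssWarning(rec.entries));
```

Call emitSelfXssWarning() with the real console as early as possible in page load so the banner is the first thing a user sees when they open the developer tools. Note that this is an awareness control only: it does not stop pasted code from running, so it complements, rather than replaces, protections such as short-lived session tokens and re-authentication for sensitive actions.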
Ref:
- https://developer.chrome.com/devtools/docs/console
- http://getfirebug.com/wiki/index.php/Console.log
- https://en.wikipedia.org/wiki/Self-XSS