How badly should I try to prevent a user from XSSing themselves? The Next CEO of Stack OverflowHow to best defend against Targeted Attacks?How to prevent my website from getting malware injection attacks?CodeIgniter CSRF confusionHow to prevent XSS from urlHow do the Stack Exchange sites protect themselves from XSS?How to prevent data from Interception?Safely downloading user submitted contentShould we prevent this login XSS attack?How to prevent XSS in user-generated content (html) without disabling scripts and CSSa mysterious & pointless long-term hacking attempt?
Find the majority element, which appears more than half the time
Can a PhD from a non-TU9 German university become a professor in a TU9 university?
Is this a new Fibonacci Identity?
Is a linearly independent set whose span is dense a Schauder basis?
MT "will strike" & LXX "will watch carefully" (Gen 3:15)?
Why doesn't Shulchan Aruch include the laws of destroying fruit trees?
Incomplete cube
How can the PCs determine if an item is a phylactery?
What day is it again?
Mathematica command that allows it to read my intentions
Direct Implications Between USA and UK in Event of No-Deal Brexit
Are British MPs missing the point, with these 'Indicative Votes'?
How does a dynamic QR code work?
How to pronounce fünf in 45
Is it correct to say moon starry nights?
Which acid/base does a strong base/acid react when added to a buffer solution?
How badly should I try to prevent a user from XSSing themselves?
logical reads on global temp table, but not on session-level temp table
Would a grinding machine be a simple and workable propulsion system for an interplanetary spacecraft?
Raspberry pi 3 B with Ubuntu 18.04 server arm64: what pi version
Why did early computer designers eschew integers?
Why was Sir Cadogan fired?
What does this strange code stamp on my passport mean?
Is it OK to decorate a log book cover?
How badly should I try to prevent a user from XSSing themselves?
The Next CEO of Stack OverflowHow to best defend against Targeted Attacks?How to prevent my website from getting malware injection attacks?CodeIgniter CSRF confusionHow to prevent XSS from urlHow do the Stack Exchange sites protect themselves from XSS?How to prevent data from Interception?Safely downloading user submitted contentShould we prevent this login XSS attack?How to prevent XSS in user-generated content (html) without disabling scripts and CSSa mysterious & pointless long-term hacking attempt?
Let's say a user can store some data in a web app. I'm now only talking about that sort of data the user can THEMSELVES view, not that is intended to be viewed by other users of the webapp. (Or if other users may view this data then it is handled to them in a more secure way.)
How horrible would it be to allow some XSS vulnerability in this data?
Of course, a purist's answer would clearly be: "No vulnerabilities are allowed". But honestly - why?
Everything that is allowed is the user XSSing THEMSELVES. What's the harm here? Other users are protected. And I can't see a reason why would someone mount an attack against themselves (except if it is a harmless one, in which case - again - no harm is done).
My gut feelings are that the above reasoning will raise some eyebrows... OK, then what am I failing to see?
xss attacks
asked 5 hours ago
gaazkamgaazkam
1,3162819
add a comment |
Let's say a user can store some data in a web app. I'm now only talking about that sort of data the user can THEMSELVES view, not that is intended to be viewed by other users of the webapp. (Or if other users may view this data then it is handled to them in a more secure way.)
How horrible would it be to allow some XSS vulnerability in this data?
Of course, a purist's answer would clearly be: "No vulnerabilities are allowed". But honestly - why?
Everything that is allowed is the user XSSing THEMSELVES. What's the harm here? Other users are protected. And I can't see a reason why would someone mount an attack against themselves (except if it is a harmless one, in which case - again - no harm is done).
My gut feelings are that the above reasoning will raise some eyebrows... OK, then what am I failing to see?
xss attacks
asked 5 hours ago
gaazkamgaazkam
1,3162819
How can you limit the scope of an XSS vuln to just some data? This is asking to open the door to everything getting compromised. Don't be lazy with it
– Crumblez
5 hours ago
add a comment |
Let's say a user can store some data in a web app. I'm now only talking about that sort of data the user can THEMSELVES view, not that is intended to be viewed by other users of the webapp. (Or if other users may view this data then it is handled to them in a more secure way.)
How horrible would it be to allow some XSS vulnerability in this data?
Of course, a purist's answer would clearly be: "No vulnerabilities are allowed". But honestly - why?
Everything that is allowed is the user XSSing THEMSELVES. What's the harm here? Other users are protected. And I can't see a reason why would someone mount an attack against themselves (except if it is a harmless one, in which case - again - no harm is done).
My gut feelings are that the above reasoning will raise some eyebrows... OK, then what am I failing to see?
xss attacks
asked 5 hours ago
gaazkamgaazkam
1,3162819
Let's say a user can store some data in a web app. I'm now only talking about that sort of data the user can THEMSELVES view, not that is intended to be viewed by other users of the webapp. (Or if other users may view this data then it is handled to them in a more secure way.)
How horrible would it be to allow some XSS vulnerability in this data?
Of course, a purist's answer would clearly be: "No vulnerabilities are allowed". But honestly - why?
Everything that is allowed is the user XSSing THEMSELVES. What's the harm here? Other users are protected. And I can't see a reason why would someone mount an attack against themselves (except if it is a harmless one, in which case - again - no harm is done).
My gut feelings are that the above reasoning will raise some eyebrows... OK, then what am I failing to see?
xss attacks
xss attacks
asked 5 hours ago
gaazkamgaazkam
1,3162819
asked 5 hours ago
gaazkamgaazkam
1,3162819
asked 5 hours ago
gaazkamgaazkam
1,3162819
asked 5 hours ago
gaazkamgaazkam
1,3162819
asked 5 hours ago
gaazkamgaazkam
1,3162819
1,3162819
How can you limit the scope of an XSS vuln to just some data? This is asking to open the door to everything getting compromised. Don't be lazy with it
– Crumblez
5 hours ago
add a comment |
How can you limit the scope of an XSS vuln to just some data? This is asking to open the door to everything getting compromised. Don't be lazy with it
– Crumblez
5 hours ago
How can you limit the scope of an XSS vuln to just some data? This is asking to open the door to everything getting compromised. Don't be lazy with it
– Crumblez
5 hours ago
How can you limit the scope of an XSS vuln to just some data? This is asking to open the door to everything getting compromised. Don't be lazy with it
– Crumblez
5 hours ago
add a comment |
2 Answers
2
active
oldest
votes
This is actually a real concept, "Self XSS" which is sufficiently common that if you open https://facebook.com and then open the developer tools, they warn you about it 
Obviously Facebook is a specific type of target and whether this issue matters to you or not, would depend on the exact nature of your site, but you may not be able to discount the idea of one user using social engineering techniques to get another user to attack themselves.
answered 5 hours ago
Rоry McCuneRоry McCune
52.7k13113187
add a comment |
Although you are right in that it might not matter so much from an attack point of view. From a usability point of view, the user might come across some 'unexpected behavior'. A while ago I used to have to work with software that had an obvious SQL injection problem (contractors couldn't/wouldn't fix it). This meant that unexpecting users would enter in something seemingly harmless such as their name "O'Brien", which would trigger an SQL injection and for computer illiterate people it was unexpected behavior. It is probably less likely with XSS, however consider the following if a user uses <> instead of () the data might seem to disappear. A proof of concept is below:
<html>
<head><title>HI</title></head>
<body>
<h1>WEBSITE</h1>
Hey my name is <travis>.
</body>
</html>
Note that when this website is rendered, the word 'travis', is not rendered.
answered 4 hours ago
meowcatmeowcat
1644
add a comment |
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "162"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f206579%2fhow-badly-should-i-try-to-prevent-a-user-from-xssing-themselves%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
This is actually a real concept, "Self XSS" which is sufficiently common that if you open https://facebook.com and then open the developer tools, they warn you about it
Obviously Facebook is a specific type of target and whether this issue matters to you or not, would depend on the exact nature of your site, but you may not be able to discount the idea of one user using social engineering techniques to get another user to attack themselves.
answered 5 hours ago
Rоry McCuneRоry McCune
52.7k13113187
add a comment |
This is actually a real concept, "Self XSS" which is sufficiently common that if you open https://facebook.com and then open the developer tools, they warn you about it
Obviously Facebook is a specific type of target and whether this issue matters to you or not, would depend on the exact nature of your site, but you may not be able to discount the idea of one user using social engineering techniques to get another user to attack themselves.
answered 5 hours ago
Rоry McCuneRоry McCune
52.7k13113187
add a comment |
This is actually a real concept, "Self XSS" which is sufficiently common that if you open https://facebook.com and then open the developer tools, they warn you about it
Obviously Facebook is a specific type of target and whether this issue matters to you or not, would depend on the exact nature of your site, but you may not be able to discount the idea of one user using social engineering techniques to get another user to attack themselves.
answered 5 hours ago
Rоry McCuneRоry McCune
52.7k13113187
This is actually a real concept, "Self XSS" which is sufficiently common that if you open https://facebook.com and then open the developer tools, they warn you about it
Obviously Facebook is a specific type of target and whether this issue matters to you or not, would depend on the exact nature of your site, but you may not be able to discount the idea of one user using social engineering techniques to get another user to attack themselves.
answered 5 hours ago
Rоry McCuneRоry McCune
52.7k13113187
answered 5 hours ago
Rоry McCuneRоry McCune
52.7k13113187
answered 5 hours ago
Rоry McCuneRоry McCune
52.7k13113187
answered 5 hours ago
Rоry McCuneRоry McCune
52.7k13113187
52.7k13113187
add a comment |
add a comment |
Although you are right in that it might not matter so much from an attack point of view. From a usability point of view, the user might come across some 'unexpected behavior'. A while ago I used to have to work with software that had an obvious SQL injection problem (contractors couldn't/wouldn't fix it). This meant that unexpecting users would enter in something seemingly harmless such as their name "O'Brien", which would trigger an SQL injection and for computer illiterate people it was unexpected behavior. It is probably less likely with XSS, however consider the following if a user uses <> instead of () the data might seem to disappear. A proof of concept is below:
<html>
<head><title>HI</title></head>
<body>
<h1>WEBSITE</h1>
Hey my name is <travis>.
</body>
</html>
Note that when this website is rendered, the word 'travis', is not rendered.
answered 4 hours ago
meowcatmeowcat
1644
add a comment |
Although you are right in that it might not matter so much from an attack point of view. From a usability point of view, the user might come across some 'unexpected behavior'. A while ago I used to have to work with software that had an obvious SQL injection problem (contractors couldn't/wouldn't fix it). This meant that unexpecting users would enter in something seemingly harmless such as their name "O'Brien", which would trigger an SQL injection and for computer illiterate people it was unexpected behavior. It is probably less likely with XSS, however consider the following if a user uses <> instead of () the data might seem to disappear. A proof of concept is below:
<html>
<head><title>HI</title></head>
<body>
<h1>WEBSITE</h1>
Hey my name is <travis>.
</body>
</html>
Note that when this website is rendered, the word 'travis', is not rendered.
answered 4 hours ago
meowcatmeowcat
1644
add a comment |
Although you are right in that it might not matter so much from an attack point of view. From a usability point of view, the user might come across some 'unexpected behavior'. A while ago I used to have to work with software that had an obvious SQL injection problem (contractors couldn't/wouldn't fix it). This meant that unexpecting users would enter in something seemingly harmless such as their name "O'Brien", which would trigger an SQL injection and for computer illiterate people it was unexpected behavior. It is probably less likely with XSS, however consider the following if a user uses <> instead of () the data might seem to disappear. A proof of concept is below:
<html>
<head><title>HI</title></head>
<body>
<h1>WEBSITE</h1>
Hey my name is <travis>.
</body>
</html>
Note that when this website is rendered, the word 'travis', is not rendered.
answered 4 hours ago
meowcatmeowcat
1644
Although you are right in that it might not matter so much from an attack point of view. From a usability point of view, the user might come across some 'unexpected behavior'. A while ago I used to have to work with software that had an obvious SQL injection problem (contractors couldn't/wouldn't fix it). This meant that unexpecting users would enter in something seemingly harmless such as their name "O'Brien", which would trigger an SQL injection and for computer illiterate people it was unexpected behavior. It is probably less likely with XSS, however consider the following if a user uses <> instead of () the data might seem to disappear. A proof of concept is below:
<html>
<head><title>HI</title></head>
<body>
<h1>WEBSITE</h1>
Hey my name is <travis>.
</body>
</html>
Note that when this website is rendered, the word 'travis', is not rendered.
answered 4 hours ago
meowcatmeowcat
1644
answered 4 hours ago
meowcatmeowcat
1644
answered 4 hours ago
meowcatmeowcat
1644
answered 4 hours ago
meowcatmeowcat
1644
1644
add a comment |
add a comment |
Thanks for contributing an answer to Information Security Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f206579%2fhow-badly-should-i-try-to-prevent-a-user-from-xssing-themselves%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
How can you limit the scope of an XSS vuln to just some data? This is asking to open the door to everything getting compromised. Don't be lazy with it
– Crumblez
5 hours ago