Self XSS Protection not used, attacker can trick users to insert JavaScript (suggestion)

djamel.anoir at gmail.com
Mon Jul 10 12:48:27 EDT 2017


Title : Self XSS Protection not used, attacker can trick users to insert JavaScript (suggestion)
------------------------------------------------------------------------
Description :
----------------
"Self XSS Protection not used" on your website. This technique
prevents users from getting tricked into injecting JS themselves.

A screenshot of Facebook's warning against such an attack:
https://gyazo.com/3b448c200124053b60b622d0149e242d
--------

POC :
------
Attackers can use social engineering to trick victims into getting
self-XSSed via the console.
I suggest you use the same method as Facebook and notify the user who
opens the console: https://gyazo.com/3b448c200124053b60b622d0149e242d

Criticality : It can only be used to trick non-tech users who can be
fooled into getting self-XSSed.
-------------


Suggested fix :
-----------------

This is how Gratipay fixed the issue:
https://github.com/gratipay/gratipay.com/commit/bf893c19375e8171f31ff98816f2e8b30f82a137
using the following JS code:
+Gratipay.warnOffUsersFromDeveloperConsole = function()
+{
+ console.log("%cStop!", "color: red; font-weight: bold; font-size: 50px;");
+ console.log( "%cThis is a console for developers. If someone has
asked you to open this "
+ + "window, they are likely trying to compromise your Gratipay account."
+ , "color: red;"
+ );
+ console.log("%cPlease close this window now.", "color: blue;");
+};
+
+
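Review bot: the string literal in the second console.log is broken across two lines by mail wrapping ("...If someone has" / "asked you to open this "), so the snippet as quoted here is not valid JavaScript; take the code from the linked commit rather than from this quote. The quoted lines also only define Gratipay.warnOffUsersFromDeveloperConsole and do not show it being invoked; it has to be called on page load, before a user opens the console, or the warning never appears. Note as well that a styled console.log is a deterrent against social engineering only: it does not stop pasted code from running, so it complements rather than replaces other protections.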

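As an added example (not the report author's code and not Gratipay's), here is the same console-warning technique written so it can be unit-tested: the warning lines are built by one function, and the installer takes a console-like object so a test can capture what is logged. The `siteName` parameter and the `__selfXssWarningShown` marker are assumptions made for this example.

```javascript
// Added example: self-XSS console warning in the style the report suggests.
// Each entry is [format string, CSS applied through the %c directive].
function selfXssWarningLines(siteName) {
  return [
    ["%cStop!", "color: red; font-weight: bold; font-size: 50px;"],
    ["%cThis is a browser feature intended for developers. If someone told " +
       "you to copy and paste something here, they are likely trying to " +
       "compromise your " + siteName + " account.",
     "color: red; font-size: 16px;"],
    ["%cPlease close this window now.", "color: blue; font-size: 16px;"],
  ];
}

// Writes the warning once through `target` (defaults to the real console).
// Returns the number of lines written; 0 when there is no usable console or
// the warning was already shown on this target (idempotent across re-calls).
function installSelfXssWarning(siteName, target = globalThis.console) {
  if (!target || typeof target.log !== "function") return 0;
  if (target.__selfXssWarningShown) return 0;
  const lines = selfXssWarningLines(siteName);
  for (const [fmt, css] of lines) target.log(fmt, css);
  try {
    // Hypothetical marker so repeated calls do not spam the console.
    Object.defineProperty(target, "__selfXssWarningShown", { value: true });
  } catch (e) {
    // Frozen console objects: fall through, the warning was still written.
  }
  return lines.length;
}

// Typical wiring in a browser: run as early as possible so the warning is
// the first thing a user sees after opening the developer console.
if (typeof window !== "undefined") {
  installSelfXssWarning("Example");
}
```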
