[Issue 17391] SECURITY: XSS through DDOC comments

via Digitalmars-d-bugs digitalmars-d-bugs at puremagic.com
Wed May 10 16:09:56 PDT 2017


https://issues.dlang.org/show_bug.cgi?id=17391

--- Comment #7 from Cédric Picard <cpicard at openmailbox.org> ---
(In reply to Vladimir Panteleev from comment #5)
> (In reply to Cédric Picard from comment #4)
> > Not at all, while what you describe is the most common case there are many
> > things that are possible through XSS that do not target the current domain.
> 
> Could you provide some examples which would be applicable to us?

Well, I'm not sure this is the right place to talk about that, but it's an XSS,
it can do anything JS in a webpage can, so making external calls to APIs,
executing an IRC bot, delivering malware...

With some timing tricks it is also possible to scan the user's network for
available ports on local and nearby computers.

With a browser bug such as
https://www.brokenbrowser.com/sop-bypass-uxss-stealing-credentials-pretty-fast/
(taking one from today, those are pretty common) it's possible to bypass any
security tying the code to the local domain. From there you can get data from
other pages, read and send local files, etc.

Anything a normal malicious webpage can do; this is in no way specific to D.
