2 votes

I feel like XSS is gonna exist

5 comments

  1. [5]
    cfabbro

    If people can get around ~ extremely restrictive CSP and pull off an XSS attack, so long as they responsibly disclose it to @deimos... more power to them and that would even be appreciated so the vulnerability can be patched. ;)

    1 vote
    1. [4]
      13steinj

      No yeah of course but it's kinda difficult to disclose something responsibly without trying to throw everything at it. CSP doesn't protect against everything though, especially given the ability to use direct html tags. I don't know the current filtering method which is why I'm kinda just getting ready to throw everything in one go.

      1 vote
      1. [2]
        Deimos

        CSP doesn't protect against everything though, especially given the ability to use direct html tags.

        Assuming the browser you're using supports CSP properly, it is impossible to get an inline script tag to execute any code on Tildes. You can't use a <script> and write JavaScript inside one, you can't src= to a script hosted anywhere except on https://tildes.net, you can't use any onclick= or similar handlers, and so on.

        I can't even use these things in the source code myself. XSS should be completely impossible.

        3 votes
        1. 13steinj

          There have been bypasses to CSP in the past, but even disregarding those, not all browsers support CSP (e.g. IE9, Edge < 14), and some users are locked into these browsers due to improperly placed restrictions by organizations and other educational institutions.

          And some people are just...well, don't update.

          1 vote
      2. cfabbro
        (edited)

        The only HTML element that can be used is <a href=""> right now AFAIK and it’s highly restricted (no pseudo-elements). It’s not a wide open, one-to-one parser.

        I get what you’re saying about how it's difficult to responsibly disclose right now, but once the site is open sourced you can take a peek at the code yourself or spin up your own version to test on... and if you spot anything just add an issue to GitLab or PM @deimos directly if it’s urgent/severe and you don’t think disclosure should be made publicly.

        If you plan on hammering the site trying to find an XSS vulnerability in the meantime though, you should probably PM @deimos anyways so he doesn’t assume you’re being malicious. That is what I primarily meant by responsible disclosure at this early stage before it’s open source.

        1 vote
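As an added illustration of the two points made above (Deimos's description of what a strict script-src policy blocks, and 13steinj's caveat that enforcement only happens in browsers that implement CSP), here is a small model of how a CSP-conforming browser decides whether a script may run. This is example code written for this page, not Tildes' code; the header strings and the site origin are constructed assumptions, not the real Tildes header.

```javascript
// Constructed policies: a strict one shaped like the description above, and a
// weak one that allows inline script. Neither is the actual Tildes header.
const SITE_ORIGIN = 'https://tildes.net';
const STRICT_CSP = "default-src 'none'; script-src 'self'; style-src 'self'";
const WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline'";

// Parse "directive value value; directive ..." into { directive: [values] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

// script-src falls back to default-src. No policy at all means no restriction,
// which is also how a browser that does not implement CSP behaves.
function scriptSources(header) {
  const policy = parseCsp(header);
  return policy['script-src'] || policy['default-src'] || null;
}

// Would <script src="url"> on a page served from pageOrigin be allowed to load?
function allowsScriptUrl(header, url, pageOrigin) {
  const sources = scriptSources(header);
  if (sources === null) return true;
  const origin = new URL(url).origin;
  return sources.some((src) => {
    if (src === '*') return true;
    if (src === "'self'") return origin === pageOrigin;
    if (/^https?:\/\//i.test(src)) return new URL(src).origin === origin;
    return false; // 'none' matches nothing; nonces, hashes, scheme-only sources not modelled
  });
}

// Would an inline <script> body or an onclick= handler execute?
// Simplification: nonces and hashes, which permit specific inline scripts, are not modelled.
function allowsInlineScript(header) {
  const sources = scriptSources(header);
  return sources === null || sources.includes("'unsafe-inline'");
}
```

Under STRICT_CSP only same-origin external scripts load and no inline script runs; under WEAK_CSP or with no header at all, inline script runs, which is the situation a non-CSP browser is in regardless of what the server sends.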