corenominal

Full stack web developer, interested in all the things, but especially the web, code, design, Linux, OS X, PHP, WordPress, JavaScript & robots.

Of Course I’ll Let You Execute Arbitrary Javascript Code in My Users’ Browsers image/svg+xml

All about the dangers of including externally hosted JavaScript in your websites. I would have thought that most of this would be common knowledge for professional developers, but the web being the web, there are plenty of hobbyist and amateurs out there who are probably very clueless about this stuff, so I thought it was worth sharing.

Also, I found this slightly amusing:

I’ll admit it, I used this vector for some grey-hat purposes back in my college days. In college, I wrote a terrible Javascript animation library that inexplicably became very popular among Spanish-speaking web developers. In order to facilitate onboarding, I offered the library over a public CDN that anybody could use.

At its peak, the script was being loaded from a few hundred websites and receiving about 100k loads per day. Some of my friends were in a band and they were participating in a local battle-of-the-bands competition for a radio station that featured weekly online votes to move to the next round. Their voting system did nothing to defend against XSRF attacks, but did limit votes to 1 per IP address.

So naturally, my friends won by a landslide of votes, most of which originated in Latin America.

** chuckles **

Leave a comment

Your email address will not be published. Required fields are marked *