Agree with pretty much all of what you said, but I'm struggling with one part, maybe you can help me out a little haha.
To illustrate, consider social media websites that follow the convention of allowing users to register their own subdomains. A malicious actor could register example.com or m.example.com to phish a user.
If I understand you correctly, we'd say dev.to allows us to create subdomains. So now I create m.dev.to and send out that link in the hopes someone clicks on it. How would that be malicious? The site would still need me to allow to run scripts of any sort, right?
Am I missing the obvious here?
I'm a Systems Reliability and DevOps engineer for Netdata Inc. When not working, I enjoy studying linguistics and history, playing video games, and cooking all kinds of international cuisine.
You don't necessarily need to be able to run scripts to engage in malicious activities. Keylogging can be done using just HTML and CSS (though it requires special processing server-side to work), and it's absolutely possible to do any number of nasty things with carefully crafted text or embedded objects (images, videos, etc). The likelihood of persistently infecting a user's computer through such an attack is really low, but it's still theoretically possible, and it's absolutely possible to do drive-by attacks that crash the browser or possibly even the whole system.
Welp, I completely forgot custom content (images, videos, links, ...). I guess commenting when you just got up really isn't the best idea. Thanks for clearing it up though, I'm just gonna run head first into a wall because I didn't think of it when writing the comment.