by Eridrus 3288 days ago
Almost no one ever gets hacked through web app bugs at all, let alone CSRF, so in the end this doesn't really matter.

I still wouldn't recommend this as a solution though, since it's been broken repeatedly.


Man oh man, I used to think the same, but I took infosec training.

That taught me little. I held onto the belief hacking a target by website is only for really dumb victims.

Then I started reading bug bounty reports on HackerOne and Bugcrowd and was terrified at people doing account takeovers with CSRF attacks on oft-overlooked functionality in no-name sites like Twitter or FB.

That humbled me real quick.

As an aside, FB has to put up a stupid interactive prompt to not open the browser JS console unless you type a key code. In an era where people will misguidedly copy-paste into that, it is real brazen to believe token stealing and other CSRF vectors are not footholds and do not really happen.

I presume I just misunderstood you, but I wanted to go on the record for those on HN secretly believing this position and call them nuts.

Are you FB or Twitter or on a similar scale?

Also, bug bounties are not representative of real attacks.

I've written my own share of complicated exploits, but from an actual defense perspective... that's not how people are getting hacked IRL. It's all word macros and sqlmap.

Having worked in IR in various capacities in the past, I'd like to point out that many intrusions are not shared publicly. There are definitely targeted intrusions that begin with XSS or CSRF, you just don't hear about them.

As for the majority of hacks being something else, I full-on agree. I think phishing for credentials and malware installs, and leaked credentials in recent years, make up the majority of intrusions. Many of those are opportunistic, though, and not necessarily targeted.

So, I acknowledge there are breaches which started with XSS (Atlassian, etc), but even when you look at breaches that started with "client-side web bugs", how many of those are CSRF rather than XSS? Probably only a fraction, since they're shittier bugs.

And then, from the pool of "client-side web bugs", how many involve browser bugs?

This is just such a tail risk that it's hard to make myself care.