by 616c
3289 days ago
Man oh man, I used to think the same, but I took infosec training. That taught me little. I held onto the belief that hacking a target by website is only for really dumb victims. Then I started reading Bug Bounty reports on HackerOne and BugCrowd and was terrified at people doing account takeovers with CSRF attacks on oft-overlooked functionality in no-name sites like Twitter or FB. That humbled me real quick. As an aside, FB has to put a stupid interactive prompt in the browser JS console telling people not to paste anything unless they type a key code. In an era where people will misguidedly copy-paste into that, it is real brazen to believe token stealing and other CSRF vectors are not footholds and do not really happen. I presume I just misunderstood you, but I wanted to go on the record for those on HN secretly believing this position and call them nuts.
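The comment above refers to CSRF-driven account takeover on state-changing endpoints. As an added illustration (not code from the commenter or from any of the sites named), the following shows the server-side checks that close that vector: a session-bound synchronizer token, an Origin/Referer check against the site's own origin, and a `SameSite` attribute on the session cookie. The origin `https://example.test`, the secret, the session id and the sample requests are all constructed for the example.

```python
import hmac
import hashlib
import secrets
from urllib.parse import urlparse

# Constructed values for the example; a real deployment loads these from config.
SITE_ORIGIN = "https://example.test"
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"


def issue_csrf_token(session_id: str) -> str:
    """Return a token bound to the session: nonce + HMAC(secret, session_id:nonce).

    Binding the token to the session means a token harvested from one victim's
    page cannot be replayed against another user's session.
    """
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def origin_allowed(headers: dict) -> bool:
    """Accept the request only if Origin (or, failing that, Referer) is our own origin.

    A cross-site form post carries the attacker site's Origin, so this rejects it
    even before the token is examined. Missing headers are treated as untrusted.
    """
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parsed = urlparse(source)
    return f"{parsed.scheme}://{parsed.netloc}" == SITE_ORIGIN


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value for the session; SameSite=Lax stops the browser attaching it
    to cross-site POSTs in the first place, which is a second, independent layer."""
    return f"session={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"


def handle_change_email(request: dict) -> tuple:
    """Guard a state-changing endpoint. `request` is a plain dict standing in for
    the web framework's request object: method, headers, cookies, form."""
    if request["method"] != "POST":
        return (405, "method not allowed")
    session_id = request["cookies"].get("session")
    if not session_id:
        return (401, "no session")
    if not origin_allowed(request["headers"]):
        return (403, "cross-site origin rejected")
    if not verify_csrf_token(session_id, request["form"].get("csrf_token", "")):
        return (403, "csrf token invalid")
    return (200, f"email changed to {request['form'].get('email')}")


def demo() -> dict:
    """Run a legitimate request and a forged cross-site one through the handler."""
    session_id = "sess-constructed-123"
    token = issue_csrf_token(session_id)

    legit = {
        "method": "POST",
        "headers": {"Origin": SITE_ORIGIN},
        "cookies": {"session": session_id},
        "form": {"csrf_token": token, "email": "user@example.test"},
    }
    # A forged request from another origin: the browser would send the cookie
    # (absent SameSite) but the attacker cannot know the session-bound token.
    forged = {
        "method": "POST",
        "headers": {"Origin": "https://attacker.invalid"},
        "cookies": {"session": session_id},
        "form": {"email": "attacker@attacker.invalid"},
    }
    return {"legit": handle_change_email(legit), "forged": handle_change_email(forged)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The token check and the origin check are deliberately independent: either one alone defeats a plain cross-site form post, and the `SameSite=Lax` cookie adds a third layer that does not depend on application code at all.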
Also, bug bounties are not representative of real attacks.
I've written my own share of complicated exploits, but from an actual defense perspective... that's not how people are getting hacked IRL. It's all Word macros and sqlmap.