|
|
|
|
|
|
by mike_hearn
3190 days ago
|
|
|
The article was updated. Apparently there were two different XSS at the same time. One is the exploit I describe above: data taken from the block chain was not escaped properly. Another is a more "traditional" XSS. It was possible to format a URL such that it contained script tags that were injected into the page. https://github.com/etherdelta/etherdelta.github.io/issues/14... The reason is, the data after the hash was not escaped. Perhaps a fuzzer would have caught that. But a good tool would make it hard to make such mistakes by default. A desktop app would not have suffered from such errors, by construction. The web is not a good tool. |
|
|
While you are correct it would not of suffered from this particular vulnerability, a improperly utilized malloc for example could have similar if not more disastrous effects and would be exploitable under the same threat model. Yet I wouldn't call it a bad tool, just a tool used by an inexperienced carpenter.