by FiddlyPack
2630 days ago
Highlights, to me:
- do not trust localStorage
- quote: "The most challenging pattern in our dataset consists of scenarios in which applications use the persistence mechanisms to deliberately store HTML or JavaScript code, e.g., for client-side caching purposes. In this setting, the attacker is able to completely overwrite the contents of the corresponding storage entry with their own code. We could identify in several cases these flaws are actually introduced by third-party libraries, among them CloudFlare and Criteo."
Taking client-controlled storage and inserting it unsafely into the DOM sounds like a bad idea, although it's not something that is popularly discussed as a trust boundary, so awareness is key (this article is a great example).
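
The trust boundary discussed in this thread, as an added example that is not part of the comments or the quoted paper: the caching pattern from the quote beside a read path that treats the stored entry as untrusted data. The `widgetCache` key, the `title`/`href` fields, the function names and the Map-backed storage stand-in are assumptions made for illustration.

```javascript
// Constructed stand-in for window.localStorage so the example runs outside a browser.
function makeStorage(initial) {
  const m = new Map(Object.entries(initial));
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => void m.set(k, String(v)),
  };
}

// Pattern from the quote: markup is cached in storage and inserted as-is,
// equivalent to `element.innerHTML = localStorage.getItem(...)`.
function renderCachedUnsafe(storage) {
  return '<div id="widget">' + storage.getItem("widgetCache") + "</div>";
}

function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened read: the entry holds data only (never markup or script) and is
// re-validated on every read, because anything able to write to the origin's
// storage can replace it between visits.
function readWidget(storage) {
  let v;
  try {
    v = JSON.parse(storage.getItem("widgetCache"));
  } catch (e) {
    return null; // not JSON at all, e.g. raw HTML
  }
  if (v === null || typeof v !== "object" || Array.isArray(v)) return null;
  if (typeof v.title !== "string" || v.title.length > 80) return null;
  // Allow only https links; rejects javascript: and data: URLs.
  if (typeof v.href !== "string" || !/^https:\/\/[^\s"'<>]+$/.test(v.href)) return null;
  return { title: v.title, href: v.href };
}

function renderCachedSafe(storage) {
  const w = readWidget(storage);
  if (!w) return '<div id="widget"></div>'; // discard the cache and refetch
  return '<div id="widget"><a href="' + escapeHtml(w.href) + '">' +
    escapeHtml(w.title) + "</a></div>";
}

// Constructed sample entries: one overwritten with markup, one well-formed.
const tampered = makeStorage({ widgetCache: "<img src=x onerror=alert(1)>" });
const honest = makeStorage({
  widgetCache: JSON.stringify({ title: "Docs & <news>", href: "https://example.com/docs" }),
});
```

In a browser, the hardened path would build the link with `createElement` and `textContent` rather than a string; string output is used here only so the result can be inspected without a DOM.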