by redmorphium
2144 days ago
It could be serious. Let's say your company's code is open-source, and the attacker knows there is code somewhere like this:

  let state = getState(); // returns empty {} if user not authenticated
  if (!state.userIsAuthenticated) {
    respond(401);
    return; // stop here, otherwise the handler falls through to the account view
  }
  showBankAccount();

If the hacker is able to set `Object.prototype.userIsAuthenticated` then the auth check is now bypassed. So I think the break / DDoS is pretty serious here.
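The bypass described in the comment above, as an added example that is not part of the original post. It recreates the comment's check with stand-in `getState()`/`respond()` equivalents (assumed, not from any real code base), shows that an inherited `userIsAuthenticated` satisfies the naive check while an own-property check does not, and includes a small runtime probe a defender can use to detect that `Object.prototype` has been polluted:

```javascript
// Added example: prototype pollution versus an auth check on a plain object.
// getState() and the status-code returns stand in for the comment's
// getState()/respond()/showBankAccount(); they are assumptions for the demo.

// Mirrors the comment: an anonymous session yields an empty {} state.
function getState(session) {
  return session && session.authenticated ? { userIsAuthenticated: true } : {};
}

// The check exactly as the comment writes it. `state.userIsAuthenticated`
// walks the prototype chain, so a polluted Object.prototype satisfies it.
function naiveCheck(state) {
  if (!state.userIsAuthenticated) {
    return 401; // respond(401)
  }
  return 200;   // showBankAccount()
}

// Hardened check: only an *own* property whose value is exactly true counts.
// hasOwnProperty is called via Object.prototype so a polluted or
// null-prototype state object cannot shadow it.
function hardenedCheck(state) {
  const own = Object.prototype.hasOwnProperty.call(state, 'userIsAuthenticated');
  if (!own || state.userIsAuthenticated !== true) {
    return 401;
  }
  return 200;
}

// Detection probe: a fresh {} should never "see" an auth flag through its
// prototype chain. Useful as a startup/self-test assertion in a service.
function prototypeIsPolluted() {
  return 'userIsAuthenticated' in {};
}

// Runs fn() while Object.prototype carries the flag the attacker would set,
// then removes it so the pollution does not leak into other code paths.
function withPollution(fn) {
  Object.prototype.userIsAuthenticated = true; // the condition the comment posits
  try {
    return fn();
  } finally {
    delete Object.prototype.userIsAuthenticated;
  }
}

// Exercises both checks with and without pollution; returns the status codes.
function demo() {
  const anon = getState(null);
  return {
    naiveClean: naiveCheck(anon),                           // 401
    naivePolluted: withPollution(() => naiveCheck(anon)),   // 200: bypassed
    hardenedClean: hardenedCheck(anon),                     // 401
    hardenedPolluted: withPollution(() => hardenedCheck(anon)), // 401: still denied
    hardenedAuthed: hardenedCheck(getState({ authenticated: true })), // 200
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo(), 'polluted now:', prototypeIsPolluted());
}
```

The own-property check closes this particular gap, but the more robust fix is to keep authentication state off plain objects altogether (for example in a `Map` or an `Object.create(null)` record) and to treat `prototypeIsPolluted()` returning true as an incident, not a condition to work around.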