by lxgr
888 days ago
> I don't think they mean to say that pages behind authentication were successfully loaded without authenticating.

Hm, are you sure? From the article:

> Would render and execute all scripts on that page as if it was that user

> [...] scans pages by grabbing the page contents, sending it to a render queue and then processing it [...]

I know a system that fits the bill for the observed behavior: https://news.ycombinator.com/item?id=39051083

But apparently PAN can do it too: https://news.ycombinator.com/item?id=39051077

> > Would render and execute all scripts on that page as if it was that user

If there is a valid user ID (or other user/session identifier) in the request URL or body, but not valid auth cookies, the system may respond with a page that references the same scripts as the user would get but with no data. In that case the scripts would run (perhaps requesting further resources, directly or by placing things that reference them into the DOM, which is how they know the scripts ran) as they would for the user but just render a “no data” message where the information would be.