I am curious, what makes www.jsfiddle.net secure from XSS-based attacks? They have support for accounts, so clearly any script they run in the browser may do evil things.
One of the most common XSS attacks is the theft of cookies (especially session IDs). The HttpOnly flag was created to mitigate this threat by ensuring that cookie values cannot be accessed by client-side scripts such as JavaScript. This is accomplished by simply appending "; HttpOnly" to a cookie value.
However, JavaScript and HTML are mostly used to perform this attack, and it can be performed in different ways. Depending on the type of XSS attack, the malicious script may be reflected in the victim's browser, or stored in the database and executed every time the user calls the appropriate function.
If you look at the results pane for a fiddle, you'll notice that it's actually an IFRAME pointing to a different domain, which means that built-in security will kick in, which generally prevents access to the parent window.
This fiddle, for example: http://jsfiddle.net/jomanlk/y9zCK/
is actually served by: http://fiddle.jshell.net/jomanlk/y9zCK/show/
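The isolation described in the answer above can be checked with a short script. This is an added example, not part of the original post and not jsFiddle's code: the function names are hypothetical, the `Set-Cookie` values are constructed, and cookie `Path` and `Secure` handling is left out.

```javascript
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Same-origin policy compares the (scheme, host, port) tuple.
function originOf(url) {
  const u = new URL(url);
  return [u.protocol, u.hostname, u.port || DEFAULT_PORTS[u.protocol] || ""].join("|");
}
function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// RFC 6265 domain-match: exact host, or a subdomain of the cookie's Domain.
function cookieDomainMatches(host, cookieDomain) {
  const dom = cookieDomain.toLowerCase().replace(/^\./, "");
  host = host.toLowerCase();
  return host === dom || host.endsWith("." + dom);
}

// Pull the attributes this example needs out of a Set-Cookie header value.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), httpOnly: false, domain: null };
  for (const attr of attrs) {
    const [key, val = ""] = attr.split("=");
    if (key.toLowerCase() === "httponly") cookie.httpOnly = true;
    if (key.toLowerCase() === "domain") cookie.domain = val.trim();
  }
  return cookie;
}

// What script running at frameUrl can reach, given a cookie set by parentUrl.
function exposure(parentUrl, frameUrl, setCookieHeader) {
  const c = parseSetCookie(setCookieHeader);
  const parentHost = new URL(parentUrl).hostname;
  const frameHost = new URL(frameUrl).hostname;
  // Without a Domain attribute the cookie is host-only (exact host match).
  const sent = c.domain ? cookieDomainMatches(frameHost, c.domain) : frameHost === parentHost;
  return {
    canScriptParentDom: sameOrigin(parentUrl, frameUrl),
    cookieSentToFrameHost: sent,
    cookieReadableByFrameScript: sent && !c.httpOnly,
  };
}

// The two URLs from the answer, with a constructed session cookie.
const EDITOR = "http://jsfiddle.net/jomanlk/y9zCK/";
const RESULT = "http://fiddle.jshell.net/jomanlk/y9zCK/show/";
console.log(exposure(EDITOR, RESULT, "sessionid=CONSTRUCTED; Path=/; HttpOnly"));
```

With the result frame on a separate domain, all three fields are `false`; serving it from a subdomain of the editor's domain with a `Domain=`-scoped cookie would leave only HttpOnly between user script and the session ID.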