What makes JSFiddle secure from XSS-based attacks? [closed]

I am curious: what makes www.jsfiddle.net secure from XSS-based attacks? They have support for accounts, so clearly any script they run in the browser may do evil things.

Tower asked Jul 18 '11 11:07


1 Answer

If you look at the results pane for a fiddle, you'll notice that it's actually an IFRAME pointing to a different domain, which means that built-in security will kick in, which generally prevents access to the parent window.

This fiddle, for example: http://jsfiddle.net/jomanlk/y9zCK/

is actually served by: http://fiddle.jshell.net/jomanlk/y9zCK/show/

JohnP answered Sep 19 '22 15:09
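The isolation the answer describes rests on the browser's same-origin policy: an origin is the scheme, host and port of a URL, and script running in a frame from one origin cannot read the DOM, cookies or storage of a page from another. The following is an added example, not code from the original post or from JSFiddle, that shows how a site hosting user-written scripts would apply this: it compares origins the way the browser does, refuses to build a results frame unless the user code is served from a separate origin, and validates `event.origin` before trusting anything a frame sends back through `postMessage`. The function names (`originOf`, `isSameOrigin`, `buildResultFrame`, `handleFrameMessage`) and the message-event objects are constructed for this example; the URLs are the two from the answer.

```javascript
// Added example (not from the original post). Runs under Node.js, where
// the WHATWG URL class is global, and in any modern browser.

// The browser's notion of origin: scheme + host + port. A default port
// (80 for http, 443 for https) is normalised away, so "http://a.example"
// and "http://a.example:80" are the same origin.
function originOf(urlString) {
  return new URL(urlString).origin; // e.g. "http://fiddle.jshell.net"
}

// Two URLs are same-origin only if all three components match. A sub-domain
// (fiddle.jshell.net vs jsfiddle.net) or a scheme change (http vs https) is
// enough to make them different origins, and therefore isolated.
function isSameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// A host page that embeds user-supplied code builds its results frame from
// a URL on the separate results origin. The check makes the design rule
// explicit: if somebody later points the frame at the host page's own
// origin, user script would gain access to the host page's DOM and
// cookies, so refuse to build the frame at all. Returns markup as a string
// so the function can run outside a browser; the real page would insert
// it into the DOM.
function buildResultFrame(resultUrl, hostPageUrl) {
  if (isSameOrigin(resultUrl, hostPageUrl)) {
    throw new Error("results must be served from a different origin than the host page");
  }
  return `<iframe src="${resultUrl}"></iframe>`;
}

// If the host page wants to hear from the results frame (console output,
// resize requests, ...), the only channel across origins is postMessage.
// The receiver must check event.origin before looking at event.data,
// otherwise any page that can obtain a reference to the host window could
// inject messages. This is a pure function over a message-event-like
// object so it can be exercised directly; in the browser it is wired as
//   window.addEventListener("message", (ev) => handleFrameMessage(ev, RESULT_ORIGIN));
function handleFrameMessage(event, expectedOrigin) {
  if (event.origin !== expectedOrigin) {
    return { accepted: false, reason: "unexpected origin " + event.origin };
  }
  const data = event.data;
  if (typeof data !== "object" || data === null || typeof data.type !== "string") {
    return { accepted: false, reason: "malformed message" };
  }
  // Only a known message type reaches application logic; the payload is
  // still untrusted data and must not be inserted into the DOM as HTML.
  return { accepted: true, type: data.type };
}

// Stand-alone demonstration with the two URLs from the answer.
const HOST_PAGE = "http://jsfiddle.net/jomanlk/y9zCK/";
const RESULT_PAGE = "http://fiddle.jshell.net/jomanlk/y9zCK/show/";
const RESULT_ORIGIN = originOf(RESULT_PAGE);

console.log("same origin?", isSameOrigin(HOST_PAGE, RESULT_PAGE)); // false
console.log(buildResultFrame(RESULT_PAGE, HOST_PAGE));
// Constructed message events: one from the results origin, one from elsewhere.
console.log(handleFrameMessage({ origin: RESULT_ORIGIN, data: { type: "console" } }, RESULT_ORIGIN));
console.log(handleFrameMessage({ origin: "http://attacker.example", data: { type: "console" } }, RESULT_ORIGIN));
```

The separate origin is what stops user script from reading the host page; the `postMessage` origin check is the part people forget once the two sides need to talk, because a listener that skips it hands any page that can reach the host window a way back in.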