All geek questions in one place

What are the risks that allow users to download and run Javascript

If you say that the arcade for HTML5 games allows users to download a script that launches the game with HTML5 and Javascript, if you do not have filters on their input (except for JS and HTML), what are potential security threats and pitfalls?

One unlikely possibility is that if the games are popular, they may have an inactive ddos ​​script inside them that can launch a ddos ​​attack if the games are popular enough.

Theft of cookies is different, but if anyone has an exhaustive list or any other ideas, it would be interesting to hear them.

+4
source share
4 answers

Providing javascript to load the launch opens up quite a few options for the attacker.

See the script for several sites (wikipeda) and OWASP .

In general, if you allow this, an attacker can publish any code, redirect users, use their browsers, install viruses, etc.

+3
source

Only my two cents.

One of the risks is that someone downloads a script that redirects the user to a malicious website, and this website does unpleasant things - the user was never going to get to this website, of course, not through an arcade game.

+2
source

Writing a bot that wins.
Then the game will quickly move on to writing the best bot to defeat other bots;)

If you load these scripts in an iframe with a different domain, subdomain, port or protocol, the same origin policy will prevent these scripts from reading the contents of the main page.

And you can establish a string connection between these iframe and the main page through window.postMessage for a modern browser or using window.name hack for older browsers.

And to prevent theft of cookies, you can have a secret key on your main page, which you send back to your server for each request.

+2
source

Source: https://habr.com/ru/post/1338827/

More articles:


All Articles