How badly should I try to prevent a user from XSSing themselves? The Next CEO of Stack OverflowHow to best defend against Targeted Attacks?How to prevent my website from getting malware injection attacks?CodeIgniter CSRF confusionHow to prevent XSS from urlHow do the Stack Exchange sites protect themselves from XSS?How to prevent data from Interception?Safely downloading user submitted contentShould we prevent this login XSS attack?How to prevent XSS in user-generated content (html) without disabling scripts and CSSa mysterious & pointless long-term hacking attempt?

Is it correct to say moon starry nights?

MT "will strike" & LXX "will watch carefully" (Gen 3:15)?

Is a distribution that is normal, but highly skewed, considered Gaussian?

Is it possible to make a 9x9 table fit within the default margins?

How should I connect my cat5 cable to connectors having an orange-green line?

Early programmable calculators with RS-232

What is the difference between 'contrib' and 'non-free' packages repositories?

Airship steam engine room - problems and conflict

Avoiding the "not like other girls" trope?

How to find if SQL server backup is encrypted with TDE without restoring the backup

How can the PCs determine if an item is a phylactery?

How to pronounce fünf in 45

Read/write a pipe-delimited file line by line with some simple text manipulation

Free fall ellipse or parabola?

How does a dynamic QR code work?

Can this transistor (2n2222) take 6V on emitter-base? Am I reading datasheet incorrectly?

Is this a new Fibonacci Identity?

What difference does it make matching a word with/without a trailing whitespace?

A hang glider, sudden unexpected lift to 25,000 feet altitude, what could do this?

Ising model simulation

Is the offspring between a demon and a celestial possible? If so what is it called and is it in a book somewhere?

That's an odd coin - I wonder why

Simplify trigonometric expression using trigonometric identities

Find a path from s to t using as few red nodes as possible



How badly should I try to prevent a user from XSSing themselves?



The Next CEO of Stack OverflowHow to best defend against Targeted Attacks?How to prevent my website from getting malware injection attacks?CodeIgniter CSRF confusionHow to prevent XSS from urlHow do the Stack Exchange sites protect themselves from XSS?How to prevent data from Interception?Safely downloading user submitted contentShould we prevent this login XSS attack?How to prevent XSS in user-generated content (html) without disabling scripts and CSSa mysterious & pointless long-term hacking attempt?










2















Let's say a user can store some data in a web app. I'm now only talking about that sort of data the user can THEMSELVES view, not that is intended to be viewed by other users of the webapp. (Or if other users may view this data then it is handled to them in a more secure way.)



How horrible would it be to allow some XSS vulnerability in this data?



Of course, a purist's answer would clearly be: "No vulnerabilities are allowed". But honestly - why?



Everything that is allowed is the user XSSing THEMSELVES. What's the harm here? Other users are protected. And I can't see a reason why would someone mount an attack against themselves (except if it is a harmless one, in which case - again - no harm is done).



My gut feelings are that the above reasoning will raise some eyebrows... OK, then what am I failing to see?










share|improve this question






















  • How can you limit the scope of an XSS vuln to just some data? This is asking to open the door to everything getting compromised. Don't be lazy with it

    – Crumblez
    5 hours ago















2















Let's say a user can store some data in a web app. I'm now only talking about that sort of data the user can THEMSELVES view, not that is intended to be viewed by other users of the webapp. (Or if other users may view this data then it is handled to them in a more secure way.)



How horrible would it be to allow some XSS vulnerability in this data?



Of course, a purist's answer would clearly be: "No vulnerabilities are allowed". But honestly - why?



Everything that is allowed is the user XSSing THEMSELVES. What's the harm here? Other users are protected. And I can't see a reason why would someone mount an attack against themselves (except if it is a harmless one, in which case - again - no harm is done).



My gut feelings are that the above reasoning will raise some eyebrows... OK, then what am I failing to see?










share|improve this question






















  • How can you limit the scope of an XSS vuln to just some data? This is asking to open the door to everything getting compromised. Don't be lazy with it

    – Crumblez
    5 hours ago













2












2








2








Let's say a user can store some data in a web app. I'm now only talking about that sort of data the user can THEMSELVES view, not that is intended to be viewed by other users of the webapp. (Or if other users may view this data then it is handled to them in a more secure way.)



How horrible would it be to allow some XSS vulnerability in this data?



Of course, a purist's answer would clearly be: "No vulnerabilities are allowed". But honestly - why?



Everything that is allowed is the user XSSing THEMSELVES. What's the harm here? Other users are protected. And I can't see a reason why would someone mount an attack against themselves (except if it is a harmless one, in which case - again - no harm is done).



My gut feelings are that the above reasoning will raise some eyebrows... OK, then what am I failing to see?










share|improve this question














Let's say a user can store some data in a web app. I'm now only talking about that sort of data the user can THEMSELVES view, not that is intended to be viewed by other users of the webapp. (Or if other users may view this data then it is handled to them in a more secure way.)



How horrible would it be to allow some XSS vulnerability in this data?



Of course, a purist's answer would clearly be: "No vulnerabilities are allowed". But honestly - why?



Everything that is allowed is the user XSSing THEMSELVES. What's the harm here? Other users are protected. And I can't see a reason why would someone mount an attack against themselves (except if it is a harmless one, in which case - again - no harm is done).



My gut feelings are that the above reasoning will raise some eyebrows... OK, then what am I failing to see?







xss attacks






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked 5 hours ago









gaazkamgaazkam

1,3162819




1,3162819












  • How can you limit the scope of an XSS vuln to just some data? This is asking to open the door to everything getting compromised. Don't be lazy with it

    – Crumblez
    5 hours ago

















  • How can you limit the scope of an XSS vuln to just some data? This is asking to open the door to everything getting compromised. Don't be lazy with it

    – Crumblez
    5 hours ago
















How can you limit the scope of an XSS vuln to just some data? This is asking to open the door to everything getting compromised. Don't be lazy with it

– Crumblez
5 hours ago





How can you limit the scope of an XSS vuln to just some data? This is asking to open the door to everything getting compromised. Don't be lazy with it

– Crumblez
5 hours ago










2 Answers
2






active

oldest

votes


















3














This is actually a real concept, "Self XSS" which is sufficiently common that if you open https://facebook.com and then open the developer tools, they warn you about it as shown here



Obviously Facebook is a specific type of target and whether this issue matters to you or not, would depend on the exact nature of your site, but you may not be able to discount the idea of one user using social engineering techniques to get another user to attack themselves.






share|improve this answer






























    0














    Although you are right in that it might not matter so much from an attack point of view. From a usability point of view, the user might come across some 'unexpected behavior'. A while ago I used to have to work with software that had an obvious SQL injection problem (contractors couldn't/wouldn't fix it). This meant that unexpecting users would enter in something seemingly harmless such as their name "O'Brien", which would trigger an SQL injection and for computer illiterate people it was unexpected behavior. It is probably less likely with XSS, however consider the following if a user uses <> instead of () the data might seem to disappear. A proof of concept is below:



    <html>
    <head><title>HI</title></head>
    <body>
    <h1>WEBSITE</h1>
    Hey my name is <travis>.
    </body>
    </html>


    Note that when this website is rendered, the word 'travis', is not rendered.






    share|improve this answer























      Your Answer








      StackExchange.ready(function()
      var channelOptions =
      tags: "".split(" "),
      id: "162"
      ;
      initTagRenderer("".split(" "), "".split(" "), channelOptions);

      StackExchange.using("externalEditor", function()
      // Have to fire editor after snippets, if snippets enabled
      if (StackExchange.settings.snippets.snippetsEnabled)
      StackExchange.using("snippets", function()
      createEditor();
      );

      else
      createEditor();

      );

      function createEditor()
      StackExchange.prepareEditor(
      heartbeatType: 'answer',
      autoActivateHeartbeat: false,
      convertImagesToLinks: false,
      noModals: true,
      showLowRepImageUploadWarning: true,
      reputationToPostImages: null,
      bindNavPrevention: true,
      postfix: "",
      imageUploader:
      brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
      contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
      allowUrls: true
      ,
      noCode: true, onDemand: true,
      discardSelector: ".discard-answer"
      ,immediatelyShowMarkdownHelp:true
      );



      );













      draft saved

      draft discarded


















      StackExchange.ready(
      function ()
      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f206579%2fhow-badly-should-i-try-to-prevent-a-user-from-xssing-themselves%23new-answer', 'question_page');

      );

      Post as a guest















      Required, but never shown

























      2 Answers
      2






      active

      oldest

      votes








      2 Answers
      2






      active

      oldest

      votes









      active

      oldest

      votes






      active

      oldest

      votes









      3














      This is actually a real concept, "Self XSS" which is sufficiently common that if you open https://facebook.com and then open the developer tools, they warn you about it as shown here



      Obviously Facebook is a specific type of target and whether this issue matters to you or not, would depend on the exact nature of your site, but you may not be able to discount the idea of one user using social engineering techniques to get another user to attack themselves.






      share|improve this answer



























        3














        This is actually a real concept, "Self XSS" which is sufficiently common that if you open https://facebook.com and then open the developer tools, they warn you about it as shown here



        Obviously Facebook is a specific type of target and whether this issue matters to you or not, would depend on the exact nature of your site, but you may not be able to discount the idea of one user using social engineering techniques to get another user to attack themselves.






        share|improve this answer

























          3












          3








          3







          This is actually a real concept, "Self XSS" which is sufficiently common that if you open https://facebook.com and then open the developer tools, they warn you about it as shown here



          Obviously Facebook is a specific type of target and whether this issue matters to you or not, would depend on the exact nature of your site, but you may not be able to discount the idea of one user using social engineering techniques to get another user to attack themselves.






          share|improve this answer













          This is actually a real concept, "Self XSS" which is sufficiently common that if you open https://facebook.com and then open the developer tools, they warn you about it as shown here



          Obviously Facebook is a specific type of target and whether this issue matters to you or not, would depend on the exact nature of your site, but you may not be able to discount the idea of one user using social engineering techniques to get another user to attack themselves.







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered 5 hours ago









          Rоry McCuneRоry McCune

          52.7k13113187




          52.7k13113187























              0














              Although you are right in that it might not matter so much from an attack point of view. From a usability point of view, the user might come across some 'unexpected behavior'. A while ago I used to have to work with software that had an obvious SQL injection problem (contractors couldn't/wouldn't fix it). This meant that unexpecting users would enter in something seemingly harmless such as their name "O'Brien", which would trigger an SQL injection and for computer illiterate people it was unexpected behavior. It is probably less likely with XSS, however consider the following if a user uses <> instead of () the data might seem to disappear. A proof of concept is below:



              <html>
              <head><title>HI</title></head>
              <body>
              <h1>WEBSITE</h1>
              Hey my name is <travis>.
              </body>
              </html>


              Note that when this website is rendered, the word 'travis', is not rendered.






              share|improve this answer



























                0














                Although you are right in that it might not matter so much from an attack point of view. From a usability point of view, the user might come across some 'unexpected behavior'. A while ago I used to have to work with software that had an obvious SQL injection problem (contractors couldn't/wouldn't fix it). This meant that unexpecting users would enter in something seemingly harmless such as their name "O'Brien", which would trigger an SQL injection and for computer illiterate people it was unexpected behavior. It is probably less likely with XSS, however consider the following if a user uses <> instead of () the data might seem to disappear. A proof of concept is below:



                <html>
                <head><title>HI</title></head>
                <body>
                <h1>WEBSITE</h1>
                Hey my name is <travis>.
                </body>
                </html>


                Note that when this website is rendered, the word 'travis', is not rendered.






                share|improve this answer

























                  0












                  0








                  0







                  Although you are right in that it might not matter so much from an attack point of view. From a usability point of view, the user might come across some 'unexpected behavior'. A while ago I used to have to work with software that had an obvious SQL injection problem (contractors couldn't/wouldn't fix it). This meant that unexpecting users would enter in something seemingly harmless such as their name "O'Brien", which would trigger an SQL injection and for computer illiterate people it was unexpected behavior. It is probably less likely with XSS, however consider the following if a user uses <> instead of () the data might seem to disappear. A proof of concept is below:



                  <html>
                  <head><title>HI</title></head>
                  <body>
                  <h1>WEBSITE</h1>
                  Hey my name is <travis>.
                  </body>
                  </html>


                  Note that when this website is rendered, the word 'travis', is not rendered.






                  share|improve this answer













                  Although you are right in that it might not matter so much from an attack point of view. From a usability point of view, the user might come across some 'unexpected behavior'. A while ago I used to have to work with software that had an obvious SQL injection problem (contractors couldn't/wouldn't fix it). This meant that unexpecting users would enter in something seemingly harmless such as their name "O'Brien", which would trigger an SQL injection and for computer illiterate people it was unexpected behavior. It is probably less likely with XSS, however consider the following if a user uses <> instead of () the data might seem to disappear. A proof of concept is below:



                  <html>
                  <head><title>HI</title></head>
                  <body>
                  <h1>WEBSITE</h1>
                  Hey my name is <travis>.
                  </body>
                  </html>


                  Note that when this website is rendered, the word 'travis', is not rendered.







                  share|improve this answer












                  share|improve this answer



                  share|improve this answer










                  answered 4 hours ago









                  meowcatmeowcat

                  1644




                  1644



























                      draft saved

                      draft discarded
















































                      Thanks for contributing an answer to Information Security Stack Exchange!


                      • Please be sure to answer the question. Provide details and share your research!

                      But avoid


                      • Asking for help, clarification, or responding to other answers.

                      • Making statements based on opinion; back them up with references or personal experience.

                      To learn more, see our tips on writing great answers.




                      draft saved


                      draft discarded














                      StackExchange.ready(
                      function ()
                      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f206579%2fhow-badly-should-i-try-to-prevent-a-user-from-xssing-themselves%23new-answer', 'question_page');

                      );

                      Post as a guest















                      Required, but never shown





















































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown

































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown







                      Popular posts from this blog

                      Disable / Remove link to Product Items in Cart Planned maintenance scheduled April 23, 2019 at 23:30 UTC (7:30pm US/Eastern) Announcing the arrival of Valued Associate #679: Cesar Manara Unicorn Meta Zoo #1: Why another podcast?How can I limit products that can be bought / added to cart?Remove item from cartHide “Add to Cart” button if specific products are already in cart“Prettifying” the custom options in cart pageCreate link in cart sidebar to view all added items After limit reachedLink products together in checkout/cartHow to Get product from cart and add it againHide action-edit on cart page if simple productRemoving Cart items - ObserverRemove wishlist items when added to cart

                      Helsingin valtaus Sisällysluettelo Taustaa | Yleistä sotatoimista | Osapuolet | Taistelut Helsingin ympäristössä | Punaisten antautumissuunnitelma | Taistelujen kulku Helsingissä | Valtauksen jälkeen | Tappiot | Muistaminen | Kirjallisuutta | Lähteet | Aiheesta muualla | NavigointivalikkoTeoksen verkkoversioTeoksen verkkoversioGoogle BooksSisällissota Helsingissä päättyi tasan 95 vuotta sittenSaksalaisten ylivoima jyräsi punaisen HelsinginSuomalaiset kuvaavat sotien jälkiä kaupungeissa – katso kuvat ja tarinat tutuilta kulmiltaHelsingin valtaus 90 vuotta sittenSaksalaiset valtasivat HelsinginHyökkäys HelsinkiinHelsingin valtaus 12.–13.4. 1918Saksalaiset käyttivät ihmiskilpiä Helsingin valtauksessa 1918Teoksen verkkoversioTeoksen verkkoversioSaksalaiset hyökkäävät Etelä-SuomeenTaistelut LeppävaarassaSotilaat ja taistelutLeppävaara 1918 huhtikuussa. KapinatarinaHelsingin taistelut 1918Saksalaisten voitonparaati HelsingissäHelsingin valtausta juhlittiinSaksalaisten Helsinki vuonna 1918Helsingin taistelussa kaatuneet valkokaartilaisetHelsinkiin haudatut taisteluissa kaatuneet punaiset12.4.1918 Helsingin valtauksessa saksalaiset apujoukot vapauttavat kaupunginVapaussodan muistomerkkejä Helsingissä ja pääkaupunkiseudullaCrescendo / Vuoden 1918 Kansalaissodan uhrien muistomerkkim

                      Adjektiivitarina Tarinan tekeminen | Esimerkki: ennen | Esimerkki: jälkeen | Navigointivalikko