site banner

Small-Scale Question Sunday for October 30, 2022

Do you have a dumb question that you're kind of embarrassed to ask in the main thread? Is there something you're just not sure about?

This is your opportunity to ask questions. No question too simple or too silly.

Culture war topics are accepted, and proposals for a better intro post are appreciated.

4
Jump in the discussion.

No email address required.

Could you, say, send an API request to a bank from within your webpage, and then read the response and cookies from the host page? I'm thinking this would be blocked by both browser and site technology. This has to be what CORS is for, right? Not just to annoy me while I'm developing?

Yeah, it shouldn't matter, but if a site has e.g. an XSS vulnerability the attacker will need to be able to run some initial Javascript as the victim to kick it off. Sending an email so that they'll visit a specific page might be just that.

nothing bad can really happen to you just from following some random link.

Attackers can host exploit kits on the target site, which spray a bunch of exploits against your computer if you visit them. If your browser/plugins/extensions/OS isn't fully up to date this might very well successfully install malware. This was really relevant when I worked in IT security about 6 years ago but seems to have declined a lot recently; still, it shouldn't be dismissed out of hand quite yet.

Thanks for this, I hadn't heard of Exploit Kits before. That said, the vulnerability seems to come from the used-to-be-common experience where a browser would open an Adobe plugin or whatever, something which is uncommon-to-nonexistent nowadays. In the Wikipedia article the first source they site explaining what Exploit Kits are is an article from 2013!

I did ask for what's possible in the worst case scenario, so fair enough, but I'm still wondering if there are exploits that use a (modern) browser alone, without relying on opening other software. I guess this is another stupid question, but do browser plugins even exist anymore? I can't remember the last time I saw a page with a plug-in.

I'm still wondering if there are exploits that use a (modern) browser alone, without relying on opening other software.

Yeah. Any time there's a zero-day exploit for a browser you can be sure that attacks will start using it fairly quickly. For example, cursorily searching online I found an example of two from last year targeting Chrome in the wild.

Edit: Here's another relevant article, from this year: "Google Patches Third Actively Exploited Chrome Zero-Day of 2022"

do browser plugins even exist anymore? I can't remember the last time I saw a page with a plug-in.

I'd say Flash and Java are completely dead for any moderately recent website, yeah. Still, computers might have the plugins installed; perhaps for some internal corporate website that will never been updated. Other than that, I'd guess the Adobe PDF plugin should be fairly common too.