
security - What are the risks of letting users upload and run Javascript - Stack Overflow


If you have say an HTML5 games arcade, that allows users to upload a script that runs a game with HTML5 and Javascript, assuming you have no filters on their input (apart from only allowing JS and HTML), what are the potential security risks and pitfalls?

One unlikely possibility is that if the games are popular, they could have a dormant ddos script inside them that can launch a ddos attack if the games are popular enough.

Stealing cookies is another, but if anyone has a comprehensive list, or any other ideas it would be interesting to hear them.


asked Feb 8, 2011 at 10:43 by Tom Gullen; edited Feb 8, 2011 at 10:47 by Marcel Korpel
  • Which users will run the scripts? Only the uploader or anybody? If anybody, they could for example listen for key inputs and steal passwords. – BiAiB Commented Feb 8, 2011 at 10:52
  • The example I propose is that the games are uploaded to an online arcade, which anyone from the public can have a go on. The game could be part of a dynamic site with potential sensitive information as well. – Tom Gullen Commented Feb 8, 2011 at 10:56

4 Answers


Allowing JavaScript to be uploaded and run opens up quite a lot of options for an attacker.

See Cross Site Scripting (Wikipedia) and on OWASP.

In general - if you allow this, then an attacker can post any code, redirect users, exploit their browsers, install viruses and more.

Only my two cents..

One risk is when someone uploads a script that redirects the user to a malicious website and that website is doing nasty stuff - the user never intended to reach that website, surely not via an arcade game.

Writing a bot that wins.
Then the game would quickly move to writing a better bot to beat the other bots ;)

If you load these scripts in an iframe with another domain, subdomain, port or protocol, the same origin policy will prevent these scripts from reading the content of the main page.

And you can set up string communication between these iframes and your main page through window.postMessage for modern browsers or using the window.name hack for older browsers.

And to prevent cookie stealing, you can have a secret key in your main page that you send back to your server for each request.

Check the links below which I found helpful for understanding the possibilities.

http://ejohn/blog/javascript-based-injection-attacks/

http://google-caja.googlecode.com/svn/changes/mikesamuel/string-interpolation-29-Jan-2008/trunk/src/js/com/google/caja/interp/index.html
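The iframe-plus-postMessage setup suggested in the answer above, as an added example that is not part of the original answers: the host page accepts only string messages from the one game frame it created, on the expected origin, and only for message types it knows. The origin `https://games.example-arcade.test`, the path `/game.html`, and the `ready`/`score` message shapes are assumptions made for illustration.

```javascript
// Hypothetical separate origin for uploaded games (assumption, not from the page).
const GAME_ORIGIN = "https://games.example-arcade.test";
const MAX_MESSAGE_LENGTH = 1024;

// One validator per message type the host is willing to accept (assumed shapes).
const VALIDATORS = {
  ready: () => ({ type: "ready" }),
  score: (msg) =>
    Number.isSafeInteger(msg.value) && msg.value >= 0 && msg.value <= 1e9
      ? { type: "score", value: msg.value }
      : null,
};

// Returns a sanitized copy of the message, or null if the event must be ignored.
function acceptGameMessage(event, gameWindow) {
  if (event.origin !== GAME_ORIGIN) return null;   // sent from an unexpected origin
  if (event.source !== gameWindow) return null;    // not the frame we created
  if (typeof event.data !== "string") return null; // string communication only
  if (event.data.length > MAX_MESSAGE_LENGTH) return null;
  let msg;
  try {
    msg = JSON.parse(event.data);
  } catch {
    return null;                                   // not valid JSON
  }
  if (msg === null || typeof msg !== "object" || Array.isArray(msg)) return null;
  // Own-property lookup so names like "constructor" are not treated as types.
  if (!Object.prototype.hasOwnProperty.call(VALIDATORS, msg.type)) return null;
  return VALIDATORS[msg.type](msg);
}

// Browser wiring; skipped when the file is loaded outside a browser.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  const frame = document.createElement("iframe");
  // The frame is on a different origin from the host, so allow-same-origin only
  // lets it keep its own origin; without allow-top-navigation the game cannot
  // redirect the arcade page.
  frame.setAttribute("sandbox", "allow-scripts allow-same-origin");
  frame.src = GAME_ORIGIN + "/game.html";          // hypothetical path
  document.body.appendChild(frame);
  window.addEventListener("message", (event) => {
    const msg = acceptGameMessage(event, frame.contentWindow);
    if (msg) console.log("accepted game message", msg);
  });
}
```

The session cookie for the main site should also be marked HttpOnly, since the origin split only protects it while the game never runs on the main origin.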
