lock's Issues

Remake

This is a plan to start Lock from scratch, changing everything (including the name).
This will be updated as more things are added, feel free to comment on the changes.

Roadmap

API-Based

  • Two completely separate things.
    • Client (makes request to API)
    • API (updates DB and returns encrypted JSON data back to client)
  • API over generating HTML

Security

  • Encrypted data sent to client, which has the ability to decrypt data and present to user
  • Client sends encrypted data
  • Server does not have access to any raw data

Images

  • Send images instead of just text

Use Cases

  • Sending wifi passwords 😉
  • Make a giveaway
    • First person to click the link included in the message wins!
  • Simple messaging with friends

Designs

  • A list of designs will be available here soon

Goal

  • Provide an easy way to send self destructing messages.
  • Not responsible if user sends sensitive data that is screenshotted

Recode

I need to recode everything as the methods used in this just aren't efficient. :(

Stored XSS

Hi KingPixil,

Lock is vulnerable to stored XSS, a form of code injection wherein one can execute malicious scripts into a page.

Why does this vulnerability exist?

Cross-site scripting exists whenever input can be interpreted as code. In this case you simply replace {{message}} in template.html with the user's message without escaping the input:

var renderDel = function(message) {
    return template.replace(/{{message}}/g, message);
}

Link: https://github.com/KingPixil/lock/blob/master/src/view.js#L6-L8

<div id="content">
    <h3 class="centered">{{message}}</h3>
    <h5 id="counter">5</h5>
</div>

Link: https://github.com/KingPixil/lock/blob/master/views/template/template.html#L22-L25

With the payload this looks as follows:

<div id="content">
    <h3 class="centered"><svg onload=alert(1)></h3>
    <h5 id="counter">5</h5>
</div>

The example above should open up an alert box displaying 1.

What are the exploits?

A cross-site scripting vulnerability allows an attacker to modify the page.

A very good list of malicious payloads can be found here: http://www.xss-payloads.com/payloads.html

How can this be prevented?

As mentioned before, all user input should be escaped.
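
The escaping recommended above, as an added example that is not part of the original issue or of Lock's own code. The template string is a constructed stand-in for the quoted lines of template.html, and `escapeHtml`, `renderDelUnsafe` and `renderDelSafe` are hypothetical names.

```javascript
// Added example; not code from the lock repository.
// Constructed stand-in for the template.html lines quoted in the issue.
const template = [
  '<div id="content">',
  '    <h3 class="centered">{{message}}</h3>',
  '    <h5 id="counter">5</h5>',
  '</div>'
].join('\n');

// Characters that can change HTML parsing in element content or quoted attributes.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;'
};

// Hypothetical helper: encode the message so the browser treats it as text.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Behaviour of renderDel as quoted in the issue: raw substitution.
function renderDelUnsafe(message) {
  return template.replace(/{{message}}/g, message);
}

// Hardened variant (hypothetical name). The replacer function matters:
// with a string replacement, "$&" in the escaped text (for example from
// "&" -> "&amp;" after a "$") would be expanded by String.prototype.replace.
function renderDelSafe(message) {
  const escaped = escapeHtml(message);
  return template.replace(/\{\{message\}\}/g, () => escaped);
}

const payload = '<svg onload=alert(1)>'; // payload from the issue
console.log(renderDelUnsafe(payload)); // markup reaches the page unchanged
console.log(renderDelSafe(payload));   // rendered as inert text
```

This encoding fits the place where the template puts the message, the text content of the `<h3>` element; a value placed inside a script block, URL or unquoted attribute would need encoding for that context instead.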
