Dumbbox Hooks?



  • Does DumbBox raise any events client-side after it's done rendering?

    I'd like to attach a javascript event to that (the same way NodeBB raises action:posts_loaded and shit like that).



  • @Lorne-Kates iframely is completely server-side. If whitelisted third party websites do stupid things, that's not something I can control.


  • BINNED

    @ben_lubar said in Dumbbox Hooks?:

    If whitelisted third party websites do stupid things

    like receiving a request for every keystroke someone makes in a browser text box that happens to have a link to the site included in it? Yeah, stupid third party websites


  • sockdevs

    @ben_lubar said in Dumbbox Hooks?:

    @Lorne-Kates iframely is completely server-side. If whitelisted third party websites do stupid things, that's not something I can control.

    so what you're saying is we need to set th elist of whitelisted sites to ""?



  • @ben_lubar said in Dumbbox Hooks?:

    @Lorne-Kates iframely is completely server-side. If whitelisted third party websites do stupid things, that's not something I can control.

    How can it be completely server-side?

    Maybe I'm just thinking of the Twitter dumbbox?

    If I post this: https://twitter.com/RiffTrax/status/792048288841080832

    It will hit the client as this: https://twitter.com/RiffTrax/status/792048288841080832

    And then something client-side happens and it becomes this:



  • @Lorne-Kates this is the rendered content of the post:

    <p><a class="plugin-mentions-a" href="https://what.thedailywtf.com/uid/1">@ben_lubar</a> said in <a href="/post/1026381">Dumbbox Hooks?</a>:</p>
    <blockquote>
    <p><a class="plugin-mentions-a" href="https://what.thedailywtf.com/uid/21">@Lorne-Kates</a> iframely is completely server-side. If whitelisted third party websites do stupid things, that&#39;s not something I can control.</p>
    </blockquote>
    <p>How can it be completely server-side?</p>
    <p>Maybe I&#39;m just thinking of the Twitter dumbbox?</p>
    <p>If I post this: <a href="https://twitter.com/RiffTrax/status/792048288841080832" rel="nofollow">https://twitter.com/RiffTrax/status/792048288841080832</a></p>
    <p>It will hit the client as this: <a href="https://twitter.com/RiffTrax/status/792048288841080832" rel="nofollow">https://twitter.com/RiffTrax/status/792048288841080832</a></p>
    <p>And then something client-side happens and it becomes this:</p>
    <div class="iframely-link">
    
    	
    
    	<div class="iframely-container">
    		<blockquote class="twitter-tweet"><p lang="en" dir="ltr">Our deal of the week is the Mario Bros movie that never should have been made. Seeing is believing. <a href="https://t.co/859wGYP6cW">https://t.co/859wGYP6cW</a> <a href="https://t.co/RXIITh6qjs">pic.twitter.com/RXIITh6qjs</a></p>&mdash; RiffTrax (@RiffTrax) <a href="https://twitter.com/RiffTrax/status/792048288841080832">October 28, 2016</a></blockquote>
    <script async src="//platform.twitter.com/widgets.js" charset="utf-8"></script>
    	</div>
    </div>
    

    Which is from Twitter's oEmbed API:

    {"url":"https:\/\/twitter.com\/RiffTrax\/status\/792048288841080832","author_name":"RiffTrax","author_url":"https:\/\/twitter.com\/RiffTrax","html":"\u003Cblockquote class=\"twitter-tweet\"\u003E\u003Cp lang=\"en\" dir=\"ltr\"\u003EOur deal of the week is the Mario Bros movie that never should have been made. Seeing is believing. \u003Ca href=\"https:\/\/t.co\/859wGYP6cW\"\u003Ehttps:\/\/t.co\/859wGYP6cW\u003C\/a\u003E \u003Ca href=\"https:\/\/t.co\/RXIITh6qjs\"\u003Epic.twitter.com\/RXIITh6qjs\u003C\/a\u003E\u003C\/p\u003E&mdash; RiffTrax (@RiffTrax) \u003Ca href=\"https:\/\/twitter.com\/RiffTrax\/status\/792048288841080832\"\u003EOctober 28, 2016\u003C\/a\u003E\u003C\/blockquote\u003E\n\u003Cscript async src=\"\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"\u003E\u003C\/script\u003E","width":550,"height":null,"type":"rich","cache_age":"3153600000","provider_name":"Twitter","provider_url":"https:\/\/twitter.com","version":"1.0"}
    

  • sockdevs

    @ben_lubar said in Dumbbox Hooks?:

    @Lorne-Kates this is the rendered content of the post:

    <p><a class="plugin-mentions-a" href="https://what.thedailywtf.com/uid/1">@ben_lubar</a> said in <a href="/post/1026381">Dumbbox Hooks?</a>:</p>
    <blockquote>
    <p><a class="plugin-mentions-a" href="https://what.thedailywtf.com/uid/21">@Lorne-Kates</a> iframely is completely server-side. If whitelisted third party websites do stupid things, that&#39;s not something I can control.</p>
    </blockquote>
    <p>How can it be completely server-side?</p>
    <p>Maybe I&#39;m just thinking of the Twitter dumbbox?</p>
    <p>If I post this: <a href="https://twitter.com/RiffTrax/status/792048288841080832" rel="nofollow">https://twitter.com/RiffTrax/status/792048288841080832</a></p>
    <p>It will hit the client as this: <a href="https://twitter.com/RiffTrax/status/792048288841080832" rel="nofollow">https://twitter.com/RiffTrax/status/792048288841080832</a></p>
    <p>And then something client-side happens and it becomes this:</p>
    <div class="iframely-link">
    
    	
    
    	<div class="iframely-container">
    		<blockquote class="twitter-tweet"><p lang="en" dir="ltr">Our deal of the week is the Mario Bros movie that never should have been made. Seeing is believing. <a href="https://t.co/859wGYP6cW">https://t.co/859wGYP6cW</a> <a href="https://t.co/RXIITh6qjs">pic.twitter.com/RXIITh6qjs</a></p>&mdash; RiffTrax (@RiffTrax) <a href="https://twitter.com/RiffTrax/status/792048288841080832">October 28, 2016</a></blockquote>
    <script async src="//platform.twitter.com/widgets.js" charset="utf-8"></script>
    	</div>
    </div>
    

    Which is from Twitter's oEmbed API:

    {"url":"https:\/\/twitter.com\/RiffTrax\/status\/792048288841080832","author_name":"RiffTrax","author_url":"https:\/\/twitter.com\/RiffTrax","html":"\u003Cblockquote class=\"twitter-tweet\"\u003E\u003Cp lang=\"en\" dir=\"ltr\"\u003EOur deal of the week is the Mario Bros movie that never should have been made. Seeing is believing. \u003Ca href=\"https:\/\/t.co\/859wGYP6cW\"\u003Ehttps:\/\/t.co\/859wGYP6cW\u003C\/a\u003E \u003Ca href=\"https:\/\/t.co\/RXIITh6qjs\"\u003Epic.twitter.com\/RXIITh6qjs\u003C\/a\u003E\u003C\/p\u003E&mdash; RiffTrax (@RiffTrax) \u003Ca href=\"https:\/\/twitter.com\/RiffTrax\/status\/792048288841080832\"\u003EOctober 28, 2016\u003C\/a\u003E\u003C\/blockquote\u003E\n\u003Cscript async src=\"\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"\u003E\u003C\/script\u003E","width":550,"height":null,"type":"rich","cache_age":"3153600000","provider_name":"Twitter","provider_url":"https:\/\/twitter.com","version":"1.0"}
    

    so...... the solution is to dewhitelist twitter.

    got it.

    also why the absolute fuck is that embedded directly into the page rather than being sandboxed in a onebox?

    that's just ASKING for someone to do a trivial XSS attack against you.



  • @accalia said in Dumbbox Hooks?:

    that's just ASKING for someone to do a trivial XSS attack against you.

    Yeah, just trivially get whitelisted by iframely on the same level that Twitter is, or trivially inject malicious code into Twitter's CDN.

    You know, trivial stuff.


  • sockdevs

    @ben_lubar said in Dumbbox Hooks?:

    just trivially get whitelisted by iframely o

    i've seen the default iframely whitelist.

    believe me, crafting an XSS based on that whitelist is trivial.

    and twitter's had successful XSS attacks before.


  • I survived the hour long Uno hand

    This post is deleted!

  • Winner of the 2016 Presidential Election

    @accalia said in Dumbbox Hooks?:

    @ben_lubar said in Dumbbox Hooks?:

    just trivially get whitelisted by iframely o

    i've seen the default iframely whitelist.

    believe me, crafting an XSS based on that whitelist is trivial.

    and twitter's had successful XSS attacks before.

    The best way to get banned your bug fixed is to post a proof-of-concept, preferably an annoying or disruptive one.

    I got jsfiddle blacklisted but quick.


    Filed under: If I XSS myself into being a moderator, can I keep it?



  • @error said in Dumbbox Hooks?:

    If I XSS myself into being a moderator, can I keep it?

    Yes, but since mods don't do anything, you can't either. =)



  • @ben_lubar said in Dumbbox Hooks?:

    Yeah, just trivially get whitelisted by iframely on the same level that Twitter is, or trivially inject malicious code into Twitter's CDN.

    Wasn't Youtube whitelisted on DickHoressss?


  • sockdevs

    @Lorne-Kates said in Dumbbox Hooks?:

    @ben_lubar said in Dumbbox Hooks?:

    Yeah, just trivially get whitelisted by iframely on the same level that Twitter is, or trivially inject malicious code into Twitter's CDN.

    Wasn't Youtube whitelisted on DickHoressss?

    yep. and we found an XSS vulnerability there too.


  • Impossible Mission Players - A

    @accalia said in Dumbbox Hooks?:

    @Lorne-Kates said in Dumbbox Hooks?:

    @ben_lubar said in Dumbbox Hooks?:

    Yeah, just trivially get whitelisted by iframely on the same level that Twitter is, or trivially inject malicious code into Twitter's CDN.

    Wasn't Youtube whitelisted on DickHoressss?

    yep. and we found an XSS vulnerability there too.

    Unsanitized title string, right?


  • sockdevs

    @Tsaukpaetra said in Dumbbox Hooks?:

    @accalia said in Dumbbox Hooks?:

    @Lorne-Kates said in Dumbbox Hooks?:

    @ben_lubar said in Dumbbox Hooks?:

    Yeah, just trivially get whitelisted by iframely on the same level that Twitter is, or trivially inject malicious code into Twitter's CDN.

    Wasn't Youtube whitelisted on DickHoressss?

    yep. and we found an XSS vulnerability there too.

    Unsanitized title string, right?

    indeed.



  • @accalia said in Dumbbox Hooks?:

    @Lorne-Kates said in Dumbbox Hooks?:

    @ben_lubar said in Dumbbox Hooks?:

    Yeah, just trivially get whitelisted by iframely on the same level that Twitter is, or trivially inject malicious code into Twitter's CDN.

    Wasn't Youtube whitelisted on DickHoressss?

    yep. and we found an XSS vulnerability there too.

    That's my point.


  • sockdevs

    @Lorne-Kates said in Dumbbox Hooks?:

    @accalia said in Dumbbox Hooks?:

    @Lorne-Kates said in Dumbbox Hooks?:

    @ben_lubar said in Dumbbox Hooks?:

    Yeah, just trivially get whitelisted by iframely on the same level that Twitter is, or trivially inject malicious code into Twitter's CDN.

    Wasn't Youtube whitelisted on DickHoressss?

    yep. and we found an XSS vulnerability there too.

    That's my point.

    mine too actually


Log in to reply
 

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.