site banner
naraburns  nihil supernum  2yr ago (text post)   4485 thread views

Small-Scale Question Sunday for October 30, 2022

Do you have a dumb question that you're kind of embarrassed to ask in the main thread? Is there something you're just not sure about?

This is your opportunity to ask questions. No question too simple or too silly.

Culture war topics are accepted, and proposals for a better intro post are appreciated.

4
Top Bottom Old Controversial Comments
Jump in the discussion.

No email address required.

Could you, say, send an API request to a bank from within your webpage, and then read the response and cookies from the host page? I'm thinking this would be blocked by both browser and site technology. This has to be what CORS is for, right? Not just to annoy me while I'm developing?

Yeah, it shouldn't matter, but if a site has e.g. an XSS vulnerability the attacker will need to be able to run some initial Javascript as the victim to kick it off. Sending an email so that they'll visit a specific page might be just that.

nothing bad can really happen to you just from following some random link.

Attackers can host exploit kits on the target site, which spray a bunch of exploits against your computer if you visit them. If your browser/plugins/extensions/OS isn't fully up to date this might very well successfully install malware. This was really relevant when I worked in IT security about 6 years ago but seems to have declined a lot recently; still, it shouldn't be dismissed out of hand quite yet.

Thanks for this, I hadn't heard of Exploit Kits before. That said, the vulnerability seems to come from the used-to-be-common experience where a browser would open an Adobe plugin or whatever, something which is uncommon-to-nonexistent nowadays. In the Wikipedia article the first source they site explaining what Exploit Kits are is an article from 2013!

I did ask for what's possible in the worst case scenario, so fair enough, but I'm still wondering if there are exploits that use a (modern) browser alone, without relying on opening other software. I guess this is another stupid question, but do browser plugins even exist anymore? I can't remember the last time I saw a page with a plug-in.

I'm still wondering if there are exploits that use a (modern) browser alone, without relying on opening other software.

Yeah. Any time there's a zero-day exploit for a browser you can be sure that attacks will start using it fairly quickly. For example, cursorily searching online I found an example of two from last year targeting Chrome in the wild.

Edit: Here's another relevant article, from this year: "Google Patches Third Actively Exploited Chrome Zero-Day of 2022"

do browser plugins even exist anymore? I can't remember the last time I saw a page with a plug-in.

I'd say Flash and Java are completely dead for any moderately recent website, yeah. Still, computers might have the plugins installed; perhaps for some internal corporate website that will never been updated. Other than that, I'd guess the Adobe PDF plugin should be fairly common too.

What is this place?

This website is a place for people who want to move past shady thinking and test their ideas in a court of people who don't all share the same biases. Our goal is to optimize for light, not heat; this is a group effort, and all commentators are asked to do their part.

The weekly Culture War threads host the most controversial topics and are the most visible aspect of The Motte. However, many other topics are appropriate here. We encourage people to post anything related to science, politics, or philosophy; if in doubt, post!

Check out The Vault for an archive of old quality posts. You are encouraged to crosspost these elsewhere.


Why are you called The Motte?

A motte is a stone keep on a raised earthwork common in early medieval fortifications. More pertinently, it's an element in a rhetorical move called a "Motte-and-Bailey", originally identified by philosopher Nicholas Shackel. It describes the tendency in discourse for people to move from a controversial but high value claim to a defensible but less exciting one upon any resistance to the former. He likens this to the medieval fortification, where a desirable land (the bailey) is abandoned when in danger for the more easily defended motte. In Shackel's words, "The Motte represents the defensible but undesired propositions to which one retreats when hard pressed."

On The Motte, always attempt to remain inside your defensible territory, even if you are not being pressed.


New post guidelines

If you're posting something that isn't related to the culture war, we encourage you to post a thread for it. A submission statement is highly appreciated, but isn't necessary for text posts or links to largely-text posts such as blogs or news articles; if we're unsure of the value of your post, we might remove it until you add a submission statement. A submission statement is required for non-text sources (videos, podcasts, images).

Culture war posts go in the culture war thread; all links must either include a submission statement or significant commentary. Bare links without those will be removed.

If in doubt, please post it!


Rules


Recommended Posts And Communities

Recommended Realtime Chats