a question on the HTML Submit and why it is dangerous

Discussion in 'other security issues & news' started by lucd, May 9, 2019.

  1. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    218
    Location:
    Island of Woman
    sry for title I don't even know how to call it, I am not a web developper (yet)
    so imagine you are on a site hosted by ppl with malicious intentions, what can be done with the uploading function when u open up a window, you select your files and you upload,
    example video streaming site that lets you upload your own subtitles

    is this is like establishing a remote connection (can it be potentially used this way ), can I give them access if hit the upload thingy , apart clicking unknown links sort of danger
     
    Last edited: May 10, 2019
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    8,962
    That's always possible.

    And "malicious intentions" can range from "track you" to "pwn you".

    But anyway, if you knowingly visit dangerous sites, you ought at least to be using a Linux LiveCD in a VM. And better, on a machine that you will never trust as secure.
     
  3. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    218
    Location:
    Island of Woman
    my bad my description sucked, fixed hopefully

    I can imagine you can be pwn if you download the file back from them, or third party cookies (tracking == not pwned but still sucks)
    but not what I am interested in

    imagine an extension conversion site, or freeOCR or pic hosting sites, these are the types I mention or a video host site where you can upload a subtitle, there are so many that some of them will be malicious to some extent (I wouldn't go there intentionally but I could be a victim unknowlingly)

    I've read somewhere, once that if you open a window for uploading from your pc you kinda open a remote access to them, like opening a door, but now I google this and I can't find anything informative - that began to gnaw on me
     
    Last edited: May 13, 2019
  4. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    8,962
    As I understand it, it's the browser that prepares information to be uploaded. For GET, data gets appended to the URL. For POST, it gets appended to the body of the request. At no time can the server directly access your file system. Unless it drops malware, anyway.
     
  5. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    218
    Location:
    Island of Woman
Loading...
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.