Total.js RCE gadgets all around
3 points by sjamaan
This is literally a bunch of code speed running every XSS for the last 25 years.
Not a single one of these attacks is new, or novel.
The only difference is that the authors decided it made sense to make a “native” app rather than at least running it in a browser, where there are developers who have any clue about safety or security.
To head off “this is meant to be used for safe content”: it objectively is not; it expects people to make queries and similar for string values. The moment that happens, string concatenation and evaluation in any way is unsafe.
Again: none of this is new in JS - not doing this kind of thing is baseline competence.
Knowing that this is an unsafe way to do any of this isn’t even unique to JS, so it’s not reasonable to claim coming from other languages.
Just wow.