
As a part of work, I've come across content sniffing, and I understand web apps

Question

As a part of work, I've come across content sniffing, and I understand web apps can be vulnerable to XSS because of it. There is another post regarding content sniffing and XSS, but it didn't quite answer my question, or maybe I just misread it. Content sniffing will read the file to try and determine what type of file it is. If there are malicious HTML tags, they may be rendered.

So say I go to www.xyz.com, it loads (using Chrome for this example), I right click --> view page source, copy the page source into an HTML file, save it on my desktop, and add an XSS line within the page. I reload in Chrome and the page loads with the typical alert box. Now, because the modified HTML was loaded from my desktop, is this not an XSS vulnerability on the website's end?

Explanation / Answer

No, loading an HTML file from your computer is never an XSS vulnerability. You can run whatever code you want locally, but that doesn't affect the website.

Cross-site scripting is about getting your code executed in other users' browsers so you can interact with their session for that site. Whether that is stealing a session cookie, performing actions, or any other interaction on the site, it has to be on another user. Running scripts on yourself is rather meaningless; you could do the action yourself!

Always consider: what could I do with this? If you can't do anything that affects the confidentiality, integrity, or availability of a service, then it's not a security vulnerability.
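The sniffing behaviour the question describes, as an added example that is not part of the original post: a simplified model, loosely following the WHATWG MIME Sniffing rules, of when a browser may treat a response as HTML, plus a header check for a route that serves user-supplied content to other users. The function names, the reduced tag list and the sample body are constructed for illustration; real browsers apply more patterns and context than this model does.

```javascript
// Simplified model (assumption): a concrete declared Content-Type is honoured;
// a missing/unknown one is sniffed unless X-Content-Type-Options: nosniff is set.
const UNKNOWN_TYPES = new Set(['unknown/unknown', 'application/unknown', '*/*']);
// Reduced subset of the HTML signatures a sniffer looks for (case-insensitive).
const HTML_PREFIXES = ['<!doctype html', '<html', '<head', '<body', '<script',
                       '<iframe', '<div', '<table', '<title', '<style'];

// True when the body starts (after leading whitespace) with an HTML-looking tag
// that is terminated by a space or '>'.
function looksLikeHtml(body) {
  const head = body.slice(0, 512).replace(/^[\t\n\f\r ]+/, '').toLowerCase();
  return HTML_PREFIXES.some(p =>
    head.startsWith(p) && [' ', '>'].includes(head[p.length]));
}

// Normalise header names and pull out the two values the model cares about.
function parseHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const declared = (h['content-type'] || '').split(';')[0].trim().toLowerCase();
  const noSniff =
    (h['x-content-type-options'] || '').trim().toLowerCase() === 'nosniff';
  return { declared, noSniff, missing: !declared || UNKNOWN_TYPES.has(declared) };
}

// Type the modelled browser would act on for this response.
function effectiveType(headers, body) {
  const { declared, noSniff, missing } = parseHeaders(headers);
  if (!missing) return declared;
  if (!noSniff && looksLikeHtml(body)) return 'text/html';
  return 'text/plain'; // simplification: the spec also separates binary data
}

// Defender check: findings for a response that carries user-supplied content.
function sniffingFindings(headers, body) {
  const { declared, noSniff, missing } = parseHeaders(headers);
  const findings = [];
  if (missing) findings.push('missing-content-type');
  if (!noSniff) findings.push('missing-nosniff');
  if (declared !== 'text/html' && effectiveType(headers, body) === 'text/html')
    findings.push('sniffed-as-html');
  return findings;
}

// Constructed sample: an uploaded "text" file whose content is markup.
const upload = ' \n<script>alert(1)</script>';
console.log(effectiveType({}, upload), sniffingFindings({}, upload));
```
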
