this post was submitted on 10 Jul 2023
476 points (99.2% liked)
Fediverse
17724 readers
95 users here now
A community dedicated to fediverse news and discussion.
Fediverse is a portmanteau of "federation" and "universe".
Getting started on Fediverse;
- What is the fediverse?
- Fediverse Platforms
- How to run your own community
founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
I'm not particularly familiar with XSS but I'm curious how a frontend exploit can compromise an instance?
Presumably the injected XSS stores the admin's JWT somewhere for the exploiter?
Then using that JWT they can effectively login as the admin which gives them access to whatever admin dashboard there is, but does that actually compromise the backend at all?
edit: for anyone curious there's a bit of a breakdown of how it works here: https://feddit.win/comment/244427
To answer your other questions: