HTML allows embedding content from different websites. Nothing stops me from including
<img src="https://target.com/image.png"> <iframe src="https://www.example.com"></iframe>
on my page. And it costs me less than 250 bytes (depending on target URL and compression). In one HTML page I can include even thousands of images, maybe a JS script to unload them after they were loaded, so that the OOM killer won't engage (and the user won't notice).
Just thinking... If I were to create a provocative article, then post it on Reddit and get a bunch of visitors. A single visitor can generate as much traffic as I want, as long as they are on the page.
How much would it cost to host a single 20kb HTML page? I guess this is a free tier for most hosting providers.
Have such attacks been carried out before?
Edit: Just discovered that ``iframe`` cannot be used because of ``X-Frame-Options``. But ``img`` still works.
from hacking: security in practice https://ift.tt/AFalQsW
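A server-side view of the traffic described in the post, as an added example that is not part of the original post: it groups access-log requests by the off-site page named in the `Referer` header, so a resource being pulled by another site's visitors stands out. The log lines, hostnames and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: hostnames the defended site serves its own pages from.
OWN_HOSTS = {"target.com", "www.target.com"}

# Combined Log Format: ip - - [time] "METHOD path proto" status bytes "referer" "agent"
LINE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3} (\S+) "([^"]*)" "[^"]*"$'
)

# Constructed sample log (documentation IP ranges, made-up referrer host).
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /image.png HTTP/1.1" 200 50000 "https://blog.example.net/post" "Mozilla/5.0"
203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "GET /image.png HTTP/1.1" 200 50000 "https://blog.example.net/post" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2024:10:00:02 +0000] "GET /image.png HTTP/1.1" 200 50000 "https://blog.example.net/post" "Mozilla/5.0"
198.51.100.9 - - [01/Jan/2024:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 1200 "https://target.com/" "Mozilla/5.0"
192.0.2.44 - - [01/Jan/2024:10:00:04 +0000] "GET /image.png HTTP/1.1" 200 50000 "-" "Mozilla/5.0"
"""

def external_referrers(lines, min_hits=3, min_clients=2):
    """Map (referrer_host, path) -> (hits, distinct_clients, bytes_sent) for
    resources fetched because they are embedded in an off-site page."""
    stats = defaultdict(lambda: [0, set(), 0])
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # not a Combined Log Format line
        ip, target, size, referer = m.groups()
        host = urlsplit(referer).hostname
        if host is None or host in OWN_HOSTS:
            continue  # no Referer ("-"), or a request from our own pages
        entry = stats[(host, urlsplit(target).path)]
        entry[0] += 1
        entry[1].add(ip)
        entry[2] += int(size) if size.isdigit() else 0  # "-" means no body
    return {
        key: (hits, len(ips), sent)
        for key, (hits, ips, sent) in stats.items()
        if hits >= min_hits and len(ips) >= min_clients
    }

if __name__ == "__main__":
    for (host, path), (hits, clients, sent) in external_referrers(
        SAMPLE_LOG.splitlines()
    ).items():
        print(f"{host} -> {path}: {hits} hits, {clients} clients, {sent} bytes")
```

Requests that arrive without a `Referer` header are not attributed by this check, so per-resource request rates still need their own monitoring.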