Monday, 23 March 2015

Is there any security benefit in stripping only `



On a client's corporate network something is stripping all `<script>` elements that contain code, i.e. things like `<script type="text/javascript">do_something();</script>` will simply be stripped from the server response before it reaches the browser. SSL doesn't help (and of course, the certificate appears broken even though it's perfectly valid).


On the other hand, HTML elements like `<script src="/something.js"></script>` aren't getting stripped and run in the browser just fine.


My question:


Is there any security benefit from such stripping?


I certainly can't see one... XSS comes to mind, but if someone is going to do an XSS attack, they'll probably try the variant with `src`, no?




And a side-question: what software could they be using? Or better yet, what can I use to emulate that situation on my Mac or PC where the development happens?
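
To reproduce the behaviour described above on a development machine, the following added example (not part of the original post, and not the software the client's network uses) wraps a WSGI app in middleware that removes `<script>` elements with an inline body and leaves `src` references alone. The regex rule, `StripInlineScripts`, `demo_app` and port 8000 are assumptions made for illustration; a script with both `src` and a body is assumed to pass through.

```python
import re
from wsgiref.simple_server import make_server

# One <script ...>...</script> element; group 1 = attributes, group 2 = body.
SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script\s*>", re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(r"\bsrc\s*=", re.IGNORECASE)


def strip_inline_scripts(html: str) -> str:
    """Drop script elements that carry code in their body; keep src-only ones."""
    def decide(match):
        attrs, body = match.group(1), match.group(2)
        if body.strip() and not SRC_RE.search(attrs):
            return ""            # inline code: removed (assumed filter rule)
        return match.group(0)    # external reference: passes through untouched
    return SCRIPT_RE.sub(decide, html)


class StripInlineScripts:
    """Hypothetical WSGI middleware that filters text/html responses."""
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        captured = {}
        def capture(status, headers, exc_info=None):
            captured["status"], captured["headers"] = status, headers
        body = b"".join(self.app(environ, capture))
        headers = captured["headers"]
        if any(k.lower() == "content-type" and v.startswith("text/html") for k, v in headers):
            body = strip_inline_scripts(body.decode("utf-8")).encode("utf-8")
            # The body shrank, so the declared length has to be recomputed.
            headers = [(k, v) for k, v in headers if k.lower() != "content-length"]
            headers.append(("Content-Length", str(len(body))))
        start_response(captured["status"], headers)
        return [body]


# Constructed sample page using the two script forms from the question.
SAMPLE = ('<html><head><script src="/something.js"></script></head><body>'
          '<script type="text/javascript">do_something();</script></body></html>')

def demo_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [SAMPLE.encode("utf-8")]

if __name__ == "__main__":
    make_server("127.0.0.1", 8000, StripInlineScripts(demo_app)).serve_forever()
```

Replace `demo_app` with the application under development to see which pages break once inline scripts disappear.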




