DEV Community

Discussion on: I tried to mount a client-side "attack" on a news website poll by using only Javascript. And I failed miserably.

Collapse
jonsamp profile image
Jon Samp

If you’re open to running a script from outside the website (a node script), you could use a tool like puppeteer to open a web page, then have it click on the poll, then have it repeat the process indefinitely. It would mimic a real user so there would be no CORS issues. This is similar to how you would end-to-end test a website, but in this case you’d be “testing” another site.

Collapse
ispoljari profile image
Ivan Spoljaric Author • Edited

Hey. Thx for the comment. I thought of a Node.js approach to bypass CORS. Not sure if it would work though - because iframes are weird. In any case that wouldn't be a client-side "attack" anymore.

Collapse
Sloan, the sloth mascot
Comment deleted
ispoljari profile image
Ivan Spoljaric Author • Edited

True. But unlike browsers Node.js servers don't implement the Same Origin Policy. So technically speaking, yeah, you are still a "client" for the target BE - although somewhat different - even though you are running your script from a server. Maybe I should have been more precise and called it a "browser-side attack".

Based on experience, i know it would be easier to try this from the server side because there are no CORS related issues. I am just not sure what would happen if I tampered with iframes in this scenario. I'll have to test this out.