undefined | Better HN

0 pointstptacek5y ago0 comments

XSS isn't ordinarily RCE, and XSS is generally much more common than the attacks that do reliably give RCE. It's notable that un-hardened Electron elevates XSS to RCE, because it means there are a lot more opportunities for RCE. That's the subtext of the comment you're replying to.

0 comments

a13692099935y ago

Yes it is? XSS lets you execute javascript code remotely; that's literally a subset of RCE. Are you talking about virtual machine escapes (running native machine code)?

tptacekOP5y ago

No, that is not remotely what practitioners mean by RCE.

a13692099935y ago

"Remote Code Execution" means the attacker can Execute Code Remotely, right? I guess you could classify the virtual machine as a (virtually) separate machine from the physical one, so that it's not a RCE on the machine you actually want to attack, but it's clearly executing code on some machine that the remote attacker isn't supposed to be able to execute code on.

1 more reply

j / k navigate · click thread line to collapse

0 pointstptacek5y ago0 comments

0 comments

a13692099935y ago

Yes it is? XSS lets you execute javascript code remotely; that's literally a subset of RCE. Are you talking about virtual machine escapes (running native machine code)?

tptacekOP5y ago

No, that is not remotely what practitioners mean by RCE.

a13692099935y ago

1 more reply

j / k navigate · click thread line to collapse