There is a static site on GitHub Pages, where only HTML, CSS and JavaScript can be stored. I read that static sites are less vulnerable to hacking, but not 100%.

Passwords are stored in a safe place; the browser is portable.

How can hacker attacks on a static site be carried out, and how can one protect against them?

  • The question is about GitHub, but the answer, even if given with GitHub as the example, is applicable to any static site on third-party hosting. Notice that I did not remove the mention of GitHub from the body of the question, only from the title and tags. This is done so that all questions on this topic can be declared duplicates of yours, which is useful both to the community as a whole (no two dozen answers of the same type, differing only in domain and hosting names) and to you personally (more questions, more reputation). As for removing the "water", I answered earlier. - Risto

1 answer

Before talking about the possibility of hacking, it is necessary to evaluate the possible profit from this:

  • Getting control of someone else's computing power: unrealistic, GitHub is protected even from you in this regard: it does not allow custom plugins for Jekyll (the only supported engine), which could contain arbitrary Ruby code.

    Hold tight to your GitHub account:

    • Enable two-factor authentication.
    • For Git authentication, use SSH keys, and give them names that let you tell which key to revoke if the need arises.
  • Getting confidential user data: do you collect it? Store it? GitHub Pages does not provide any server-side storage. What remains is storing data on the client (there is plenty to choose from now: WebSQL, IndexedDB, LocalStorage) or intercepting it right at input.

    Without access to the client at least at the browser level (if the user has malicious browser extensions or holes in the OS, there is little you can do), the only remaining option is to trick the user into executing the attacker's JS code: this is XSS.

    The most trivial case is outputting part of the URL without escaping: if it "accidentally" (via a link someone sent) contains a <script> with malicious code, the browser will load and execute it. There are less obvious cases; this is a vast topic.

  • Making the site inoperable...

    Blocking by ISPs probably does not count as hacking, although it makes the site inoperable for a certain circle of users. We consider inoperability for everyone (or almost everyone; of course, anyone can spin up their own copy from the source).

    The only vulnerability is the domain: it can theoretically be "hijacked" and pointed at the attacker's machine. If you use *.imtqy.com, then you rely on GitHub protecting your domain. If you use your own, hold on tight to your account with the registrar.
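    The "output part of the URL without escaping" case from the answer, as an added example that is not part of the original post: a page that shows a search term taken from the URL fragment (`#q=...`), once echoed raw into markup and once escaped. The `q` parameter, the banner markup and the sample links are assumptions made for the example; the functions are pure string operations so they also run outside a browser.

```javascript
// Added example, not from the original answer. Simulates a page that displays
// the search term carried in the URL fragment, e.g. https://example.invalid/#q=term
// (example.invalid and the "q" parameter are placeholders chosen for this demo).

// Minimal HTML escaping for text placed inside an element body.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Extracts the value of "q" from a fragment such as "#q=foo%20bar".
function termFromHash(hash) {
  const params = new URLSearchParams(hash.replace(/^#/, ''));
  return params.get('q') || '';
}

// VULNERABLE: the fragment goes straight into markup. In a browser this is the
// `el.innerHTML = ...` pattern; whoever crafts the link controls the resulting HTML.
function renderUnsafe(hash) {
  return `<p>Results for: ${termFromHash(hash)}</p>`;
}

// FIXED: the fragment only ever becomes text. In a browser prefer
// `el.textContent = term`, which needs no manual escaping at all.
function renderSafe(hash) {
  return `<p>Results for: ${escapeHtml(termFromHash(hash))}</p>`;
}

// Constructed inputs: an ordinary search and a link carrying markup in its fragment.
const normalHash = '#q=jekyll%20plugins';
const hostileHash = '#q=%3Cscript%3E%2F*constructed*%2F%3C%2Fscript%3E';

console.log(renderUnsafe(hostileHash)); // markup survives: a browser would parse it
console.log(renderSafe(hostileHash));   // markup is shown as literal text
```

The same decoding step applies to `location.search` and `location.hash` alike; the fix is the same: never let URL-derived data reach an HTML sink unescaped.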

  • "Jekyll (the only supported engine)": is that what you meant? That is, can the repository contain only Ruby code, without the HTML it compiles into? Thanks. - Sasha Chernykh
  • @SashaChernykh, well, the source of the site, yes. Not in Ruby: GitHub provides its own set of plugins and does not allow changing it. HTML + Liquid (templates, includes, pages), Markdown / Textile / AsciiDoc / etc. (posts / pages), styles in Sass / SCSS, CoffeeScript, and any files that do not require preprocessing. - D-side
  • D-side, yes, I just wanted to understand it better; I phrased it incorrectly. Not "Ruby code", but the site's source, which is enough to have in the repository for the site to work, without the HTML produced by the build. Unlike other site generators, where the build output has to be placed in the repository. Did I put it right now? - Sasha Chernykh
  • @SashaChernykh right, yes. - D-side