SC-L Digest, Vol 3, Issue 73

[EB41704 at jp.ibm.com (Frederik De Keukelaere)]

Brian Chess <brian at fortifysoftware.com> wrote on 2007/04/09 13:31:04:

> Hi Frederik, 

Hi Brian,

> You're right that IE does not have the setter methods.  You're also 
right
> that hijacking the Object() or Array() constructor method would be 
enough to
> pull off the attack.  The bad (good?) news is that IE doesn't call those
> methods unless an object is explicitly created with the "new" keyword. 
We
> got this wrong when we looked at it initially, which is why we said the 
code
> could be ported to IE.  We're going to go back and fix that in the 
paper.

Thanks for your reply. Since there is much more to JavaScript than that I 
originally anticipated, I thought we missed something in our experiments.
 
> Of course, any JavaScript data transport format that explicitly calls a
> function is vulnerable in all browsers.  Over the last week or two I've 
been
> learning that people are moving data around using a lot more than just 
JSON,
> though JSON is the clear front-runner.

Would you mind sharing the different data formats you came across for 
exchanging data in mashups/Web 2.0? Considering the challenges you 
recently discovered, it might be good to have such an overview to look at 
it from a security point of view.
 
> Brian

Frederik

---
Frederik De Keukelaere, Ph.D.
Post-Doc Researcher
IBM Research, Tokyo Research Laboratory
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://krvw.com/pipermail/sc-l/attachments/20070409/a94d1b5a/attachment.html