Secure Coding mailing list archives
SC-L Digest, Vol 3, Issue 73
From: EB41704 at jp.ibm.com (Frederik De Keukelaere)
Date: Mon, 9 Apr 2007 13:45:39 +0900
Brian Chess <brian at fortifysoftware.com> wrote on 2007/04/09 13:31:04:

> Hi Frederik,

Hi Brian,

> You're right that IE does not have the setter methods. You're also right
> that hijacking the Object() or Array() constructor method would be enough to
> pull off the attack. The bad (good?) news is that IE doesn't call those
> methods unless an object is explicitly created with the "new" keyword. We
> got this wrong when we looked at it initially, which is why we said the code
> could be ported to IE. We're going to go back and fix that in the paper.

Thanks for your reply. Since there is much more to JavaScript than I originally anticipated, I thought we missed something in our experiments.
> Of course, any JavaScript data transport format that explicitly calls a
> function is vulnerable in all browsers. Over the last week or two I've been
> learning that people are moving data around using a lot more than just JSON,
> though JSON is the clear front-runner.

Would you mind sharing the different data formats you came across for exchanging data in mashups/Web 2.0? Considering the challenges you recently discovered, it might be good to have such an overview to look at it from a security point of view.

> Brian

Frederik

---
Frederik De Keukelaere, Ph.D.
Post-Doc Researcher
IBM Research, Tokyo Research Laboratory
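As an added example (not code from this thread or from the Fortify paper it discusses), the mitigation that follows from Brian's point that the hijack depends on the JSON body being loadable as a script: the server prefixes the body with a string that is a JavaScript syntax error and serves it only to requests a `<script>` tag cannot make, and the client strips the prefix before `JSON.parse`. The prefix value, the function names and the X-Requested-With check are my assumptions, and the sample records are constructed.

```javascript
// Added example, not from the thread or from the Fortify paper it discusses.
// JavaScript hijacking needs the JSON body to load and run as a <script>;
// these guards deny that channel. Names and the prefix are my own choices.

// A prefix that is a JavaScript syntax error but trivial for the client to strip.
const ANTI_HIJACK_PREFIX = ")]}',\n";

// Server side: emit JSON that a <script src="..."> tag cannot execute.
function wrapJsonResponse(data) {
  return ANTI_HIJACK_PREFIX + JSON.stringify(data);
}

// Client side (XMLHttpRequest): refuse bodies without the prefix, then parse
// them as data with JSON.parse rather than evaluating them as code.
function unwrapJsonResponse(body) {
  if (!body.startsWith(ANTI_HIJACK_PREFIX)) {
    throw new Error("response missing anti-hijacking prefix; refusing to parse");
  }
  return JSON.parse(body.slice(ANTI_HIJACK_PREFIX.length));
}

// Server side: a <script> tag can only issue a plain GET and cannot set custom
// headers, so serve sensitive JSON only to POSTs carrying X-Requested-With.
// `headers` is assumed to use lowercase keys, as Node's req.headers does.
function isAllowedDataRequest(method, headers) {
  const xrw = String(headers["x-requested-with"] || "").toLowerCase();
  return method.toUpperCase() === "POST" && xrw === "xmlhttprequest";
}

// Defender's check: would this body even compile as a script? new Function()
// only parses the text and does not run it, so it is safe on untrusted input.
function compilesAsScript(body) {
  try { new Function(body); return true; } catch (e) { return false; }
}

// Constructed sample: an array literal, the JSON shape that <script> inclusion
// exposes when Array() or prototype setters have been hijacked.
const SAMPLE_RECORDS = [{ account: "placeholder-account", balance: 42 }];

// Compare the bare and guarded forms of the same response.
function demo() {
  const bare = JSON.stringify(SAMPLE_RECORDS);
  const guarded = wrapJsonResponse(SAMPLE_RECORDS);
  return {
    bareRuns: compilesAsScript(bare),       // true: loadable as a script
    guardedRuns: compilesAsScript(guarded), // false: prefix breaks the parse
    roundTrip: unwrapJsonResponse(guarded), // the client still gets the data
  };
}
```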