Secure Coding mailing list archives
JavaScript Hijacking
From: brian at fortifysoftware.com (Brian Chess)
Date: Mon, 02 Apr 2007 12:13:53 -0700
Hi Stefano,

Yes, we are aware of your paper, but we intentionally chose to omit the reference because we are quite snobby. I'm joking! I hadn't seen your paper previously. It was a good read.

The difference between what you discuss and JavaScript Hijacking is that we do not assume the presence of another defect. JavaScript Hijacking does not require the existence of a cross-site scripting vulnerability or the like. It's a new attack technique (and a new vulnerable code pattern), not a new method for exploiting an existing class of vulnerabilities.

Thanks,
Brian
From: Stefano Di Paola <stefano.dipaola at wisec.it>
Date: Mon, 02 Apr 2007 11:11:24 +0200
To: "sc-l at securecoding.org" <sc-l at securecoding.org>
Cc: Brian Chess <brian at fortifysoftware.com>
Subject: Re: [SC-L] JavaScript Hijacking

Brian,

I don't know if you read it, but Giorgio Fedon and I presented a paper named "Subverting Ajax" at the 23rd CCC Congress (4th section, XSS Prototype Hijacking):
http://events.ccc.de/congress/2006/Fahrplan/attachments/1158-Subverting_Ajax.pdf

It described a technique called Prototype Hijacking, which is about overriding methods and attributes by using constructors and prototyping. It was described how to override the XMLHttprequest object, but it was stated that it could be applied to every prototype.

If you didn't read it, please read it and add some reference to your paper.

If you read it:
- I think we deserve at least a reference to our paper.
- Even if you covered JSON hijacking, the technique is the same and the name (Javascript Hijacking) is quite similar.

Regards,
Stefano