JavaScript Hijacking

[brian at fortifysoftware.com (Brian Chess)]

Hi Stefano,

Yes, we are aware of your paper, but we intentionally chose to omit the
reference because we are quite snobby.  I'm joking!  I hadn't seen your
paper previously.  It was a good read.

The difference between what you discuss and JavaScript Hijacking is that we
do not assume the presence of another defect.  JavaScript Hijacking does not
require the existence of a cross-site scripting vulnerability or the like.
It's a new attack technique (and a new vulnerable code pattern), not a new
method for exploiting an existing class of vulnerabilities.

Thanks,
Brian

> From: Stefano Di Paola <stefano.dipaola at wisec.it>
> Date: Mon, 02 Apr 2007 11:11:24 +0200
> To: "sc-l at securecoding.org" <sc-l at securecoding.org>
> Cc: Brian Chess <brian at fortifysoftware.com>
> Subject: Re: [SC-L] JavaScript Hijacking
>
> Brian,
>
> i don't know if you read it but me and Giorgio Fedon presented a paper
> named "Subverting Ajax" at 23rd CCC Congress.
> (4th section XSS Prototype Hijacking)
> http://events.ccc.de/congress/2006/Fahrplan/attachments/1158-Subverting_Ajax.p
> df
>
> It described a technique called Prototype Hijacking, which is about
> overriding methods and attributes by using contructors and prototyping.
> It was described how to override XMLHttprequest object, but it was
> stated that it could be applied to every prototype.
>
> If you didn't read it, please read it and add some reference to your
> paper.
> If you read it:
> - i think we deserve at least reference to our paper.
> - even if you covered JSON hijacking, the technique is the same and the
> name (Javascript Hijacking) is quite similar.
>
> Regards,
>
> Stefano