Brian Chess <[EMAIL PROTECTED]> wrote on 2007/04/09 13:31:04:
> Hi Frederik,
Hi Brian,
> You're right that IE does not have the setter methods. You're also right
> that hijacking the Object() or Array() constructor method would be enough to
> pull off the attack. The bad (good?) news is that IE doesn't call those
> methods unless an object is explicitly created with the "new" keyword. We
> got this wrong when we looked at it initially, which is why we said the code
> could be ported to IE. We're going to go back and fix that in the paper.
Thanks for your reply. Since there is much more to JavaScript than I
originally anticipated, I thought we missed something in our experiments.
> Of course, any JavaScript data transport format that explicitly calls a
> function is vulnerable in all browsers. Over the last week or two I've been
> learning that people are moving data around using a lot more than just JSON,
> though JSON is the clear front-runner.
Would you mind sharing the different data formats you came across for
exchanging data in mashups/Web 2.0? Considering the challenges you
recently discovered, it might be good to have such an overview to look at
it from a security point of view.
> Brian
Frederik
---
Frederik De Keukelaere, Ph.D.
Post-Doc Researcher
IBM Research, Tokyo Research Laboratory
_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________
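
The two points quoted in this message (replaced Object()/Array() constructors are only reached through an explicit "new", while a format that explicitly calls a function hands its data over regardless) can be checked with the added example below. It is not code from the thread or the paper; the function names and response bodies are constructed, and it reports the behaviour of the JavaScript engine it runs on, not of any 2007 browser.

```javascript
// Added illustration, not code from the thread. Names and sample bodies are constructed.

// Evaluate a response body as program text, the way a cross-site
// <script src="..."> include would, with Array, Object and a callback
// under the control of the including page. Shadowing the names through
// function parameters stands in for the page replacing the globals.
function observeScriptInclude(responseBody) {
  const seen = []; // everything the including page got to look at
  // Plain function expressions (not arrows) so they can be called with "new".
  const spy = (via) => function (...args) { seen.push({ via, args }); };
  const run = new Function('Array', 'Object', 'handleData', responseBody);
  run(spy('Array'), spy('Object'), spy('handleData'));
  return seen;
}

// A response is exposed to an including page if evaluating it passes
// any of its data to code the page supplied.
function exposesData(responseBody) {
  return observeScriptInclude(responseBody).length > 0;
}

// Constructed response bodies, one per transport style discussed above.
const samples = {
  literal: '[{"user": "alice", "balance": 100}]',        // plain JSON array
  explicitNew: 'new Array("alice", 100)',                // explicit "new"
  callback: 'handleData({"user": "alice", "balance": 100})', // calls a function
};

for (const [name, body] of Object.entries(samples)) {
  const seen = observeScriptInclude(body);
  console.log(name.padEnd(12), exposesData(body) ? 'exposed via' : 'not exposed',
    seen.map((s) => s.via).join(', '));
}
```

When auditing an endpoint, the same three-way split applies to its actual response bodies: literal-only, explicit constructor calls, or a function call wrapping the data.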