Re: [SC-L] SC-L Digest, Vol 3, Issue 73

2007-04-09 Thread Frederik De Keukelaere
Brian Chess [EMAIL PROTECTED] wrote on 2007/04/09 13:31:04:

> Hi Frederik,

Hi Brian,

> You're right that IE does not have the setter methods.  You're also right
> that hijacking the Object() or Array() constructor method would be enough to
> pull off the attack.  The bad (good?) news is that IE doesn't call those
> methods unless an object is explicitly created with the new keyword.  We
> got this wrong when we looked at it initially, which is why we said the code
> could be ported to IE.  We're going to go back and fix that in the paper.

Thanks for your reply. Since there is much more to JavaScript than I
originally anticipated, I thought we missed something in our experiments.

> Of course, any JavaScript data transport format that explicitly calls a
> function is vulnerable in all browsers.  Over the last week or two I've been
> learning that people are moving data around using a lot more than just JSON,
> though JSON is the clear front-runner.

Would you mind sharing the different data formats you came across for 
exchanging data in mashups/Web 2.0? Considering the challenges you 
recently discovered, it might be good to have such an overview to look at 
it from a security point of view.

> Brian

Frederik

---
Frederik De Keukelaere, Ph.D.
Post-Doc Researcher
IBM Research, Tokyo Research Laboratory

___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


Re: [SC-L] SC-L Digest, Vol 3, Issue 73

2007-04-09 Thread Brian Chess
Hi Frederik, 
You're right that IE does not have the setter methods.  You're also right
that hijacking the Object() or Array() constructor method would be enough to
pull off the attack.  The bad (good?) news is that IE doesn't call those
methods unless an object is explicitly created with the new keyword.  We
got this wrong when we looked at it initially, which is why we said the code
could be ported to IE.  We're going to go back and fix that in the paper.

Of course, any JavaScript data transport format that explicitly calls a
function is vulnerable in all browsers.  Over the last week or two I've been
learning that people are moving data around using a lot more than just JSON,
though JSON is the clear front-runner.

Brian


> Message: 1
> Date: Fri, 6 Apr 2007 11:32:33 +0900
> From: Frederik De Keukelaere [EMAIL PROTECTED]
> Subject: Re: [SC-L] JavaScript Hijacking
> To: sc-l@securecoding.org
> Message-ID: [EMAIL PROTECTED]
> Content-Type: text/plain; charset=us-ascii
>
> Hi Brian, Hi Stefano,
>
> <snip>
>
> Ok, I see the difference.
> You are taking advantage of a pure JSON CSRF with an evil script which
> contains a modified version of the Object prototype.
> And when the callback function is executed you use an XMLHttpRequest in
> order to send the information extracted by the instantiated object.
>
> In the beginning of the paper there was a comment that the code that was
> presented was designed for use in Firefox but could be ported to IE or
> other browsers. However, since IE does not seem to have the setter methods
> (correct me if I am wrong), I did not quite find a way to achieve this in
> IE.
> We tried several things such as replacing the Array and Object constructors as
> well as overriding eval, neither of which worked. Do you have any
> suggestions about how to port this attack to IE?
>
> Btw, thanks for the papers.
>
> Kind Regards,
>
> Fred
>
> ---
> Frederik De Keukelaere, Ph.D.
> Post-Doc Researcher
> IBM Research, Tokyo Research Laboratory

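The defensive counterpart of what Brian and Frederik discuss in the two messages above, as an added example (not code from the paper, the thread or either poster): it checks whether a response body would parse as a JavaScript program, which is the property JavaScript hijacking relies on, and shows the syntax-error prefix defence for a JSON endpoint. The `)]}',` guard string, the function names and the sample data are assumptions of this example.

```javascript
// Added example, not code from the paper or from either poster.
// Why JavaScript hijacking works: a bare JSON *array* body is a valid
// JavaScript program, so a cross-site <script src="..."> tag can load and
// run it (and a format that explicitly calls a function, JSONP style, runs
// in every browser). A bare JSON *object* body is not: at statement position
// "{" opens a block and the quoted key is a syntax error.
// Defence assumed here: prefix the body with a token sequence that is a
// JavaScript syntax error; the same-origin XMLHttpRequest client strips it
// before JSON.parse, while a <script> tag cannot get past the parse error.

const HIJACK_GUARD = ")]}',\n"; // assumed prefix; any guaranteed syntax error works

// Parse-only check: would this body execute if loaded as a script?
// new Function() compiles the body but never runs it.
function parsesAsScript(body) {
  try {
    new Function(body); // eslint-disable-line no-new-func
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Server side: serialise data so the response is not a runnable script.
function guardJson(data) {
  return HIJACK_GUARD + JSON.stringify(data);
}

// Client side (same-origin XMLHttpRequest): require the guard, strip it,
// then parse strictly with JSON.parse instead of eval().
function parseGuardedJson(body) {
  if (!body.startsWith(HIJACK_GUARD)) {
    throw new Error("response lacks the hijack guard prefix; refusing to parse");
  }
  return JSON.parse(body.slice(HIJACK_GUARD.length));
}

// Constructed sample of the per-user data such an endpoint might return.
const sample = [{ id: 1, email: "alice@example.test" }];

console.log(parsesAsScript(JSON.stringify(sample)));               // true: hijackable
console.log(parsesAsScript('{"id":1}'));                           // false: object literal
console.log(parsesAsScript("cb(" + JSON.stringify(sample) + ")")); // true: callback form
console.log(parsesAsScript(guardJson(sample)));                    // false: guarded
console.log(parseGuardedJson(guardJson(sample)));                  // the original array
```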


[SC-L] Stakes are High for Vista Security

2007-04-09 Thread Kenneth Van Wyk

<shameless-self-plug>

I hope that some of you will find my April column over on eSecurityPlanet
interesting.  It can be found (for free) at the link below.  If not, just
press the old delete key.

http://www.esecurityplanet.com/article.php/11162_3670486_2

</shameless-self-plug>

Cheers,

Ken
-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com



Re: [SC-L] Stakes are High for Vista Security

2007-04-09 Thread Kenneth Van Wyk

On Apr 9, 2007, at 11:12 AM, Kenneth Van Wyk wrote:

> http://www.esecurityplanet.com/article.php/11162_3670486_2

Sorry folks -- I inadvertently posted the URL to page 2 of the column.
Page 1 is at http://www.esecurityplanet.com/article.php/3670486


Sorry for the inconvenience (and the list clutter).  Mea culpa++

Cheers,

Ken van Wyk
