Google Groups Home
Help | Sign in
jQuery (English)
Home
+ new post
About this group
Join this group
Message from discussion Web 2.0 is vulnerable to attack
The group you are posting to is a Usenet group. Messages posted to this group will make your email address visible to anyone on the Internet.
Your reply message has not been sent.
Your post was successful
Markus Peter  
View profile
  More options Apr 3 2007, 6:56 am
From: Markus Peter <w...@spin.de>
Date: Tue, 3 Apr 2007 12:56:09 +0200
Local: Tues, Apr 3 2007 6:56 am
Subject: Re: [jQuery] Re: Web 2.0 is vulnerable to attack
Reply to author | Forward | Print | View thread | Show original | Report this message | Find messages by this author
On 03.04.2007, at 08:07, Karl Rudd wrote:

> Bah, it's not a new vulnerability, it's always been there and always
> been known about.

> I call FUD on this.

> The following is an excerpt that is the keystone of the whole thing:

> "In an example attack, a victim who has already authenticated
> themselves to an Ajax application, and has the login cookie in their
> browser, is persuaded to visit the attacker's web site. This web site
> contains JavaScript code that makes calls to the Ajax app. Data
> received from the app is sent to the attacker."

> Firstly _don't visit suspect sites_.

> Secondly their "example attack" is flawed. As far as I'm aware
> JavaScript code on one page does not have access to the cookies of
> other webpages. If it does it's a security flaw in the browser,
> nothing a JavaScript library can do about it.

I would not call this only FUD - the newspaper article is bad and  
FUD, especially the conclusion that the libraries are "vulnerable"  
where in reality the developers using them were probably clueless,  
but the original paper it refers to has a point. It maybe helps if  
you read the original paper at http://www.fortifysoftware.com/servlet/
downloads/public/JavaScript_Hijacking.pdf

You're right in so far as it's an old hat - nevertheless most people  
don't think of these kind of attacks even though Google already fell  
prey to it several times.

Unfortunately, many people seem to misunderstand the way, the attack  
works:
Cookies are not accessed by "other webpages" by this attack. Instead,  
the attack relies on the fact, that browsers will always  
automatically send cookies to the original domain. It's just plain  
old cookie-based XSS applied to JSON data.

What happens is, that if you e.g. have a JSON-outputting URL on your  
page like /api/ultrasecretdata which is secured by cookies and  
another page simply does

<script src="http://yourdomain/api/ultrasecretdata"></script>

then the browser will load the page and execute it as JavaScript. As  
the request goes to your server, your cookie will rightfully be sent  
with it and the request is authenticated, so the server will output  
the data.

Now, it's of course "only data" but what most people forget is, that  
JSON data is executable JavaScript Code: Arrays and Objects are  
constructed, and therefore, their constructors are called. If you  
override the constructor before the script tag, you'll receive the  
data in your own code.

Of course, you could still say, that browsers should not allow  
scripts of different pages interact that way - but they do work that  
way at the moment and it will likely never be changed as too many  
things nowadays rely on the fact that scripts from different servers  
can interact with each-other if they're loaded on the same page - so  
you _have_ to fix it in your application.

There are basically two ways to fix it:
1. Include a secret into the URL. Our own application for example  
always includes the Session ID of an authenticated user as a request  
parameter to the API calls, because then the URL is not guessable  
anymore and it's not possible to include the data on other pages
2. Include some breaker code in the output of your APIs before the  
actual data like e.g. /* */ comments and then remove that data before  
evaling your JSON code.

The second fix is rather easily applied to legacy code, but it's  
plain UGLY and it somehow destroys the reason for using a standard  
format like JSON.

What these guys obviously mean, when they say that frameworks are  
"vulnerable" is, that no frameworks support the developer with that  
task (solution 2) by offering automatic support to throw away the  
execution breakers. I'm actually glad about that - JSON should stay  
JSON and data exchange formats should stay standardized - otherwise  
we're thrown back straight into the 90ies with proprietary APIs.

Now, solution 1 is easily done with jQuery and probably all the other  
libraries mentioned - simply include your secret, most probably the  
session id, as a parameter with every request to APIs which should be  
secured. My suggestion would be to actually extend the jQuery AJAX  
documentation (or include a link to some tutorial in the Wiki or so)  
to point out the issue, if you use JSON only secured by cookies.  
That's the most sensible change to do - I do not think this issue  
justifies any changes to the jQuery code itself as it's only an issue  
of most application developers not thinking about a certain type of  
attack.

--
Markus Peter - w...@spin.de                      http://www.spin-ag.de/
SPiN AG, Bischof-von-Henle-Str. 2b, 93051 Regensburg, HRB 6295  
Regensburg
Aufsichtsratsvors.: Dr. Christian Kirnberger
Vorstände: Fabian Rott, Paul Schmid


    Reply to author    Forward  
You must Sign in before you can post messages.
To post a message you must first join this group.
Please update your nickname on the subscription settings page before posting.
You do not have the permission required to post.
Create a group - Google Groups - Google Home - Terms of Service - Privacy Policy
©2008 Google