saylornotes

The Blog of Chris Saylor

    Forever Is a Long Time to Wait

    February 7, 2013 engineering Chris Saylor

    Note: This is an article restored from archive. This vulnerability hasn’t been viable for almost a decade, and anyone using browsers old enough to still be affected is vulnerable to much more than this.

    In this article, I will describe an attack that lets an attacker read data from ajax responses by loading them through the browser’s script tag, and how to prevent it.

    How does it work?

    With a little social engineering, an attacker can get a user who has an active session with a web application to visit a malicious page. On that page, the attacker “includes” the application’s ajax request URL via a script tag, since script tags are not subject to the browser’s cross-domain (same-origin) restrictions.

    Example attack

    Let’s say your ajax request /user/emails returns an array of data (a valid JSON document, which is also a valid JavaScript array literal):

    [
      {
        "email": "some-email"
      }
    ]

    The attacker would include this request URL from their own page, using the application’s absolute URL (here a placeholder host):

    <script src="https://vulnerable-app.example/user/emails" type="text/javascript"></script>

    When the browser loads this URL through the script tag, it automatically executes the response as JavaScript. Since the victim’s browser sends the session cookie with the request, the response contains the victim’s data. The attacker can override the Array constructor so that, when the array literal is evaluated, its contents are captured and sent to the attacker’s server:

    // Only effective in old browsers, where evaluating an array literal
    // invoked the (overridable) global Array constructor.
    Array = function(data) {
      // Upload contents of data to attacker's server
    };

    How do we prevent this?

    Since the script tag auto-executes whatever is returned from the request, simply prefix your ajax responses with while(1); and strip it out before parsing when handling the response; same-origin code reads the raw response text and therefore has complete control over it.

    This effectively makes the request impossible to exploit: a script tag executes the response from the top, so the infinite loop hangs before the array literal is ever evaluated and the overridden Array constructor never sees the data.
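    As an added example (not code from the original post), here are both halves of the defense: a hypothetical server-side helper that prepends the while(1); guard to a JSON payload, and the same-origin client helper that verifies and strips the guard before parsing with JSON.parse. The sample /user/emails data is constructed; responses that arrive without the guard are rejected rather than parsed.

```javascript
// Added example, not part of the original post. Names are hypothetical.
const GUARD = "while(1);";

// Server side: wrap the JSON payload so that a <script src=...> include
// hangs in the loop before the array literal is ever evaluated.
function protectJsonResponse(payload) {
  return GUARD + JSON.stringify(payload);
}

// Client side (same origin, so it can read the raw text): check for the
// guard, strip it, and parse the remainder as data, never as code.
function parseProtectedResponse(text) {
  if (!text.startsWith(GUARD)) {
    // A body without the guard is not one our server produced (or the
    // guard was lost along the way); refuse it instead of parsing it.
    throw new Error("response missing anti-hijacking guard");
  }
  return JSON.parse(text.slice(GUARD.length));
}

// Convenience wrapper for real use in the browser (hypothetical helper).
function fetchProtectedJson(url) {
  return fetch(url, { credentials: "same-origin" })
    .then((res) => res.text())
    .then(parseProtectedResponse);
}

// Constructed sample data standing in for the /user/emails response.
const sampleEmails = [
  { email: "alice@example.com" },
  { email: "bob@example.com" },
];

// Round trip: what the server sends and what the client recovers.
function demo() {
  const body = protectJsonResponse(sampleEmails);
  const data = parseProtectedResponse(body);
  return { body, data };
}

console.log(JSON.stringify(demo()));
```

    Because the wire format is no longer valid JSON, every same-origin caller must go through parseProtectedResponse (or the fetch wrapper) rather than calling JSON.parse directly.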

    Conclusion

    As you can see, the attack is very simple to execute; however, it is also pretty simple to remedy. If you are using a framework that supports layouts, this is simple to implement application-wide.

    Some present-day examples of applications that have implemented this sort of defense are Gmail and Facebook. Next time you’re on those websites, open up the developer console in your browser of choice and examine some of the ajax responses.

    Notes

    Some modern browsers have opted to make overriding JavaScript’s Array and Object constructors ineffective; unfortunately, not everyone is using a modern browser.
