Forever Is a Long Time to Wait

Preventing ajax requests to your servers from other domains.

By: Chris Saylor | February 7, 2013 • 2 minute read

Note: This is an article restored from archive. This vulnerability hasn’t been viable for almost a decade and anyone using old enough browsers that are still vulnerable, are vulnerable to so much more than this.

In this article, I will describe a method of attack which allows the attacker to get information from ajax-based requests by use of the browser’s script tag and how to prevent it.

How does it work?

With a little social engineering, an attacker can get a user with an active session to a web application to visit a malicious page. In this page, the attacker will “include” the common ajax request URL via the script tag, since it is not limited by the cross domain rules of the browser.

Example attack

Let’s say your ajax request /user/emails returns an array of data:

[
  {
    email: "some-email"
  }
]

The attacker would include this request URL:

<script src="/user/emails" type="text/javascript"></script>

When the browser loads this ajax request, it’ll automatically execute the response as javascript. The attacker can override the Array object constructor to store it in a local var to be communicated to their servers:

Array = function(data) {
  // Upload contents of data to attacker's server
};

How do we prevent this?

Since the script tag auto-executes whatever is returned from the request, simply put a while(1); as part of their ajax requests and parse this out when handling the ajax request, since same origin has complete control over the response.

This effectively makes it impossible to exploit the request because the while loop will prevent the Array from the response from ever constructing.

Conclusion

As you can see, the attack is very simple to execute, however it is also pretty simple to remedy. If you are using a framework that supports layouts, then this is simple to implement application wide.

Some present-day examples of applications that have implemented this sort of defense are gmail and facebook. Next time you’re on those websites, open up the developer’s console in your browser of choice and examine some of the ajax responses.

Notes

Some modern browsers have opted to make overriding javascript’s Array and Object constructors, unfortunately not everyone is using a modern browser.

Related Content

Interop in PHP Should Not Be Exceptional

Swapping out interchangeable pieces could be easier.

Managing Polylingual Side Projects

Using docker to simplify deploying side projects.

Ruminate More

Sometimes taking a break can do wonders.

Deploying CSRF Protection to an Active Site

The phrase "operating on an engine while its running" comes to mind.