The Blog of Chris Saylor


    Forever Is a Long Time to Wait

    February 7, 2013 engineering Chris Saylor

    Note: This is an article restored from archive. This vulnerability hasn’t been viable for almost a decade, and anyone using a browser old enough to still be vulnerable is exposed to far more than this.

    In this article, I will describe an attack that lets an attacker read the contents of a web application’s ajax (JSON) responses by loading them through the browser’s script tag, and how to prevent it.

    How does it work?

    With a little social engineering, an attacker can get a user who has an active session with your web application to visit a malicious page. That page “includes” your application’s ajax request URL via a script tag. Script tags are not subject to the browser’s cross-domain (same-origin) restrictions, and the browser sends the user’s session cookies along with the request, so the response is fetched as the logged-in user and then executed as JavaScript inside the attacker’s page.

    Example attack

    Let’s say your ajax request /user/emails returns a JSON array of data:

        [{"email": "some-email"}]

    The attacker’s page would include that request URL via a script tag (on the attacker’s page the src must be the absolute URL of your application; only the path is shown here):

    <script src="/user/emails" type="text/javascript"></script>

    When the browser loads this ajax request through the script tag, it executes the response as JavaScript. In a vulnerable browser, evaluating the array literal in the response calls whatever the page has assigned to Array, so the attacker can replace the Array constructor with one that captures the data and sends it to their server:

    Array = function (data) {
      // Upload contents of data to attacker's server.
      // In vulnerable browsers the elements are assigned into `this` after the
      // constructor runs, so real exploits defined setters here to capture them.
    };

    How do we prevent this?

    Since the script tag executes whatever comes back from the request, prefix every JSON response with while(1); and have your own ajax handling code strip that prefix before parsing the body. Same-origin code has complete control over the response, so stripping the prefix is trivial; a cross-origin script tag can only execute the response, and the infinite loop stops the array literal from ever being evaluated.

    This effectively makes the request impossible to exploit in this way, because the while loop prevents the Array in the response from ever being constructed.
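    The prefix-and-strip defence described above, as an added example written for this edit rather than code from the original post. The sample /user/emails response is constructed, the function names (guardJson, parseGuarded, compilesAsScript) are my own, and the alternative prefix shown is the one Gmail’s responses use: a syntax error rather than an infinite loop, so a page that loads the endpoint through a script tag fails instead of hanging.

```javascript
// Added example: the while(1); anti-hijacking prefix, plus the same-origin
// unwrapping step. Not code from the original post.

const LOOP_GUARD = 'while(1);';  // the prefix described in the article
const SYNTAX_GUARD = ")]}'\n";   // variant: a syntax error instead of a hang

// Server side: wrap a JSON-serialisable value. A <script src=...> load of the
// endpoint now hits the guard before the array literal is ever evaluated.
function guardJson(value, guard = LOOP_GUARD) {
  return guard + JSON.stringify(value);
}

// Client side (same-origin ajax handler): strip the guard, then parse.
// Refuse to parse a body that lacks the guard so that an endpoint which
// forgot the prefix fails loudly instead of being silently accepted.
function parseGuarded(body, guard = LOOP_GUARD) {
  if (!body.startsWith(guard)) {
    throw new Error('response is missing the anti-hijacking prefix');
  }
  return JSON.parse(body.slice(guard.length));
}

// Attacker's view: can the body even be compiled as a script? This only
// compiles, it never runs the code, so the while(1); variant does not hang.
function compilesAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Constructed sample response for the /user/emails endpoint from the article.
const SAMPLE = [{ email: 'some-email' }];

// Returns what each step sees, so the behaviour can be checked end to end.
function demo() {
  const bare = JSON.stringify(SAMPLE);
  const looped = guardJson(SAMPLE);
  const broken = guardJson(SAMPLE, SYNTAX_GUARD);

  let rawParseFailed = false;
  try { JSON.parse(looped); } catch (e) { rawParseFailed = true; }

  return {
    looped,
    rawParseFailed,                            // guarded body is not plain JSON
    parsed: parseGuarded(looped),              // same-origin code still gets the data
    bareIsScript: compilesAsScript(bare),      // unguarded JSON is a valid script: the problem
    loopedIsScript: compilesAsScript(looped),  // compiles, but would spin forever if run
    brokenIsScript: compilesAsScript(broken),  // does not even compile
    parsedBroken: parseGuarded(broken, SYNTAX_GUARD),
  };
}
```

    Apply the prefix to every JSON response your ajax layer produces rather than trying to decide which ones carry sensitive data; the client-side check in parseGuarded then catches any endpoint that regresses. If your framework supports layouts, this is a single change at the layout level, as the article notes.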


    As you can see, the attack is very simple to execute, however it is also pretty simple to remedy. If you are using a framework that supports layouts, then this is simple to implement application wide.

    Some present-day examples of applications that have implemented this sort of defense are gmail and facebook. Next time you’re on those websites, open up the developer’s console in your browser of choice and examine some of the ajax responses.


    Modern browsers no longer call a script-replaced Array (or Object) constructor when they evaluate an array or object literal, so the response cannot be captured this way in them; unfortunately not everyone is using a modern browser.
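    A check, added here and not part of the original post, that you can run in whatever JavaScript engine you care about to confirm it is not vulnerable in this way. It replaces the global Array constructor, installs a setter on Object.prototype for a known key name (the other classic hijacking technique), evaluates an array and an object literal the way a script-tag response would be evaluated, and reports whether either hook observed the data. The function names are my own, and every hook is removed again in a finally block.

```javascript
// Added check, not from the original post: can script-level hooks observe the
// values inside a literal in this engine? In a browser vulnerable to the attack
// described in the article, at least one of these functions returns true.

// Does evaluating an array literal call a script-replaced global Array?
function arrayLiteralCallsReplacedArray() {
  const OriginalArray = globalThis.Array;
  let invoked = false;
  globalThis.Array = function HijackedArray() { invoked = true; };
  try {
    // Compile via Function so the literal is evaluated like a loaded script.
    const value = new Function('return [{ email: "some-email" }];')();
    // Safe engines build the literal with the built-in Array regardless.
    return invoked || !(value instanceof OriginalArray);
  } finally {
    globalThis.Array = OriginalArray;
  }
}

// Does evaluating an object literal trigger a setter on Object.prototype?
function objectLiteralTriggersPrototypeSetter(key = 'email') {
  let captured;
  Object.defineProperty(Object.prototype, key, {
    configurable: true,
    set(v) { captured = v; },
  });
  try {
    const value = new Function(`return { ${key}: "some-email" };`)();
    // Safe engines define an own data property and never call the setter.
    return captured !== undefined ||
      !Object.prototype.hasOwnProperty.call(value, key);
  } finally {
    delete Object.prototype[key];
  }
}

// Single verdict for the engine running this code.
function engineIsHijackable() {
  return arrayLiteralCallsReplacedArray() || objectLiteralTriggersPrototypeSetter();
}
```

    Any current browser or Node.js release returns false from engineIsHijackable(); the prefix defence above is insurance for users on browsers that still return true.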
