[SC-L] SC-L Digest, Vol 3, Issue 73
Brian Chess
brian at fortifysoftware.com
Mon Apr 9 00:31:04 EDT 2007
Hi Frederik,
You're right that IE does not have the setter methods. You're also right
that hijacking the Object() or Array() constructor method would be enough to
pull off the attack. The bad (good?) news is that IE doesn't call those
methods unless an object is explicitly created with the "new" keyword. We
got this wrong when we looked at it initially, which is why we said the code
could be ported to IE. We're going to go back and fix that in the paper.
Of course, any JavaScript data transport format that explicitly calls a
function is vulnerable in all browsers. Over the last week or two I've been
learning that people are moving data around using a lot more than just JSON,
though JSON is the clear front-runner.
Brian
>
> Message: 1
> Date: Fri, 6 Apr 2007 11:32:33 +0900
> From: Frederik De Keukelaere <EB41704 at jp.ibm.com>
> Subject: Re: [SC-L] JavaScript Hijacking
> To: sc-l at securecoding.org
> Message-ID:
> <OF693160EF.CCDB584B-ON492572B5.000C872C-492572B5.000DE394 at jp.ibm.com>
> Content-Type: text/plain; charset="us-ascii"
>
> Hi Brian, Hi Stefano,
>
> <snip>
>
>> Ok I see the difference.
>> You are taking advantage of a pure json CSRF with an evil script which
>> contains a modified version of the Object prototype.
>> And when the callback function is executed you use an XMLHttpRequest in
>> order to send the information extracted by the instantiated object.
>
> In the beginning of the paper there was a comment that the code that was
> presented was designed for use in Firefox but could be ported to IE or
> other browsers. However, since IE does not seem to have the setter methods
> (correct me if I am wrong), I did not quite find a way to achieve this in
> IE.
> We tried several things such as replacing Array and Object constructor as
> well as overriding eval, neither of which worked. Do you have any
> suggestions about how to port this attack to IE?
>
> Btw, thanks for the papers.
>
> Kind Regards,
>
> Fred
>
> ---
> Frederik De Keukelaere, Ph.D.
> Post-Doc Researcher
> IBM Research, Tokyo Research Laboratory
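The thread above discusses the attack side: a JSON array served to a plain GET can be pulled in cross-site with a script tag, and any transport that explicitly calls a function (a JSONP-style callback) executes in every browser regardless of constructor or setter semantics. The example below is an added illustration of the defensive counterpart, not code from the thread or from the Fortify paper. It assumes two conventions that the thread does not name: the server only emits JSON when the request carries a header that a cross-site script tag cannot set (X-Requested-With is the assumed convention), and the response is prefixed with text that is a syntax error when executed as a script, which the legitimate XMLHttpRequest client strips before parsing. The function names (serveJsonForXhr, parseGuardedJson, parsesAsScript) are illustrative.

```javascript
// Added example, not from the SC-L thread: make a JSON response both
// unobtainable via a bare <script src=...> fetch and unparseable as a script.
// Names and header convention here are assumptions for illustration.

// Prefix that fails to parse when the response text is loaded as a script.
// The legitimate XMLHttpRequest client strips it before JSON.parse.
const GUARD_PREFIX = ")]}',\n";

// Look up a header case-insensitively from a plain header object.
function headerValue(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? '' : String(headers[key]);
}

// Server side: refuse to emit JSON unless the request carries a header that a
// cross-site <script> tag cannot add. Returns a minimal {status, body} pair.
function serveJsonForXhr(data, requestHeaders) {
  if (headerValue(requestHeaders, 'X-Requested-With').toLowerCase() !== 'xmlhttprequest') {
    return { status: 403, body: '' };
  }
  return { status: 200, body: GUARD_PREFIX + JSON.stringify(data) };
}

// Client side: require the guard, strip it, then parse. Rejecting an unguarded
// body makes a misconfigured endpoint visible instead of silently accepted.
function parseGuardedJson(body) {
  if (!body.startsWith(GUARD_PREFIX)) {
    throw new Error('response is missing the anti-hijacking prefix');
  }
  return JSON.parse(body.slice(GUARD_PREFIX.length));
}

// Audit helper: would this response text execute if loaded via <script src>?
// The Function constructor only compiles the text; nothing is run.
// A bare JSON array or a callback(...) wrapper compiles; the guarded body does not.
function parsesAsScript(text) {
  try {
    new Function(text);
    return true;
  } catch (e) {
    return false; // SyntaxError: not loadable as a script
  }
}

// Constructed sample data for a stand-alone run.
const sampleRecords = [{ account: 'constructed-sample', balance: 42 }];
console.log('bare JSON array loads as script:', parsesAsScript(JSON.stringify(sampleRecords)));
console.log('callback wrapper loads as script:', parsesAsScript('cb(' + JSON.stringify(sampleRecords) + ')'));
const response = serveJsonForXhr(sampleRecords, { 'X-Requested-With': 'XMLHttpRequest' });
console.log('guarded body loads as script:', parsesAsScript(response.body));
console.log('client parses guarded body:', JSON.stringify(parseGuardedJson(response.body)));
```

The parsesAsScript check is the useful audit: run it over what an endpoint actually returns, and anything that compiles (a bare array, or a callback wrapper of the kind Brian notes is exploitable in every browser) is a response that a cross-site script tag can load. The header check alone is not enough on its own either, since it relies on the browser not letting a script tag add request headers, so the two measures are meant to be used together.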