JavaScript Hijacking
Web browsers enforce the Same Origin Policy to protect users from malicious Web sites. The Same Origin Policy requires that for JavaScript to access the contents of a Web page, both the JavaScript and the Web page must originate from the same domain. Without the Same Origin Policy, a malicious Web site could serve up JavaScript that loads sensitive information from other Web sites using a client's credentials, culls through it, and communicates it back to the attacker.

JavaScript Hijacking allows an attacker to bypass the Same Origin Policy in the case where a Web application uses JavaScript to communicate confidential information. The loophole in the Same Origin Policy is that it allows JavaScript from any Web site to be included and executed in the context of any other Web site. Even though a malicious site cannot directly examine any data loaded from a vulnerable site on the client, it can still take advantage of this loophole by setting up an environment that allows it to witness the execution of the JavaScript and any relevant side effects it may have. Since many Web 2.0 applications use JavaScript as a data transport mechanism, they are often vulnerable, while traditional Web applications are not.

The most popular format for communicating information in JavaScript is JavaScript Object Notation (JSON). The JSON RFC defines JSON syntax to be a subset of JavaScript object literal syntax. JSON is based on two types of data structures: arrays and objects. Any data transport format where messages can be interpreted as one or more valid JavaScript statements is vulnerable to JavaScript Hijacking. JSON makes JavaScript Hijacking easier by the fact that a JSON array stands on its own as a valid JavaScript statement. Since arrays are a natural form for communicating lists, they are commonly used wherever an application needs to communicate multiple values. Put another way, a JSON array is directly vulnerable to JavaScript Hijacking. A JSON object is only vulnerable if it is wrapped in some other JavaScript construct that stands on its own as a valid JavaScript statement.

The following example begins by showing a legitimate JSON interaction between the client and server components of a Web application that is used to manage sales leads. It goes on to show how an attacker can mimic the client and gain access to the confidential data the server returns. Note that this example, along with the rest of the examples in the article, is written for Mozilla-based browsers. Other mainstream browsers do not allow native constructors to be overridden when an object is created without the use of the new operator.

The client requests data from a server and evaluates the result as JSON with the following code:

var object;|
var req = new XMLHttpRequest();
req.open("GET", "/object.json",true);
req.onreadystatechange = function () {
if (req.readyState == 4) {
var txt = req.responseText;
object = eval("(" + txt + ")");
req = null;
}
};
req.send(null);

When the code runs, it generates an HTTP request that looks like this:

GET /object.json HTTP/1.1
...
Host: www.example.com
Cookie: JSESSIONID=F2rN6HopNzsfXFjHX1c5Ozxi0J5SQZTr4a5YJaSbAiTnRR

(In this HTTP response and the one that follows we have elided HTTP headers that are not directly relevant to this explanation.)

The server responds with an array in JSON format:

HTTP/1.1 200 OK
Cache-control: private
Content-Type: text/javascript; charset=utf-8
...
[{"fname":"Brian", "lname":"Chess", "phone":"6502135600",
"purchases":60000.00, "email":"brian@fortify.com" },
{"fname":"Katrina", "lname":"O'Neil", "phone":"6502135600",
"purchases":120000.00, "email":"katrina@fortify.com" },
{"fname":"Jacob", "lname":"West", "phone":"6502135600",
"purchases":45000.00, "email":"jacob@fortify.com" }]

In this case, the JSON contains confidential information associated with the current user (a list of sales leads). Other users cannot access this information without knowing the user's session identifier. (In most modern Web applications, the session identifier is stored as a cookie.) However, if a victim visits a malicious Web site, the malicious site can retrieve the information using JavaScript Hijacking.

If a victim can be tricked into visiting a Web page that contains the following malicious code, the victim's lead information will be sent to the attacker's Web site (see Listing 1).

The malicious code uses a script tag to include the JSON object in the current page. The Web browser will send up the appropriate session cookie with the request. In other words, this request will be handled as though it had originated from the legitimate application.

When the JSON array arrives on the client, it will be evaluated in the context of the malicious page. To witness the evaluation of the JSON, the malicious page has redefined the JavaScript function used to create new objects. In this way, the malicious code has inserted a hook that allows it to get access to the creation of each object and transmit the object's contents back to the malicious site. Other attacks might override the default constructor for arrays instead (Grossman's Gmail exploit took this approach).

Applications that are built to be used in a mashup sometimes invoke a callback function at the end of each JavaScript message. The callback function is meant to be defined by another application in the mashup. A callback function makes a JavaScript Hijacking attack a trivial affair - all the attacker has to do is define the function. An application can be mashup-friendly or it can be secure, but it cannot be both.

If the user is not logged into the vulnerable site, the attacker can compensate by asking the user to log in and then displaying the legitimate login page for the application. This is not a phishing attack - the attacker does not gain access to the user's credentials - so anti-phishing countermeasures won't be able to defeat the attack.

More complex attacks could make a series of requests to the application by using JavaScript to dynamically generate script tags. This same technique is sometimes used to create application mashups. The only difference is that, in this mashup scenario, one of the applications involved is malicious.

Defending Against JavaScript Hijacking
First-generation Web applications are not vulnerable to JavaScript Hijacking, because they typically transmit data as part of HTML documents, not as pure JavaScript. Applications that have no secrets to keep from attackers are also trivially safe from JavaScript Hijacking attacks.

If a Web application contains an exploitable cross-site scripting vulnerability, it cannot defeat data stealing attacks such as JavaScript Hijacking, because cross-site scripting allows an attacker to run JavaScript as though it originated from the application's domain. The contra-positive does not hold - if a Web application does not contain any cross-site scripting vulnerabilities, it is not necessarily safe from JavaScript Hijacking.

For Web 2.0 applications that handle confidential data, there are two fundamental ways to defend against JavaScript Hijacking:

1. Decline malicious requests
2. Prevent direct execution of the JavaScript response

The best way to defend against JavaScript Hijacking is to adopt both defensive tactics.