Note: This is an article restored from archive. This vulnerability hasn’t been viable for almost a decade and anyone using old enough browsers that are still vulnerable, are vulnerable to so much more than this.
In this article, I will describe a method of attack which allows the attacker to get information from ajax-based requests by use of the browser’s script tag and how to prevent it.
How does it work?
With a little social engineering, an attacker can get a user with an active session to a web application to visit a malicious page. In this page, the attacker will “include” the common ajax request URL via the script tag, since it is not limited by the cross domain rules of the browser.
Example attack
Let’s say your ajax request /user/emails
returns an array of data:
[
{
email: "some-email"
}
]
The attacker would include this request URL:
<script src="/user/emails" type="text/javascript"></script>
When the browser loads this ajax request, it’ll automatically execute the response as javascript. The attacker can override the Array object constructor to store it in a local var to be communicated to their servers:
Array = function(data) {
// Upload contents of data to attacker's server
};
How do we prevent this?
Since the script
tag auto-executes whatever is returned from the request, simply put a while(1);
as part of their ajax requests and parse this out when handling the ajax request, since same origin has complete control over the response.
This effectively makes it impossible to exploit the request because the while loop will prevent the Array from the response from ever constructing.
Conclusion
As you can see, the attack is very simple to execute, however it is also pretty simple to remedy. If you are using a framework that supports layouts, then this is simple to implement application wide.
Some present-day examples of applications that have implemented this sort of defense are gmail and facebook. Next time you’re on those websites, open up the developer’s console in your browser of choice and examine some of the ajax responses.
Notes
Some modern browsers have opted to make overriding javascript’s Array
and Object
constructors, unfortunately not everyone is using a modern browser.