
What are some of the examples of the attacks that could be made if it were possible?

ma11hew28
  • possible duplicate of [Why is cross-domain Ajax a security concern?](http://stackoverflow.com/questions/466737/why-is-cross-domain-ajax-a-security-concern) – Joachim Sauer Feb 23 '11 at 14:30

2 Answers

I run a website that gives away the best free pornography in town. People flock to it.

As they are browsing and viewing the spectacle of colours and moving imagery, an AJAX request works its way through a list of domains, seeing if you are logged in to any of them.

For any you are logged into, it sends another AJAX request to a page on my site that saves any of the data it has found. This way it could steal private information.

Or, it can post data to forms on those pages, along the lines of "send me £1000 from your bank plz k thx".

http://en.wikipedia.org/wiki/Same_origin_policy

[Why is cross-domain Ajax a security concern?](http://stackoverflow.com/questions/466737/why-is-cross-domain-ajax-a-security-concern)
Tom Gullen

Cross Site Scripting (XSS), and Cross Site Request Forgery (CSRF)

XSS is injecting 3rd party code from a secondary site to alter the function of the first, usually SCRIPT tags. The trust on AJAX related code is quite high as it is; you'd have to trust that a third party site would always return the same information, and that your JavaScript was capable of protecting against malformed input. It's fairly easy to demonstrate a remote JavaScript library rewriting an entire page.

CSRF attacks on third party AJAX would be rife. You log on to a site, and it attempts to post information to sites, hoping you are logged in.

The biggest, and most evil, thing you could do is a combination of both. Through an insecure text entry, you XSS in some JavaScript that creates a KeyListener, which buffers and then sends via AJAX to a third party. Of course, this is technically possible as is, and you could use it to capture logins, possibly, and though I've yet to prove it... I suspect you could do this with loading of images and passing through extra key presses in the query string. The target image on the 3rd party domain is a handling script which then logs.

I suspect you would also be able to Hijack Sessions this way, as you may be able to gain Session Identifiers from the remote computer to pass back.

Of course, a coder would be able to protect against these; it just facilitates quite a large bag of evil.

corrodedmonkee