1

Ok, so I'm developing a web app that has begun to be more ajaxified. I then read a blog that talked about JavaScript hijacking, and I'm a little confused about when it's actually a problem. I want some clarification.

Question 1: Is this the problem/vulnerability?

If my site returns json data with a 'GET' request that has sensitive information then that information can get into the wrong hands.

I use ASP.NET MVC and the method that returns JSON requires you to explicitly allow json get requests. I'm guessing that they are trying to save the uninitiated from this security vulnerability.

Question 2: Does the hijacking occur by sniffing/reading the response as it's being sent through the internet? Does SSL mitigate that attack?

Question 3: This led me to ask this question to myself. If I'm storing page state in local JavaScript object(s) of the page, can someone hijack that data (other than the logged-in user)?

Question 4: Can I safely mitigate against THIS vulnerability by only returning JSON with a 'POST' request?

Jose
    The terms you need to search for are "Cross Site Scripting" (XSS) and "Cross Site Request Forgery" (CSRF). It's not *one* vulnerability, they're two separate **classes** of vulnerability. – zzzzBov Jul 21 '11 at 13:49
  • @zzzzBov the particular vulnerability is abusing JS engines, not XSS or CRSF – Raynos Jul 21 '11 at 13:53

3 Answers

1

The post you linked to is talking about CSRF & XSS (see my comment on the question), so in that context:

Is this the problem/vulnerability ("If my site returns json data with a 'GET' request that has sensitive information then that information can get into the wrong hands.")?

No.

Does the hijacking occur by sniffing/reading the response as it's being sent through the internet?

No.

If I'm storing page state in local JavaScript object(s) of the page, can someone hijack that data (other than the logged-in user)?

It depends. It depends on whether you're storing the data in cookies and haven't set the right domain or path. It depends on whether there's a security vulnerability in the client browser that would allow a script to gain access to data that is typically restricted. There are numerous other vectors of attack, and new ones are discovered all the time. The long and the short of it is: don't trust the browser with any confidential or secure data.

Can I safely mitigate against THIS vulnerability by only returning JSON with a 'POST' request?

No (it's not a single vulnerability, it's a set of classes of vulnerabilities).

zzzzBov
  • The link is talking about the [`window.Array` hack](http://jeremiahgrossman.blogspot.com/2006/01/advanced-web-attack-techniques-using.html). – Raynos Jul 21 '11 at 14:39
    @Raynos, the `window.Array` hack you're speaking of is a CSRF attack. That was only one of a number of various articles linked in the blog post. – zzzzBov Jul 21 '11 at 14:47
0

Well, you can check if the request was a GET and if the GET was from a correct referrer.

You are not really much safer getting it from a POST because that is just as easy to simulate.

In general there are a lot of things you can do to prevent cross site forgery and manipulation.

Naftali
  • How do you verify a `correct` referrer? Won't limiting to a 'POST' save a user who goes to a malicious site from that site getting the data? I know a person can issue a POST, but can a site a user is on do that without the user knowing it? – Jose Jul 21 '11 at 13:55
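As an added example (not code from the answer above or from the questioner), this is one way a JSON endpoint can apply the referrer check Naftali mentions, combined with the stronger check that the request carries the `X-Requested-With: XMLHttpRequest` header that jQuery's `$.get` sends: a `<script src>` tag can only issue a GET and cannot add custom headers, and a cross-site XHR cannot add one without CORS permission. The allowlist `ALLOWED_ORIGINS`, the function names and the sample requests are assumptions constructed for the demo.

```javascript
// Added example, not code from the answer above: a same-origin check for a
// JSON endpoint combining a referrer check with a custom-header check.
// ALLOWED_ORIGINS and the sample requests are constructed for the demo.

const ALLOWED_ORIGINS = new Set(["https://app.example.test"]);

// Return the origin the browser reported, or null if it reported none.
// Origin is preferred; Referer is only a fallback because privacy settings
// and HTTPS->HTTP transitions strip it, so "absent" must mean untrusted.
function reportedOrigin(headers) {
  if (headers.origin) return headers.origin;
  if (headers.referer) {
    try {
      return new URL(headers.referer).origin;
    } catch (e) {
      return null; // malformed Referer: treat as absent
    }
  }
  return null;
}

// Decide whether to serve sensitive JSON. `headers` is a plain object with
// lower-case keys, like Node's req.headers.
function checkJsonRequest(method, headers) {
  // A <script src> tag (how JSON hijacking loaded the data) cannot add
  // custom headers; jQuery's $.get sends this one on every XHR.
  if (headers["x-requested-with"] !== "XMLHttpRequest") {
    return { allowed: false, reason: "not an XHR request" };
  }
  const origin = reportedOrigin(headers);
  if (origin === null) {
    return { allowed: false, reason: "no Origin or Referer" };
  }
  if (!ALLOWED_ORIGINS.has(origin)) {
    return { allowed: false, reason: "cross-origin request from " + origin };
  }
  // POST alone is not a fix (a cross-site form can POST), but it does keep
  // the response out of reach of <script src> entirely.
  if (method !== "POST") {
    return { allowed: false, reason: "sensitive JSON is POST-only" };
  }
  return { allowed: true, reason: "same-origin XHR POST" };
}

// Constructed sample requests.
const legitimateXhr = {
  method: "POST",
  headers: { origin: "https://app.example.test", "x-requested-with": "XMLHttpRequest" },
};
const scriptTagFromOtherSite = {
  method: "GET",
  headers: { referer: "https://other.example.test/page.html" },
};
const xhrWithoutReferer = {
  method: "POST",
  headers: { "x-requested-with": "XMLHttpRequest" },
};

// Returns the allowed flag for each sample request: [true, false, false].
function demo() {
  return [legitimateXhr, scriptTagFromOtherSite, xhrWithoutReferer].map(
    (r) => checkJsonRequest(r.method, r.headers).allowed
  );
}

console.log(demo());
```

The third sample shows the trap in a pure referrer check: a legitimate user whose browser strips Referer is indistinguishable from a request with no origin at all, so the endpoint must fail closed there and rely on the custom header rather than treating a missing referrer as same-origin.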
0

The actual vulnerability is being able to overwrite Array.

If one overwrites the native Array then one gets access to the JSON data that's constructed as an Array.

This vulnerability has been patched in all major browsers.

You should only worry about this if your clients are using insecure browsers.

Example:

// Replace the global Array constructor. On the (since patched) browsers
// that invoked this constructor for every array literal, each array in
// JSON loaded via <script src> would pass its contents here.
window.Array = function() {
  console.log(arguments);
  // send to secret server
};

...

// The site's own request for the same URL, which returns the JSON.
$.get(url, function(data) { ... });

When the data is constructed, if there are any arrays in the returned JSON, the browser will call window.Array and the data in that array gets sent to the secret server.

Raynos
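As an added example (not code from this answer), the following shows why a bare JSON array was the exploitable shape and how a response-prefix defence removes the problem regardless of browser: a top-level array is a valid JavaScript program, a top-level object is not (the `"key":` inside a block is a syntax error), and a deliberate unparseable prefix such as `)]}',\n` makes any body fail as a script while the site's own code simply strips it before `JSON.parse`. The prefix value and the names `isExecutableAsScript`, `protectJson` and `parseProtectedJson` are assumptions for the demo; the sample payload is constructed.

```javascript
// Added example, not code from the answer above. Shows which JSON shapes
// execute as a script and the response-prefix defence. The prefix value
// and function names are assumptions; the sample payload is constructed.

const ANTI_HIJACK_PREFIX = ")]}',\n"; // a syntax error as a statement

// True if the text compiles as a JavaScript program, i.e. a <script src>
// pointing at it would execute rather than throw a SyntaxError.
// new Function only compiles the body; it never runs it.
function isExecutableAsScript(text) {
  try {
    new Function(text);
    return true;
  } catch (e) {
    return false;
  }
}

// Server side: serialize and prepend the prefix so the body is rejected
// by the script parser but still trivial for the site's own client to read.
function protectJson(value) {
  return ANTI_HIJACK_PREFIX + JSON.stringify(value);
}

// Client side: strip the prefix from the XHR response, then parse.
function parseProtectedJson(text) {
  if (!text.startsWith(ANTI_HIJACK_PREFIX)) {
    throw new Error("missing anti-hijack prefix");
  }
  return JSON.parse(text.slice(ANTI_HIJACK_PREFIX.length));
}

// Constructed sample standing in for a sensitive JSON GET response.
const sample = [{ user: "alice", email: "alice@example.test" }];

// Compares the three response shapes:
// bare array executes, object-wrapped and prefixed bodies do not.
function demo() {
  const bare = JSON.stringify(sample);
  const wrapped = JSON.stringify({ d: sample });
  const protectedBody = protectJson(sample);
  return {
    bareIsScript: isExecutableAsScript(bare),              // true
    wrappedIsScript: isExecutableAsScript(wrapped),        // false
    protectedIsScript: isExecutableAsScript(protectedBody), // false
    roundTrip: parseProtectedJson(protectedBody)[0].user,  // "alice"
  };
}

console.log(demo());
```

The object wrapper is the same idea behind ASP.NET's `{"d": ...}` envelope: once the top-level value is not an array, no `Array` constructor is ever invoked while the body is loaded as a script. The prefix goes one step further and does not depend on the shape of the data at all.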