
Interesting AJAX Attack

  • Hasin Hayder
    Jan 31, 2006

      Jeremiah Grossman recently wrote up a very interesting attack (now fixed) on Gmail, which is worth looking at. The problem was that the Gmail client-side interface got your contact list by doing an XMLHttpRequest to a known URL which was the same for all accounts. The permission checks were, presumably, based entirely on your login cookies. The data arrived in the form of a JavaScript array which the client side then eval()ed. So the attack went like this:

      1. Send the victim's Gmail account an email with a link you can persuade them to click on, to a page under your control
      2. On that page, have a <script src="..."> tag accessing the well-known URL for getting the address book
      3. Gmail happily sends back the data, as the person is logged into Gmail and so the request has the correct cookies
      4. Override the anonymous Array() constructor with a function of your choice
      5. When the data arrives, the JS engine calls the anonymous Array constructor (even though it plans to throw away the result, as it's not assigned to a variable), and therefore calls your function on the address book data, giving you access to it.

      Morals:

      • Ajax has new security risks associated with it
      • Don't put sensitive data in pure JavaScript files with guessable URLs

      Hmm. Would it break much of the web if we failed to send cookies on <script> src requests which were cross-domain?
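The endpoint shape the post describes, modelled beside a hardened form, as an added example that is not part of the original post or of Gmail's code. The contact list, the session cookie value, the request objects and the `x-requested-with` check are all constructed for the illustration; the `)]}'` prefix is one well-known anti-script framing, shown here as an assumption about how such a service might be fixed, not as what Gmail did.

```javascript
// Added example, not from the original post: a model of the address-book
// endpoint in the vulnerable shape described above, next to a hardened form.
// Requests, cookies and the contact list are constructed sample data.

const ADDRESS_BOOK = [["Alice", "alice@example.com"], ["Bob", "bob@example.com"]];

function loggedIn(req) {
  // Placeholder session check; stands in for the real cookie validation.
  return Boolean(req.cookies) && req.cookies.session === "valid-session";
}

// Vulnerable shape: a bare JavaScript array literal at a fixed URL, guarded
// only by the session cookie. A cross-site <script src> include carries that
// cookie, and the body is valid JavaScript, so it executes in the including page.
function vulnerableResponse(req) {
  if (!loggedIn(req)) return { status: 401, contentType: "text/plain", body: "" };
  return { status: 200, contentType: "text/javascript", body: JSON.stringify(ADDRESS_BOOK) };
}

// Hardened shape, three independent layers:
//  1. require a header that XMLHttpRequest can set but a <script> tag cannot;
//  2. prefix the body with ")]}'\n", which is a syntax error as JavaScript, so
//     even an authenticated cross-site <script> include cannot execute it;
//  3. serve it as application/json and have the client use JSON.parse, not eval().
const ANTI_SCRIPT_PREFIX = ")]}'\n";

function hardenedResponse(req) {
  if (!loggedIn(req)) return { status: 401, contentType: "text/plain", body: "" };
  if (req.headers["x-requested-with"] !== "XMLHttpRequest") {
    return { status: 403, contentType: "text/plain", body: "" };
  }
  return {
    status: 200,
    contentType: "application/json",
    body: ANTI_SCRIPT_PREFIX + JSON.stringify(ADDRESS_BOOK),
  };
}

// Client side: strip the framing prefix, then parse without eval().
function parseContacts(body) {
  if (!body.startsWith(ANTI_SCRIPT_PREFIX)) throw new Error("unexpected response framing");
  return JSON.parse(body.slice(ANTI_SCRIPT_PREFIX.length));
}

// Would this body run if a page loaded it via <script src>? Compile it without
// executing it; a body that fails to compile is inert as a script.
function compilesAsScript(body) {
  try { new Function(body); return true; } catch (e) { return false; }
}

// Two modelled requests: the legitimate XHR from the mail UI, and a cross-site
// <script src> include that carries the cookie but cannot add the header.
const xhrRequest = {
  cookies: { session: "valid-session" },
  headers: { "x-requested-with": "XMLHttpRequest" },
};
const scriptTagRequest = { cookies: { session: "valid-session" }, headers: {} };

function demo() {
  const leaked = vulnerableResponse(scriptTagRequest);
  const blocked = hardenedResponse(scriptTagRequest);
  const ok = hardenedResponse(xhrRequest);
  return {
    vulnerableLeaksToScriptTag: leaked.status === 200 && compilesAsScript(leaked.body),
    hardenedBlocksScriptTag: blocked.status === 403,
    hardenedBodyInertAsScript: !compilesAsScript(ok.body),
    hardenedClientParses: parseContacts(ok.body).length === ADDRESS_BOOK.length,
  };
}

console.log(demo());
```

The three layers are deliberately independent: the header check fails closed even if the prefix is forgotten, the prefix keeps the body inert even if the header check is bypassed, and parsing with `JSON.parse` means the client never relies on the engine's `Array` constructor at all. On the author's closing question, browsers have since moved in that direction by defaulting cookies to `SameSite=Lax`, which withholds them from most cross-site subresource requests such as a `<script src>` include.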
