
Is It Possible To Perform A Cross Site Request Forgery Attack On A Url That Returns A Json Object?

I'm aware that there is a Cross site forgery attack that can be performed on a request that returns an array by overloading the Array constructor. For example, suppose I have a sit

Solution 1:

The sources I've seen, such as Haacked and Hackademix, specifically indicate that root objects are safe (presumably in all major browsers). This is because a script can not start with an object literal. By default, ASP.NET wraps both objects and arrays with a d prefix, but I think this is just to simplify the client library.

Solution 2:

It looks like from the ECMAScript spec, the JSON object shouldn't be treated as a valid JavaScript program:

"Note that an ExpressionStatement cannot start with an opening curly brace because that might make it ambiguous with a Block."

So assuming that all browsers implement this correctly, a response like { name: 'Puff the Dragon', cc: 'Credit Card #' } won't be executed as valid JavaScript. However, expressions like ({name: 'Puff the Dragon', cc: 'Credit Card #' }) and {['Puff the Dragon', 'Credit Card #']} will.
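
As an added illustration of the parsing rule in Solution 2 and the root-object wrapping mentioned in Solution 1 (example code, not from the answers; the sample bodies are constructed), the following check compiles each candidate response body with new Function(), which only parses the text and never runs it. It goes one step past the answer: a one-property object with an unquoted key compiles as a labelled statement, which is why real JSON's quoted keys matter.

```javascript
// Does a response body compile as a JavaScript program? new Function() is used
// purely as a parser here; the resulting function is never invoked.
function compilesAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (err) {
    if (err instanceof SyntaxError) return false;
    throw err;
  }
}

// Mitigation from Solution 1: make the payload the sole member of a root object
// so the response never begins with an array literal.
function wrapInRootObject(jsonText) {
  return JSON.stringify({ d: JSON.parse(jsonText) });
}

// Constructed sample response bodies mirroring the examples in the answers.
const SAMPLES = {
  bareObject:    "{ name: 'Puff the Dragon', cc: 'Credit Card #' }", // block, then stray ':'
  jsonObject:    '{"name": "Puff the Dragon", "cc": "Credit Card #"}', // block, then stray ':'
  singleLabel:   "{ name: 'Puff the Dragon' }",                       // block with a label: compiles
  parenthesised: "({ name: 'Puff the Dragon', cc: 'Credit Card #' })", // object literal expression
  bareArray:     "['Puff the Dragon', 'Credit Card #']",               // array literal expression
  blockArray:    "{['Puff the Dragon', 'Credit Card #']}",             // block containing an array
  wrappedArray:  wrapInRootObject('["Puff the Dragon", "Credit Card #"]'), // {"d":[...]}: does not compile
};

// Returns { sampleName: true|false } for every sample above.
function classifySamples() {
  const result = {};
  for (const [name, body] of Object.entries(SAMPLES)) {
    result[name] = compilesAsScript(body);
  }
  return result;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(classifySamples());
}
```

A body that reports false cannot be loaded as a script at all, so whatever constructor tricks a hostile page sets up never see the data; a body that reports true is worth wrapping as shown.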

Solution 3:

You could use the same technique for Object. It wouldn't affect the prototype chain, so it wouldn't be inherited by all objects. But you could, for example, log all new objects getting created with this:

function Object() {
    // record every object created via new Object() in a global array
    var obj = this;
    if (window.objectarray === undefined) {
        window.objectarray = [];
    }
    window.objectarray.push(this);
    return this;
}

Any time code on your page uses new Object(), it would get written to window.objectarray -- even if it were created in a private scope. So, for example, look at this code:

var Account = function() {
    var createToken = function() {
        var objToken = new Object();
        objToken.timestamp = new Date().getTime();
        objToken.securestring = "abc123";
        return objToken.timestamp + objToken.securestring;
    };
    var objPrivate = new Object();
    objPrivate.bankaccount = "123-456789";
    objPrivate.token = createToken();
};
var myAccount = new Account();

In this case, if you create a new account with new Account(), a token will be created using private properties (and maybe methods) and nothing about myAccount is left hanging outside in public. But both 'objectToken' and objPrivate will be logged to window.objectarray.
