Digital Edition

SYS-CON.TV
Might "Prototype Hijacking" Subvert AJAX?
New ploy exploits sites with cross-site scripting holes

(SYS-CON Media) – Does JavaScript, which was never intended to do anything resembling what it does within the approach now called AJAX, have a fundamental design flaw? That's the question being asked by Stefano Di Paola and Giorgio Fedon. By using a new technique called "Prototype Hijacking," Di Paola and Fedon claim, it has been shown how it is possible to sniff and manipulate in real time asynchronous requests originating from any browser in a way which is transparent and independent from the framework used.

Their paper, "Subverting AJAX," was written for the 23rd Chaos Communication Conference, which took place at the Berliner Congress Center from 27-30 December, 2006. The conference has a weblog here: 23C3 Weblog.

The authors - Stefano Di Paola describes himself as a Senior Security Engineer while Fedon is currently employed as senior security consultant and penetration tester at Emaze Networks - conclude with the following thought, in somewhat broken English:

"As it seems, Web 2.0 applications will be more and more tightly tied to browser security, that is increasing in complexity and has to take care of a plethora of features that can be turned into weapons if controlled by a malicious attacker."
They describe what they call "a very interesting cache-injection technique" that permits attacks against the way asynchronous requests are made to be leveraged in a way that allows an attacker to poison almost permanently the web sites visited and stored into browser cache.

They also describe a new type of attack that bypasses even "restrictions imposed by web sites not vulnerable to XSS."

Experts however aren't  convinced. One who has checked the Opera, Safari and (Gecko-based) Camino browsers, writing on Slashdot, reports that they all "have completly separate sets of prototypes for each frame, so you can't circumvent XSS protection using prototypes."

As the Slashdot poster comments: "So it seems there's nothing to get excited about - you must have exploitable XSS vulnerability to begin with, so it's not the end of the internet just yet."

About Security News Desk
SYS-CON's Security News desk trawls the world of security for news of software, hardware, products, and services that seems likely to be of interest to infosec professionals and summarizes them for easy assimilation by busy IT managers and staff.

In order to post a comment you need to be registered and logged in.

Register | Sign-in

Reader Feedback: Page 1 of 1

The fundamental flaw is not in Javscript. It's in current implementations of Javascript.

The problem isn't the use of Ajax (or XmlHttpRequest) itself is harmful, the problem is XSS-holes are harmful!




ADS BY GOOGLE
Subscribe to the World's Most Powerful Newsletters

ADS BY GOOGLE

The explosion of new web/cloud/IoT-based applications and the data they generate are transforming ou...
CI/CD is conceptually straightforward, yet often technically intricate to implement since it require...
Containers and Kubernetes allow for code portability across on-premise VMs, bare metal, or multiple ...
Enterprises are striving to become digital businesses for differentiated innovation and customer-cen...
Digital Transformation: Preparing Cloud & IoT Security for the Age of Artificial Intelligence. As au...
DevOps is often described as a combination of technology and culture. Without both, DevOps isn't com...
DXWorldEXPO LLC announced today that All in Mobile, a mobile app development company from Poland, wi...
The now mainstream platform changes stemming from the first Internet boom brought many changes but d...
DXWorldEXPO LLC announced today that Ed Featherston has been named the "Tech Chair" of "FinTechEXPO ...
Chris Matthieu is the President & CEO of Computes, inc. He brings 30 years of experience in developm...
Bill Schmarzo, author of "Big Data: Understanding How Data Powers Big Business" and "Big Data MBA: D...
Andi Mann, Chief Technology Advocate at Splunk, is an accomplished digital business executive with e...
In this presentation, you will learn first hand what works and what doesn't while architecting and d...
The Internet of Things is clearly many things: data collection and analytics, wearables, Smart Grids...
To Really Work for Enterprises, MultiCloud Adoption Requires Far Better and Inclusive Cloud Monitori...
We are seeing a major migration of enterprises applications to the cloud. As cloud and business use ...
If your cloud deployment is on AWS with predictable workloads, Reserved Instances (RIs) can provide ...
Disruption, Innovation, Artificial Intelligence and Machine Learning, Leadership and Management hear...
We build IoT infrastructure products - when you have to integrate different devices, different syste...
Consumer-driven contracts are an essential part of a mature microservice testing portfolio enabling ...