[nycphp-talk] NYPHP cringed at AJAX almost a year ago.... now JS exploit "level 3"
csnyder
chsnyder at gmail.com
Fri Oct 14 09:52:21 EDT 2005
On 10/13/05, inforequest <1j0lkq002 at sneakemail.com> wrote:
> Since then we have AJAX everywhere. And now we have a hack that's being
> called a new "level 3" exploit. See http://e-scribe.com/news/103 and
> http://namb.la/popular/tech.html
>
Hmm, you can chase the buzzword and call this an AJAX hack, but it is
really plain old cross-site scripting vulnerability. MySpace wasn't
properly sanitizing user-submitted markup, and these guys were able to
sneak some JavaScript in.
It's a pretty great hack nonetheless. They used XMLHTTPRequest to make
requests in the background that a user would never notice, which is
what makes it AJAXy.
Two lessons learned:
1) If you allow markup, use a serious sanitizer ... something like
http://chxo.com/scripts/safe_html/ or one of the others discussed
previously on this list
2) Take steps to prevent forged form submissions ... for an excellent
tutorial, see http://shiflett.org/articles/security-corner-dec2004.
But further to number 2, if you don't have protection against
JavaScript there isn't much you can do to secure your forms. Even the
random token method that Chris describes can be foiled if the attacker
is scripting XMLHTTPRequests, because the script can request and then
POST a valid form, without the user ever knowing it.
Neato.
--
Chris Snyder
http://chxo.com/
More information about the talk
mailing list