The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws


Chapter 12  ■ Attacking Other Users



Page 445




defeat the anti-XSRF defenses. For example, if an application employs anti-XSRF tokens to protect only the second step of a funds transfer function, then an attacker can leverage a reflected XSS attack elsewhere in the application to defeat the defense. A script injected via this flaw can make an on-site request for the first step of the funds transfer, retrieve the token from the response, and use this to request the second step. The attack is successful because the first step of the transfer, which is not defended against XSRF, returns the token needed to access the defended page, and because the injected script runs within the application's own origin: the browser attaches the user's session cookie to its requests and allows it to read the responses. The reliance on only HTTP cookies to reach the first step means that it can be leveraged to gain access to the token defending the second step.



JSON Hijacking

JSON hijacking is a special version of an XSRF attack, which in certain circumstances can violate the objectives of the browser's same origin policy. It enables a malicious web site to retrieve and process data from a different domain, thereby circumventing the "one-way" restriction that normally applies to XSRF, under which the attacker can cause requests to be made but cannot read the responses.


The possibility of JSON hijacking arises because of a quirk in the same origin policy. Recall that browsers treat JavaScript as code, not data: they allow one web site to retrieve and execute code from a different domain. When the cross-domain code executes, it is treated as having originated from the invoking web site, and executes in that context. The reason this quirk can lead to vulnerabilities is that many of today's complex web applications use JavaScript for transmission of data, in a way that was not foreseen when the same origin policy was devised.



JSON

JSON (JavaScript Object Notation) is a simple data transfer format that can be used to serialize arbitrary data and can be processed directly by JavaScript interpreters. It is commonly employed in Ajax applications as an alternative to the XML format originally used for data transmission. In a typical situation, when a user performs an action, client-side JavaScript uses XMLHttpRequest to communicate the action to the server. The server returns a lightweight response containing data in JSON format. The client-side script then processes this data and updates the user interface accordingly.

For example, an Ajax-based web mail application may contain a panel allowing users to tab between different data. When a user clicks the Contacts



