Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
Insecure AJAX data processing on the client side
Posted by: pento
Date: February 26, 2010 01:53PM

There is an HTML form with AJAX submit. When data returns from the server as JSON (including the submitted data), it is rendered in some div on the page in an insecure way (yep, foo.innerHTML=bla-bla..).
So if you navigate to this page and fill the form with something like <script>alert(document.cookie)</script>, then after submit you will see a JavaScript alert with cookie data.
The main problem is that you can't use this vulnerability by creating a custom form with autosubmit (for POST) or by creating links like <img src="http://vuln-site.com/foo.php?a=<script>...">.
So how can I exploit such a vulnerability?

Re: Insecure AJAX data processing on the client side
Posted by: thornmaker
Date: February 26, 2010 01:59PM

What is the content type of the returned JSON?

Re: Insecure AJAX data processing on the client side
Posted by: pento
Date: February 26, 2010 02:42PM

Unfortunately: application/x-javascript

Re: Insecure AJAX data processing on the client side
Posted by: sirdarckcat
Date: February 26, 2010 10:39PM

How does the URL end? On IE you may be able to trigger content sniffing and make it assume it is HTML.

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat
Re: Insecure AJAX data processing on the client side
Posted by: pento
Date: February 28, 2010 03:21PM

The action URL does not have any extension.
So in the end there is only one probable scenario: some social engineering to make the victim fill this form field with custom text and submit it.
