Sla.ckers.org
Q and A on cross site request forgeries and breaking into sessions. It's one of the attacks that XSS enables and the attack of the future. For Session, fixations, hijacking, lockout, replay, session riding etc.... 
Stealing non-callback JSON; close, but no dice
Date: February 10, 2008 12:29PM

A while ago, Jeremiah Grossman published an exploit which used the <script> tag to grab private data from Gmail and overloaded the Array constructor.

Well, a similar situation exists for JSON, except that we're using literal objects {} and not arrays. A quick test:

<script type="text/javascript">
function Object() {
  alert('Called!');
}
alert('Explicit:');
var foo1 = new Object();
alert('Literal:');
var foo2 = {foo: 'bar'};
</script>

This indicates that the literal notation only calls the Object constructor in Firefox (I tested IE7 and Opera too, but they only called the constructor when I explicitly used new Object()).

Ok, so it looks like we might be able to steal the info, but as it turns out, Firefox doesn't parse JSON like this:

{
  foo: 'bar',
  foo2: 'bar2'
}

Because it thinks that the brace is opening a code block. Curiously enough, however, Internet Explorer does parse it! So things seem safe... for now.

I apologize if this has been mentioned before.

HTML Purifier - Standards Compliant HTML filtering

Re: Stealing non-callback JSON; close, but no dice
Posted by: Anonymous User
Date: February 10, 2008 04:06PM

Hi!

You could of course cheat a little bit with the assumption that the user has Firebug installed - but I think that's not what you are looking for :)

function Object() {
    alert(escape(__scope__.expr.toSource()))
}
var foo2 = {foo: 'bar'};

Re: Stealing non-callback JSON; close, but no dice
Date: February 10, 2008 09:11PM

Two things:

1. The code doesn't seem to work (I have Firebug installed and running, but it warns me that __scope__ isn't defined)

2. Firefox still doesn't parse the braces as a literal object when we don't do the assignment.

HTML Purifier - Standards Compliant HTML filtering

Re: Stealing non-callback JSON; close, but no dice
Posted by: Anonymous User
Date: February 11, 2008 03:07AM

You're using FF3? I read on several mailing lists that there's a bug (feature?) with the __scope__ property.

Re: Stealing non-callback JSON; close, but no dice
Date: February 11, 2008 10:27AM

Nope, FF 2.0.0.12. Do you mean that __scope__ only exists in FF3? (I would test with a trunk build, but I don't have said environment available right now.)

HTML Purifier - Standards Compliant HTML filtering

Re: Stealing non-callback JSON; close, but no dice
Posted by: Anonymous User
Date: February 11, 2008 12:14PM

Nope - rather the other way round. I tested the above-mentioned code on FF2.0.0.12 on Ubuntu. But I read in some lists that those wouldn't work anymore in FF3 - as said, maybe a bug/feature.

Re: Stealing non-callback JSON; close, but no dice
Date: February 11, 2008 02:19PM

Oh, I know why: the code as it stands runs before Firebug has a chance to define all of its variables. Indeed, that does work. :-) Doesn't help this exploit out, but it does work.

HTML Purifier - Standards Compliant HTML filtering

Re: Stealing non-callback JSON; close, but no dice
Posted by: kuza55
Date: February 14, 2008 08:31PM

Just a note: we can't overload the constructors for global objects such as Array & Object in Firefox 3, or at least we're not meant to be able to; they've decided to take a proactive approach here and stop this being exploitable. However, I haven't played with it, so I don't know anything about it...

Does anyone know if any JSON objects have embedded function calls? Since we can still over-write those...

----------------------------------------------------------
Don't forget our IRC: irc://irc.irchighway.net/#slackers
[kuza55.blogspot.com]

Re: Stealing non-callback JSON; close, but no dice
Posted by: Anonymous User
Date: February 15, 2008 02:58AM

b={a:1}
b.eval('alert(1)')

There are of course the usual endsWith() and trim(), but I dunno if this is exploitable.

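Added at the end of the thread as an example that is not from any post above: the whole discussion hinges on whether a JSON body is also a valid JavaScript program (a bare array is; the OP's two-member object literal is not), because only then can a third-party page pull it in with a script tag and hope a redefined constructor sees the data. The usual server-side fix is an unparsable prefix that the same-origin client strips; the prefix value and helper names below are this example's own choices, and the sample bodies are constructed.

```javascript
// Added example (not code from the thread). A JSON response that parses as a
// JavaScript program can be included cross-origin via <script src>; on engines
// where literals invoke an overridden Array/Object constructor, that page then
// reads the data. A prefix that is a syntax error everywhere aborts the script
// before any literal is evaluated; the real client removes it before parsing.

// Constructed choice for this example; "while(1);" works the same way.
const GUARD_PREFIX = ")]}',\n";

// True if `body` is accepted as a complete JavaScript program, i.e. it would
// execute if loaded with <script src>. The Function constructor is used only
// as a parser here; nothing in `body` is run.
function parsesAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Server side: serialize and prepend the guard.
function protectJson(value) {
  return GUARD_PREFIX + JSON.stringify(value);
}

// Client side (same-origin XHR/fetch): require the guard, strip it, parse.
function parseProtectedJson(text) {
  if (!text.startsWith(GUARD_PREFIX)) {
    throw new Error("response lacks the anti-hijacking prefix");
  }
  return JSON.parse(text.slice(GUARD_PREFIX.length));
}

// Constructed bodies matching what the thread observed: a bare array is a
// valid program, a one-member unquoted object is a labelled block, and the
// two-member object the OP tried is a syntax error (a block, not an object).
const samples = {
  "[1,2]": true,
  "{foo: 'bar'}": true,
  "{foo: 'bar', foo2: 'bar2'}": false,
};
for (const [body, expected] of Object.entries(samples)) {
  const ok = parsesAsScript(body) === expected;
  console.log(JSON.stringify(body), ok ? "as expected" : "MISMATCH");
}
console.log("guarded body parses as script:",
  parsesAsScript(protectJson(["alice", "bob"])));
```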