sla.ckers.org web application security lab forums
Q and A on cross site request forgeries and breaking into sessions. It's one of the attacks that XSS enables and the attack of the future. For session fixation, hijacking, lockout, replay, session riding, etc.
CSRF and JavaScript 2
Posted by: goodwinster (IP Logged)
Date: March 22, 2007 12:41PM

Has anyone seen Joe Walker's blog post on CSRF possibilities in JavaScript 2 yet? If so; what do you think?

Re: CSRF and JavaScript 2
Posted by: rsnake (IP Logged)
Date: March 22, 2007 01:51PM

I read it and I really don't think it makes sense. If you can put JavaScript on a page you get CSRF for free. Why would you have to overload operators?

- RSnake
Gotta love it. http://ha.ckers.org

Re: CSRF and JavaScript 2
Posted by: goodwinster (IP Logged)
Date: March 22, 2007 02:07PM

Because of the *read* data that's fetched from a forged request: at the moment you have to have it returned as JSON or valid JavaScript. If you can force the interpreter to see HTML / XML as valid JS, you can read anything.

Re: CSRF and JavaScript 2
Posted by: Awesome AnDrEw (IP Logged)
Date: March 22, 2007 04:02PM

Link? I'd like enlightenment in this area of focus.

Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
[www.awesomeandrew.net]

Re: CSRF and JavaScript 2
Posted by: .mario (IP Logged)
Date: March 22, 2007 05:17PM

The enlightening link:

[getahead.org]

I haven't read the details yet, but if it were possible to map any included resource into a variable it would be a security nightmare.

---
g:0in~/*for another*/~alert(!!1)
(Å='',[Ç=!(µ=!Å+Å)+{}][Ç[ª=µ[++Å]+µ[Å-Å],È=Å-~Å]+Ç[È+È]+ª])()[Ç[Å]+Ç[Å+Å]+µ[È]+ª](Å)
me || PHPIDS || Twitter || <malicious></markup>

Edited 1 time(s). Last edit at 03/22/2007 05:19PM by .mario.

Re: CSRF and JavaScript 2
Posted by: rsnake (IP Logged)
Date: March 22, 2007 06:14PM

That actually does make sense. If you use it to un-XMLify a document so that it is readable in JS space, that could be useful in a few different scenarios where certain strings cause exploits to fail if they are loaded in as XML. Hmmm

- RSnake
Gotta love it. http://ha.ckers.org
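
The thread's point (goodwinster's post and RSnake's follow-up) is that a forged cross-site request can only *read* the response when the browser is made to interpret it as JavaScript, e.g. by pulling the endpoint in with a `<script src>`. The defender-side counterpart is to make the response worthless when included that way. The example below is added here and is not code from the forum or from Joe Walker's blog; it shows two checks a JSON endpoint can apply, rejecting requests that lack a same-origin-only header and a matching CSRF token, and prefixing the body so it is a JavaScript syntax error if a third-party page includes it as a script. The header names `X-Requested-With` / `X-CSRF-Token` and the prefix `)]}',\n` are assumptions of this example, not anything the thread specifies.

```python
import hmac
import json
import secrets
from typing import Dict, Optional, Tuple

# Assumed convention: a prefix that is a JavaScript syntax error when the body
# is loaded via <script src=...>, but that a same-origin XHR client can strip
# before calling JSON.parse. Any unparseable prefix works; this one is common.
ANTI_HIJACK_PREFIX = ")]}',\n"


def new_csrf_token() -> str:
    """Per-session token; the server stores it in a cookie or session store."""
    return secrets.token_urlsafe(32)


def _tokens_match(expected: Optional[str], submitted: Optional[str]) -> bool:
    """Constant-time comparison; treats a missing token on either side as a mismatch."""
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def guard_json_response(headers: Dict[str, str],
                        session_token: Optional[str],
                        data: dict) -> Tuple[int, str]:
    """Decide whether a JSON read request is same-origin, and build the body.

    Returns (status, body). `headers` are the request headers as received;
    `session_token` is the CSRF token bound to the caller's session (cookie).
    """
    h = {k.lower(): v for k, v in headers.items()}

    # Check 1: a <script src>, <img>, iframe or plain HTML form cannot set a
    # custom request header, so its absence means this is not our own XHR code.
    if h.get("x-requested-with") != "XMLHttpRequest":
        return 403, json.dumps({"error": "missing same-origin request header"})

    # Check 2: the token travels in a header the page's own script must read
    # from the DOM/session; a forged request only gets the cookie sent along.
    if not _tokens_match(session_token, h.get("x-csrf-token")):
        return 403, json.dumps({"error": "csrf token mismatch"})

    # Always wrap the payload in an object: a bare top-level array literal is a
    # valid expression statement, which is exactly what older Array-constructor
    # tricks relied on. With the prefix in front, the body is not executable at all.
    body = ANTI_HIJACK_PREFIX + json.dumps({"data": data})
    return 200, body


def parse_guarded_json(body: str) -> dict:
    """Client-side counterpart: strip the prefix, then parse as ordinary JSON."""
    if not body.startswith(ANTI_HIJACK_PREFIX):
        raise ValueError("response is missing the anti-hijacking prefix")
    return json.loads(body[len(ANTI_HIJACK_PREFIX):])


if __name__ == "__main__":
    token = new_csrf_token()
    account = {"balance": 42, "email": "user@example.invalid"}  # constructed sample data

    # Constructed forged request: browser sends the cookie, but no custom headers.
    print(guard_json_response({}, token, account))

    # Constructed same-origin XHR: page script adds both headers.
    ok_headers = {"X-Requested-With": "XMLHttpRequest", "X-CSRF-Token": token}
    status, body = guard_json_response(ok_headers, token, account)
    print(status, repr(body))
    print(parse_guarded_json(body))
```

The header check alone is enough to stop a `<script src>` or form-driven read, because those vectors cannot add headers; the token check additionally covers any client that can set headers but is not the site's own page, and the prefix is a last line of defence if a check is ever bypassed. None of this replaces `Content-Type: application/json` and `X-Content-Type-Options: nosniff` on the real response, which keep the browser from reinterpreting the body as something else.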
