Has anyone seen Joe Walker's blog post on CSRF possibilities in JavaScript 2 yet? If so; what do you think?

I read it and I really don't think it makes sense. If you can put JavaScript on a page you get CSRF for free. Why would you have to overload operators?

- RSnake
Gotta love it. http://ha.ckers.org

Because the *read* data that's fetched from a forged request, at the moment you have to have it returned as JSON or valid javascript. If you can force the interpreter to see HTML / XML as valid JS, you can read anything.

Link? I'd like enlightenment in this area of focus.


Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
http://www.awesomeandrew.net/

The enlightening link:

http://getahead.org/blog/joe/2007/03/22/operator_overloading_in_javascript_2_and_a_potential_monster_csrf_hole.html

I haven't read the details yet but if it would be possible to map any included resources into a variable it would be a security nightmare.



Edited 1 time(s). Last edit at 03/22/2007 05:19PM by .mario.

That actually does make sense. If you use it to un-XMLify a document so that it is readable in JS space, that could be useful in a few different scenarios where certain strings cause exploits to fail if they are loaded in as XML. Hmmm

- RSnake
Gotta love it. http://ha.ckers.org