Friday, September 30th, 2005

Exploiting the XmlHttpRequest object in IE

Category: Articles

Amit Klein has written up ideas on security issues to watch out for with XHR in his paper, Exploiting the XmlHttpRequest object in IE – Referrer spoofing, and a lot more…

XmlHttpRequest is a JavaScript object that allows client-side JavaScript code to send almost raw HTTP requests to the origin host and to access the response’s body in raw form. As such, XmlHttpRequest is a core component of AJAX.

It seems that the same-origin security policy ensures that the power of XmlHttpRequest is only used in a secure manner (after all, if the JavaScript code can only access the server it originated from, then what harm can be done, except for XSS conditions), but this is not so. In fact, about 2.5 years ago I noticed a problem in XmlHttpRequest’s implementation in IE: IE doesn’t validate some critical fields that are provided by the user [1]. Back at that time, the attack vector was through an XSS condition, but the basic flaw (and other, related flaws) lends itself nicely to other conditions, which we’ll see below.

The techniques discussed below allow the attacker (given the right conditions) to perform:

  • Referer spoofing (for leeching and for a complete client-side MITM attack)
  • HTTP Request Smuggling, HTTP Response Splitting and Web cache poisoning
  • Accessing content / web-scanning
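The flaw class the excerpt describes, script-supplied request fields copied into the wire format without validation, is easy to model. The following is an added example written for this page, not code from the post or from Amit Klein’s paper, and it runs under Node.js rather than in IE: a toy request serializer in a permissive variant and a strict one, plus a crude check that counts request lines in the resulting bytes. It models the general mechanism (a CRLF in a header value ends the current request and lets the script start a second one; a script-settable Referer header spoofs the referrer) rather than the specific IE behaviour the paper details; the host name, paths, header values and function names are all assumptions made for the example.

```javascript
// Added example, not code from the Ajaxian post or from Amit Klein's paper.
// A toy model of how an XmlHttpRequest implementation turns script-supplied
// method, path and headers into a raw HTTP/1.1 request, in two variants:
// a permissive one that copies the fields verbatim (the flaw class the
// paper describes) and a strict one that validates them the way browsers
// now must. Host name, paths and header values below are constructed.

// Headers a browser reserves for itself; script must not be able to set them.
const FORBIDDEN_HEADERS = new Set([
  'referer', 'host', 'content-length', 'transfer-encoding', 'connection',
]);
// RFC 7230 "token": the only characters a method or header name may contain.
const TOKEN_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
// CR, LF and the other control characters; any of them inside a field lets
// the script terminate the current line and write lines of its own.
const CTL_RE = /[\x00-\x1f\x7f]/;

// Shared wire-format writer: request line, Host, caller headers, body.
function serialize(method, path, headers, body) {
  let req = `${method} ${path} HTTP/1.1\r\nHost: app.example.test\r\n`;
  for (const [name, value] of Object.entries(headers)) {
    req += `${name}: ${value}\r\n`;
  }
  req += `Content-Length: ${Buffer.byteLength(body)}\r\n\r\n${body}`;
  return req;
}

// Permissive: trusts everything the script passed in (the flawed behaviour).
function buildRequestPermissive(method, path, headers = {}, body = '') {
  return serialize(method, path, headers, body);
}

// Strict: reject anything that could break out of its field, and refuse the
// headers the browser owns.
function buildRequestStrict(method, path, headers = {}, body = '') {
  if (!TOKEN_RE.test(method)) throw new Error(`invalid method: ${JSON.stringify(method)}`);
  if (CTL_RE.test(path) || /\s/.test(path)) throw new Error('invalid request-target');
  for (const [name, value] of Object.entries(headers)) {
    if (!TOKEN_RE.test(name)) throw new Error(`invalid header name: ${JSON.stringify(name)}`);
    if (CTL_RE.test(value)) throw new Error(`control character in header ${name}`);
    if (FORBIDDEN_HEADERS.has(name.toLowerCase())) throw new Error(`forbidden header: ${name}`);
  }
  return serialize(method, path, headers, body);
}

// Crude detector: how many HTTP request lines does this byte string contain?
// A well-formed single request has exactly one; a second one was smuggled.
function countRequestLines(raw) {
  return raw.split('\r\n').filter((l) => /^[A-Z]+ \S+ HTTP\/1\.[01]$/.test(l)).length;
}

// Constructed hostile input: a header value carrying CRLFs that closes the
// first request and appends a second one with a chosen Referer.
const smuggling = {
  'X-Note': 'a\r\n\r\nGET /admin/export HTTP/1.1\r\nHost: app.example.test\r\nReferer: http://app.example.test/',
};

// Run the same calls through both builders and report what happened.
function demo() {
  const permissive = buildRequestPermissive('GET', '/search?q=x', smuggling);
  let strictError = null;
  try { buildRequestStrict('GET', '/search?q=x', smuggling); } catch (e) { strictError = e.message; }
  let refererError = null;
  try { buildRequestStrict('GET', '/', { Referer: 'http://trusted.example/' }); } catch (e) { refererError = e.message; }
  return {
    permissiveRequestLines: countRequestLines(permissive), // 2: the smuggled request went out
    strictError,   // 'control character in header X-Note'
    refererError,  // 'forbidden header: Referer'
  };
}

console.log(demo());
```

The permissive builder emits two request lines for one `send()`, which is the shape of the request-smuggling and response-splitting outcomes the excerpt lists, and it lets script choose the Referer outright; the strict builder fails closed on both. Real browsers today apply the same three checks (token-only method and header names, no CR or LF in any field, a forbidden-header list) inside `open()` and `setRequestHeader()`.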

Posted by Dion Almaer at 9:38 am

1 Comment

The biggest problem facing mobile devices is that they have a cumbersome user interface and the user experience is not consistent across devices.

The technology jobber poses the question of the correct UI for mobile devices and speculates whether AJAX could be adapted to it.

Comment by Ben — October 2, 2005
