Friday, September 30th, 2005

Exploiting the XmlHttpRequest object in IE

Category: Articles

Amit Klein has written up ideas on security issues to watch out for with XHR in his paper, Exploiting the XmlHttpRequest object in IE – Referrer spoofing, and a lot more… The introduction follows.

Introduction

XmlHttpRequest is a Javascript object that allows client-side Javascript code to send almost raw HTTP requests to the origin host and to access the response’s body in raw form. As such, XmlHttpRequest is a core component of AJAX.

It seems that the same origin security policy ensures that the power of XmlHttpRequest is only used in a secure manner (after all, if the Javascript code can only access the server it originated from, then what harm can be done, except for XSS conditions), but this is not so. In fact, about 2.5 years ago I noticed a problem in XmlHttpRequest’s implementation in IE – IE doesn’t validate some critical fields that are provided by the user [1]. Back at that time, the attack vector was through an XSS condition, but the basic flaw (and other, related flaws) renders itself nicely to other conditions, which we’ll see below.

The techniques discussed below allow the attacker (given the right conditions) to perform:

  • Referer spoofing (for leeching and for complete client-side MITM attack)
  • HTTP Request Smuggling, HTTP Response Splitting and Web cache poisoning
  • Accessing content / web-scanning
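The flaw Klein describes is that IE forwarded header names and values from setRequestHeader() without checking them, so a page could overwrite Referer or inject CR/LF into a request. The following is an added example, not code from the paper or from Ajaxian, of the validation a browser (or a wrapper around an XHR-like object) should apply before sending a header; the forbidden-header list and the GuardedXhr class are assumptions modelled on what modern browsers enforce.

```javascript
// Added example: the check IE lacked for XMLHttpRequest.setRequestHeader().
// Two rules: (1) refuse headers the page must not control (Referer, Host,
// Content-Length, ...), and (2) refuse CR/LF/NUL in names or values, which
// would otherwise let one header call inject further header lines or a
// second request (the smuggling / response-splitting vector).

// Assumption: subset of request headers modern browsers forbid scripts to set.
const FORBIDDEN_REQUEST_HEADERS = new Set([
  'referer', 'host', 'content-length', 'transfer-encoding',
  'connection', 'cookie', 'origin', 'via', 'proxy-authorization',
]);

// RFC 7230 token characters allowed in a header name.
const TOKEN_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// Returns {ok: true} or {ok: false, reason: '...'}.
function validateRequestHeader(name, value) {
  if (typeof name !== 'string' || !TOKEN_RE.test(name)) {
    return { ok: false, reason: 'invalid header name' };
  }
  if (FORBIDDEN_REQUEST_HEADERS.has(name.toLowerCase()) ||
      /^(proxy|sec)-/i.test(name)) {
    return { ok: false, reason: 'forbidden header name' };
  }
  if (typeof value !== 'string' || /[\r\n\0]/.test(value)) {
    return { ok: false, reason: 'control characters in header value' };
  }
  return { ok: true };
}

// Hypothetical wrapper around an XHR-like object: validates, then delegates.
// A rejected header throws instead of being silently sent on the wire.
class GuardedXhr {
  constructor(inner) { this.inner = inner; this.headers = []; }
  setRequestHeader(name, value) {
    const v = validateRequestHeader(name, value);
    if (!v.ok) throw new TypeError(`setRequestHeader rejected: ${v.reason}`);
    const clean = value.trim();
    this.headers.push([name, clean]);
    if (this.inner && typeof this.inner.setRequestHeader === 'function') {
      this.inner.setRequestHeader(name, clean);
    }
  }
}
```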

Posted by Dion Almaer at 9:38 am
The biggest problem facing mobile devices is that they have a cumbersome user interface and the user experience is not consistent across devices.

The technology jobber poses the question about the correct UI for the mobile devices and speculates if AJAX could be adopted to it.

Comment by Ben — October 2, 2005