
Misunderstanding Javascript injection: A paper on web application abuse via Javascript injection

UPDATED: 1/30/06 Response from Author
"Just to inform you that the malicious code mentioned to you was actually partly research for the paper. If you take a look at the latest version (with lynx if you like), I now refer to the clipboard issue in issue 3 (this was introduced in 1.2.0 of my paper). The code that was previously included in the page simply logged a 404 in my error logs for each success; I'm intending to run these logs through a log processor so that I can get a better understanding of vulnerable IE versions still in the wild and whether there is a significant variation in success dependent on the carrier web site.

To clarify, the code itself has been removed. Once the balloon went up, as it were, there was no further benefit in keeping it there, since any future results would quickly be skewed by publicity.

From what I understand, the clipboard issue only affects IE. The point of the paper is that legitimate features can be used in an unorthodox manner and that these features carry far more risk than is currently perceived by many people, including those in the industry. XSS attacks aren't just about stealing cookies. IMO a feature such as this, which was flagged up in 2002, should by now have been dealt with, and yet it has been allowed to remain.

I make the point in my paper that really it would be beneficial for far more granular security to be put in place within browsers, which should include the use of PKI signing of Javascript code. This would allow browsers to correctly identify legitimate Javascript introduced by the developer as opposed to rogue code introduced via XSS attacks. The overall risks highlighted in the paper are faced by every single one of us on a daily basis and therefore need to be better understood." - Tim

1/29/06 IMPORTANT UPDATE: A viewer has brought to my attention that the site linked in this story contains malicious javascript using a well-known vulnerability to copy clipboard data and send it to an attacker's site. For this reason I have removed the clickable link. If you want to read more about this article, be warned of the URL that you are going to visit. - CGISecurity Staff

"Some months back, a colleague and I were kicking around some ideas for a cross-platform XSS-borne virus[1]. He ended up writing a paper on it and I didn't. Whilst it is common to see the issue of Javascript injection on the various security-oriented mailing lists, there are issues I've not seen much mention of; this paper seeks to rectify that." - Tim Brown

Article Link (View with Caution): http://www.nth-dimension.org.uk/news/entry.php?e=156579087
