Wednesday, July 26, 2006

Where the next BIG attacks will come from

This morning I caught a post on webkitchen describing an idea for implementing safe cross-domain XHR using an opt-in method (by the destination server). A neat idea that I'll have to give more thought to. Clearly web developers need this kind of functionality to create ever better web apps. What caught my attention was near the bottom of the post:

"Clientside cross-domain data requests are an extremely useful tool. They can only currently be done (in Javascript) using the script-tag workaround to deliver data as JSON.

External JSON is extremely dangerous as it is arbitrary third-party code executed in the scope of the current web-page. It can be used to steal passwords or data present in the current scope."
The author has it right: calling in external JSON is extremely dangerous. However, the explanation doesn't go far enough. Any time you include JavaScript from a third party on your web page it carries the same risk, because the data feed can contain JavaScript malware capable of doing many nasty things to your visitors (including stealing passwords). Also in the risk profile are JS traffic counters, advertising banners, RSS feeds, weather displays, clocks, etc. You know, web page widgets.
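An added example (not from the post or its comments) contrasting the two ways a page can consume a third-party data feed: executing it, as a script tag include does, versus parsing it strictly as data. The feed strings, the `page` object and its `leak` method are constructed stand-ins for the browser's page scope, and the example assumes an engine with `JSON.parse`.

```javascript
// Added example, not code from the original post. Shows why a data feed that is
// *executed* runs with the page's privileges, while one that is *parsed* cannot.

// Constructed sample feeds. The first is pure data. The second is what a
// compromised or malicious widget provider could ship: still a valid JavaScript
// expression that yields the same object, but with code in front of the data.
const CLEAN_FEED = '{"city": "Santa Clara", "tempF": 72}';
const TAMPERED_FEED =
  '(page.leak(page.secret), {"city": "Santa Clara", "tempF": 72})';

// Simulates the script-tag include: the feed text is executed as code with the
// page's scope (`page`, standing in for window/document) visible to it.
// Whatever the feed's author wrote runs exactly like the page's own scripts.
function consumeByExecuting(feedText, page) {
  const run = new Function('page', 'return (' + feedText + ');');
  return run(page);
}

// Treats the feed as data only. JSON.parse accepts no identifiers, calls or
// statements, so a feed carrying code is rejected instead of run.
function consumeByParsing(feedText) {
  return JSON.parse(feedText);
}

// Runs both consumers over both feeds and reports the outcome of each path.
function demo() {
  const leaked = [];
  // Constructed stand-in for data living in the page's scope.
  const page = { secret: 'session-token (constructed)', leak: v => leaked.push(v) };
  const result = { executed: {}, parsed: {} };
  for (const [name, feed] of Object.entries({ clean: CLEAN_FEED, tampered: TAMPERED_FEED })) {
    // Both feeds "work" when executed; the page cannot tell them apart.
    result.executed[name] = consumeByExecuting(feed, page).tempF;
    try {
      result.parsed[name] = consumeByParsing(feed).tempF;
    } catch (e) {
      result.parsed[name] = 'rejected: ' + e.name;
    }
  }
  // 1: executing the tampered feed ran its code against the page scope.
  result.leakedCount = leaked.length;
  return result;
}
```

In a real page the parsing path means fetching the feed text via XHR from your own origin (or a server-side proxy) and parsing it, rather than handing a cross-domain URL to a script tag; the source of the script never gets to execute anything.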

I alluded to this eventuality in my white paper on Cross-Site Scripting Worms and Viruses. In my opinion this is the likely attack vector for the next BIG attacks on the Web.


Peter Nixey said...


Thanks for the kind comments, I'm glad you found the article thought provoking.

I am in complete agreement with you on the security issues associated with cross-domain Javascript.

We've spent the last 20 years making our operating systems more and more secure and our browsers bomb-proof. Unfortunately many of us now do most of our work inside the browser itself and outside the firewall.

It's only going to take one semi-successful Web 2 or MySpace add-in company with a neat little blog widget that surreptitiously harvests document data and we're going to see passwords disappearing everywhere.

I personally think that the answer lies in segmenting scope within the browser.

We have to get the tools to ringfence foreign code and data or else things are going to get very messy indeed.

Jeremiah Grossman said...

Yah, I think right now security on the Web is basically completely broken. Users have no way to protect themselves. Things wouldn't be so bad if the browser vendors were actively working on something, but they're not. What you can do with JS is so amazing now, hard to tell where we go from here. There are lots of ideas, just no implementation.