http://matasanochargen.disqus.com/enMon, 02 Apr 2007 17:25:06 -0000http://www.matasano.com/log/752/fortifys-announcement-about-jeremiahs-attack-decoded/#comment-2321917It's definitely NOT JSON's fault. I personally don't even think it has anything to do with AJAX.<br><br>What's happening here is this:<br><br>There was a belief that XSRF attacks --- follow a link and, without requiring confirmation, cause an action in a target application --- only allowed you to "create", "update", or "delete", but not "read".<br><br>It turns out there's at least one major scenario in which that isn't true: when the data you want to read is embedded in Javascript, you can hijack prototypes to get at it.<br><br>However, if we never find a way to do something similar with XML, I'll be surprised.<br><br>XSRF-able UI actions shouldn't provide sensitive data. If you audit your application for XSRF flaws, you've defeated this attack. Moreover, the well-known preexisting exploits for XSRF are actually worse than this attack. I think it's much ado over not much, though I think Jeremiah's attack is very clever.Thomas PtacekMon, 02 Apr 2007 17:25:06 -0000http://www.matasano.com/log/752/fortifys-announcement-about-jeremiahs-attack-decoded/#comment-2321916As I understand what you're saying, the vuln isn't JSON's fault, per se. If you're hooking into an AJAX app that uses XML to move data around, you can still proxy the XMLHTTPRequest and get that nice, sensitive data from a DOM tree.<br><br>That doesn't make the rest of what you say any less true, but it sounds like you're accusing JSON of being inherently insecure, when the problem is Javascript and how it's deployed in the browser. It's a very trusting (and trusted) language in a hostile environment.<br><br>As an aside, I hope web developers are at least being told never to just eval JSON data. Just because you can doesn't mean you should.Phil GroceMon, 02 Apr 2007 17:12:46 -0000http://www.matasano.com/log/752/fortifys-announcement-about-jeremiahs-attack-decoded/#comment-2321915Think of all the code written in C and PHP, and ask yourself whether people are going to pick a language because it is more or less secure.<br><br>The problem with Javascript isn't the language. It's the setting. The idea of executing code controlled by hostile content in any programming environment is sort of insane.Thomas PtacekMon, 02 Apr 2007 17:02:51 -0000http://www.matasano.com/log/752/fortifys-announcement-about-jeremiahs-attack-decoded/#comment-2321914Dynamic languages are awesome. They're also freakin' scary for us security folks -- I remember reading about Obj-C method swizzling for the first time, and thinking "Oh dear god...".<br><br>Maybe there's a middle ground in language design, somewhere with (most of) the benefits of dynamism, but without fear-inducing "features" like being able to redefine the guts of the runtime. Not that I've given this idea any deep thought, though; am I completely out in left field with that suggestion? Or, better yet, has somebody already designed a language like that?MattMon, 02 Apr 2007 16:33:22 -0000http://www.matasano.com/log/752/fortifys-announcement-about-jeremiahs-attack-decoded/#comment-2321913Speaking of code injection, I learned today that one of the encoding types that flickr supports is php. As in, they give you a block of PHP code to execute and Good Things Happen(tm). JSON is bad enough, having a 3rd party (over plaintext http or non-certificate-verifying https, no less) hand you code to execute is madness.<br><br>Really, parsing isn't that hard.Jeremiah BlatzMon, 02 Apr 2007 15:03:22 -0000