I just noticed something of a huge security hole in Internet Explorer which isn't present in Firefox, Opera, or Safari.
Firefox, Opera, and Safari will not let you make AJAX requests to any host other than the one you loaded the web page/JavaScript from originally. Attempting to do so will get you a "Permission denied" error on the JavaScript console.
IE, however, will seemingly allow you to make AJAX requests wherever you wish. This allows for a whole number of cross-site scripting attacks, all of which will be completely user transparent. One is outlined below:
Our happy IE user is browsing the web, feeling safely nestled away behind a firewall/proxy server. This user works on internal documents on an internal web server quite often, and uses cookies to bypass login attempts to the server.
An attacker magically knows the internal hostname and address of a particular resource which is, in theory, not only password protected (but increasing convenience by saving login info with cookies), but locked away from the commodity Internet via a firewall, and only allows outbound Internet connections via the proxy server.
Happy IE user receives e-mail or some other sort of invitation from the attacker to visit a particular web page. Happy IE user visits the web page, and sees a stupid flash animation or some other distraction.
However, completely transparent to Happy IE user's distracting experience, a JavaScript embedded in the page makes an AJAX request to the protected internal web server. Session cookies allow the script access to the protected resource. It is fetched and stored in the XMLHTTP.responseText variable.
Another AJAX request is instigated, this time to a server set up to receive the file. AJAX uses the system's proxy settings, and an AJAX POST request dumps the file onto the attacker's server via the proxy. Happy IE user is none the wiser, and unless they actually looked at the JavaScript source in the page or had a traffic analyzer running, they'd never notice that sensitive internal information had been compromised.
The moral of the story: Don't use IE
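As an added illustration (not code from the original post), the following function implements the same-origin rule the post credits to Firefox, Opera and Safari: two URLs share an origin only when scheme, host and port all match, and a request whose target fails that test is refused. The hostnames in the sample (`example.net`, `intranet.example.internal`) are constructed placeholders; the check itself is what a browser, or a defender reviewing proxy logs for scripts reaching from an external page into an internal host, would apply.

```javascript
// Added example, not from the original post: a same-origin check in the
// spirit of the policy described for Firefox, Opera and Safari.
// Two URLs are "same origin" when scheme, host and port all match.

function originOf(urlString) {
  const url = new URL(urlString);
  // url.port is "" when the default port is used, so normalize it
  // (http://example.net/ and http://example.net:80/ are the same origin).
  const defaultPorts = { "http:": "80", "https:": "443" };
  const port = url.port || defaultPorts[url.protocol] || "";
  return `${url.protocol}//${url.hostname.toLowerCase()}:${port}`;
}

function isSameOrigin(pageUrl, targetUrl) {
  return originOf(pageUrl) === originOf(targetUrl);
}

// Decide whether a script loaded from pageUrl may issue a request to
// targetUrl. Returns the decision together with a reason so that a
// refusal can be logged rather than silently dropped.
function checkRequest(pageUrl, targetUrl) {
  if (isSameOrigin(pageUrl, targetUrl)) {
    return { allowed: true, reason: "same origin" };
  }
  return {
    allowed: false,
    reason: `cross-origin: ${originOf(pageUrl)} -> ${originOf(targetUrl)}`,
  };
}

// Constructed sample pairs (hypothetical hostnames): a page served from an
// external site, and the requests its script tries to make. The second
// pair is the post's scenario: an external page reaching for an internal
// intranet resource, which the policy refuses.
const SAMPLE_REQUESTS = [
  ["http://example.net/fun.html", "http://example.net/api/data"],
  ["http://example.net/fun.html", "http://intranet.example.internal/docs/secret.doc"],
  ["http://example.net/fun.html", "https://example.net/api/data"],
  ["http://example.net:80/fun.html", "http://EXAMPLE.net/other"],
];

// Returns one boolean per sample pair: true if the request would be allowed.
function runSample() {
  return SAMPLE_REQUESTS.map(([page, target]) => checkRequest(page, target).allowed);
}

for (const [page, target] of SAMPLE_REQUESTS) {
  const decision = checkRequest(page, target);
  console.log(`${target}: ${decision.allowed ? "ALLOW" : "DENY"} (${decision.reason})`);
}
```

Note that the third pair is denied even though the host matches: a change of scheme (http to https) is a different origin, and the fourth pair is allowed because the explicit `:80` and the upper-case host normalize to the same origin. A server-side defender cannot rely on the browser alone; the same comparison applied to a request's Referer against the server's own origin gives a second, independent check.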