Ok, so I'm developing a web app that has begun to be more ajaxified. I then read a blog that talked about javascript hijacking, and I'm a little confused about when it's actually a problem. I want some clarification.
Question 1:
Is this the problem/vulnerability?
If my site returns json data with a 'GET' request that has sensitive information then that information can get into the wrong hands.
I use ASP.NET MVC and the method that returns JSON requires you to explicitly allow json get requests. I'm guessing that they are trying to save the uninitiated from this security vulnerability.
Question 2:
Does the hijacking occur by sniffing/reading the response as it's being sent through the internet? Does SSL mitigate that attack?
Question 3:
This led me to ask this question to myself. If I'm storing page state in local javascript object(s) of the page, can someone hijack that data(other than the logged in user)?
Question 4:
Can I safely mitigate against THIS vulnerability by only returning JSON with a 'POST' request?
The post you linked to is talking about CSRF & XSS (see my comment on the question), so in that context:
Is this the problem/vulnerability ("If my site returns json data with a 'GET' request that has sensitive information then that information can get into the wrong hands.")?
No.
Does the hijacking occur by sniffing/reading the response as it's being sent through the internet?
No.
If I'm storing page state in local javascript object(s) of the page, can someone hijack that data(other than the logged in user)?
It depends. It depends on whether you're storing the data in cookies and haven't set the right domain, or path. It depends on whether there's a security vulnerability on the client browser that would allow a script to gain access to data that typically is restricted. There are numerous other vectors of attack, and new ones are discovered all the time. The long and the short of it is: don't trust the browser with any confidential or secure data.
Can I safely mitigate against THIS vulnerability by only returning JSON with a 'POST' request?
No (it's not a single vulnerability, it's a set of classes of vulnerabilities).
Well, you can check if there was a GET and if the GET was from a correct referrer.
You are not really much safer getting it from a POST because that is just as easy to simulate.
In general there are a lot of things you can do to prevent cross-site forgery and manipulation.
The actual vulnerability is being able to overwrite Array.
If one overwrites the native Array then one gets access to the JSON data that's constructed as an Array.
This vulnerability has been patched in all major browsers.
You should only worry about this if your clients are using insecure browsers.
Example:
window.Array = function() {
console.log(arguments);
// send to secret server
}
...
$.get(url, function(data) { ... });
When the data is constructed, if there are any arrays in the returned JSON the browser will call window.Array, and then the data in that array gets sent to the secret server.
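As an added example (not code from any of the answers above), here is the standard defence against the Array-override trick the answer describes: the server prefixes its JSON with a string that is a syntax error as JavaScript, so a cross-site script include can never evaluate the body, and the legitimate client strips the prefix and uses JSON.parse rather than eval. The prefix value and the helper names are this example's own assumptions.

```javascript
// Non-executable prefix (assumed convention for this example): as the first
// token of a script it is a SyntaxError, so the response cannot run as code.
const ANTI_HIJACK_PREFIX = ")]}',\n";

// Server side: wrap the serialized data before sending it. This matters most
// for top-level arrays, which are valid JavaScript statements on their own.
function protectJson(data) {
  return ANTI_HIJACK_PREFIX + JSON.stringify(data);
}

// Client side (your own XHR/fetch handler): require the prefix, strip it,
// and parse with JSON.parse, never eval. Missing prefix means a misconfigured
// endpoint, so fail loudly rather than silently accepting the body.
function parseProtectedJson(text) {
  if (!text.startsWith(ANTI_HIJACK_PREFIX)) {
    throw new Error("response is missing the anti-hijack prefix");
  }
  return JSON.parse(text.slice(ANTI_HIJACK_PREFIX.length));
}

// Defender's check: would this body parse as a JavaScript program?
// A bare array literal does; the protected body does not, regardless of
// whether the browser lets a page override window.Array.
function isExecutableAsScript(body) {
  try {
    new Function(body); // only parses, never runs the body
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Constructed sample payload (not real account data).
const accountData = [{ id: 1, email: "alice@example.com" }];

function demo() {
  const bare = JSON.stringify(accountData);
  const protectedBody = protectJson(accountData);
  return {
    bareIsExecutable: isExecutableAsScript(bare),            // true
    protectedIsExecutable: isExecutableAsScript(protectedBody), // false
    roundTrip: parseProtectedJson(protectedBody),             // original data
  };
}
```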