* Posts by Brian Chess

1 publicly visible post • joined 6 Apr 2007

New vulnerability strikes heart of Web 2.0

Brian Chess

ASP.NET AJAX is vulnerable

I'm Brian Chess, one of the authors of the original JavaScript Hijacking paper. Checking for application/json in the Content-Type header is not enough to prevent JavaScript hijacking. An attacker can simply request the data twice.

Here’s a two-step attack that bypasses the check:

1) The attack code uses the Adobe Flash player to request the JSON. By using Flash, the attack can set the Content-Type header correctly. However, it can’t directly see the response. (For more on setting HTTP headers using Flash, see http://www.securityfocus.com/archive/1/441014)

2) The attack code now generates a <script> tag and requests the data again. The second time around, the Web browser doesn’t go up to the server, it takes the data out of its cache. This time the attacker gets access to the data.

Atlas doesn’t allow HTTP GET by default, and it doesn’t instruct the web browser to cache by default, but some people recommend using GET and caching responses in order to improve application performance. Oops!

As with the rest of the frameworks we analyzed, we recommend that Atlas take active steps to prevent JavaScript Hijacking.
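The two-step bypass described in the post above, modelled in JavaScript as an added example. This is not Brian Chess's code, nor code from ASP.NET AJAX (Atlas); the server endpoint, the browser cache and the attacker's two requests are all simulated in one process, and the cache model (store only successful GET responses with a positive max-age) is a deliberate simplification of real browser caching rules. The `policy` object stands in for the framework configuration the post mentions: whether GET is accepted and whether responses are marked cacheable.

```javascript
// Added illustration of the "request it twice" bypass of a Content-Type
// check. Not code from the original post or from the Atlas framework.
// Everything here (server, cache, attacker) is simulated in-process.

// Simulated server-side JSON endpoint. `policy.allowGet` and
// `policy.cacheable` are assumed knobs standing in for framework settings.
function jsonEndpoint(req, policy) {
  // The defence the post criticises: only the request Content-Type is checked.
  if (req.headers['content-type'] !== 'application/json') {
    return { status: 403, headers: {}, body: '' };
  }
  if (req.method === 'GET' && !policy.allowGet) {
    return { status: 405, headers: {}, body: '' };
  }
  // Sensitive data returned as a JSON array literal: this is valid
  // JavaScript, so a <script> tag will execute it in the attacker's page.
  const headers = policy.cacheable
    ? { 'cache-control': 'max-age=3600' }
    : { 'cache-control': 'no-store' };
  return { status: 200, headers, body: '[{"account":"12345","balance":"9000"}]' };
}

// Minimal model of the browser's HTTP cache: only successful GET responses
// carrying a positive max-age are stored (a simplification of real rules).
class BrowserCache {
  constructor() { this.entries = new Map(); }
  store(req, res) {
    const m = /max-age=(\d+)/.exec(res.headers['cache-control'] || '');
    if (req.method === 'GET' && res.status === 200 && m && Number(m[1]) > 0) {
      this.entries.set(req.url, res);
    }
  }
  lookup(url) { return this.entries.get(url); }
}

// Step 1: the attacker's Flash movie sends the request with the expected
// Content-Type header. The response goes to the browser (which may cache it)
// but is never handed to the attacker's code.
function flashRequest(cache, url, policy) {
  const req = { url, method: 'GET', headers: { 'content-type': 'application/json' } };
  const res = jsonEndpoint(req, policy);
  cache.store(req, res);
  return undefined; // attacker learns nothing from this step directly
}

// Step 2: a <script src=url> tag. A script tag is always a GET and cannot
// set Content-Type. If the URL is in the cache the browser never contacts
// the server and the cached JSON runs in the attacker's page.
function scriptTagRequest(cache, url, policy) {
  const cached = cache.lookup(url);
  if (cached) return cached.body;
  const req = { url, method: 'GET', headers: {} }; // no Content-Type possible
  const res = jsonEndpoint(req, policy);
  return res.status === 200 ? res.body : null;
}

// Runs the full two-step attack and returns the stolen body, or null if the
// attack was blocked.
function runHijack(policy) {
  const cache = new BrowserCache();
  const url = '/api/accounts';
  flashRequest(cache, url, policy);
  return scriptTagRequest(cache, url, policy);
}
```

With GET allowed and responses cacheable, `runHijack` returns the account data even though the server's Content-Type check was never bypassed directly; the cache served the script tag. Disabling either GET or caching (the Atlas defaults the post describes) makes the attack return null, which is why the performance advice to enable both is the problem.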