#557 closed defect (invalid)

Potential XSS vulnerability when using JSON

Reported by: taral Owned by:
Priority: minor Milestone: undecided
Component: code-frontend-web Version: 1.2.0
Keywords: security jsui webdrive Cc:
Launchpad Bug:

Description

Any JSON return that has an array at toplevel is vulnerable to a cross-site scripting vulnerability by setting an Array constructor before transcluding the JSON source in a <script> tag. The Array constructor will run in the JSON source context, exposing any site-private data e.g. cookies.

Change History (5)

comment:1 Changed at 2009-03-08T22:00:50Z by warner

  • Component changed from unknown to code-frontend-web
  • Owner nobody deleted

comment:2 Changed at 2010-04-13T22:53:25Z by davidsarah

  • Keywords security jsui webdrive added
  • Resolution set to invalid
  • Status changed from new to closed
  • Summary changed from Potential XS vulnerability when using JSON to Potential XSS vulnerability when using JSON

In Tahoe v1.6.1, we don't have any JavaScript as part of the open-source project. There are proposals to add some: Tahoe Explorer (#1000), the two GSoC projects involving JavaScript (blog and music app), and the allmydata.com webdrive UI (#669). These could be subject to the issue in the description, but only if they used eval or transclusion in a <script> as a way of parsing JSON. Don't do that.

For Tahoe Explorer, the code currently attached to #1000 relies on there being a top-level JSON global providing a safe JSON.parse method conforming to ECMAScript 5.

In any case, to set the Array constructor (or any other global), an attacker must already have been able to run their unrestricted JavaScript code in the same context. If they are able to do that, our security against XSS would unavoidably be toast regardless of any use of JSON.

comment:3 Changed at 2010-04-14T06:27:54Z by taral

  • Resolution invalid deleted
  • Status changed from closed to reopened

I believe you may have misunderstood the nature of the attack.

evil.com/attack.html: <script>SetArrayConstructorToEvil?()</script> <script src="http://tahoe.example/data.json"></script>

Now evil.com has access to cookies etc. on tahoe.example.

comment:4 follow-up: Changed at 2010-04-15T01:37:19Z by davidsarah

That is not how array construction behaves in any recent browser. The literal array syntax ([...]) creates a built-in array using the original constructor; rebinding the Array constructor (or the Object constructor) will have no effect. It is possible to change the behaviour of Array or Object methods, but JSON interpreted as JavaScript does not contain any method calls that will run with the origin of the victim site.

Firefox 2 had the behaviour you describe, but that was purely a browser bug, and FF2 is also vulnerable to other bugs that allow arbitrary code execution.

comment:5 in reply to: ↑ 4 Changed at 2010-04-15T01:43:20Z by davidsarah

  • Resolution set to invalid
  • Status changed from reopened to closed

Replying to davidsarah:

That is not how array construction behaves in any recent browser. The literal array syntax ([...]) creates a built-in array using the original constructor; rebinding the Array constructor (or the Object constructor) will have no effect.

Also, note that if evil.com/attack.html contains:

<script>SetArrayConstructorToEvil?()</script>
<script src="http://tahoe.example/data.json"></script>

The first script block will change the Array constructor in the context belonging to evil.com, not the context belonging to tahoe.example. If it were possible for it to change the latter, then every site containing any file parseable as JavaScript would be trivially vulnerable to XSS.

Note: See TracTickets for help on using tickets.