
24 September 2012

Comments

Good explanation.
Does it work on latest browsers (IE8) ?

Article is good. Keep it up!
But can you explain whether you meant Cross Site Scripting rather than Cross Site Request Forgery? As, to my knowledge, an attacker cannot access data using a CSRF attack but can generate unauthorized requests from a victim's machine to improperly initiate an action. So, it's the victim's machine which will receive the response and not the attacker's machine. In simple terms, CSRF cannot be used to view someone's data. XSS can be used to perform CSRF as well as to access the data, among lots of other flavors of attack like defacing, hijacking, etc.

The easiest way to prevent that is to always return JSON data as part of an object literal.
A valid JSON document can be a string, a number, a boolean, null, an array literal, or an object literal.
In JavaScript, expressions are usually valid statements, which is why JSON data can potentially be executed as a script, with the exception of the object literal notation. If the document starts with the curly brace of the object notation, it won't be a valid script and so won't be executed. This hack will then not be able to access the data.

In simple words, never return an Array directly; embed it in an object:
{"result": [{"id":"1001","ccnum":"4111111111111111","balance":"2345.15"},{"id":"1002","ccnum":"5555555555554444","balance":"10345.00"},{"id":"1003","ccnum":"5105105105105100","balance":"6250.50"}]}
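The claim in the comment above (a bare JSON array parses as a JavaScript program, an object-literal-wrapped body does not) can be checked offline. The following is an added example, not code from the original post or from any commenter; the function names `isExecutableAsScript`, `isValidJson` and `toSafeJsonBody` are my own, and `new Function(text)` is used as a stand-in for what a browser would do when loading the body via a `<script src>` tag, since both parse the text with the script grammar. The sample record is constructed and shaped like the one in the comment. The example goes slightly beyond the comment by also showing the one edge case where the rule does not hold: an empty object `{}` parses as an empty block statement, so it is "executable", but it carries no data.

```javascript
// Added example: verifying that a JSON body cannot run as a script.
// Not from the original post; helper names are assumptions.

// Constructed sample data, same shape as the comment's example.
const bareArray =
  '[{"id":"1001","ccnum":"4111111111111111","balance":"2345.15"}]';
const wrappedBody = '{"result": ' + bareArray + '}';

// True if `text` parses as a JavaScript program, i.e. it would execute
// if a browser were tricked into loading it with <script src="...">.
// `new Function` only parses here; the returned function is never called.
function isExecutableAsScript(text) {
  try {
    new Function(text);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// True if `text` is valid JSON, which is all a legitimate XHR/fetch
// caller needs; wrapping must not break this.
function isValidJson(text) {
  try {
    JSON.parse(text);
    return true;
  } catch (e) {
    return false;
  }
}

// Server-side helper: serialise any value inside an object literal so the
// top-level token is always `{` followed by a string key. That sequence is a
// syntax error as a script (a `{` block, then a string, then an unexpected
// `:`), while remaining valid JSON for the intended client.
function toSafeJsonBody(value) {
  return JSON.stringify({ result: value });
}

// Combined check a response filter could apply before sending a body.
function isSafeJsonBody(text) {
  return isValidJson(text) && !isExecutableAsScript(text);
}

// Demonstration when run directly.
console.log('bare array executable?   ', isExecutableAsScript(bareArray)); // true
console.log('wrapped body executable? ', isExecutableAsScript(wrappedBody)); // false
console.log('wrapped body valid JSON? ', isValidJson(wrappedBody)); // true
console.log('empty object executable? ', isExecutableAsScript('{}')); // true, but no data
console.log('safe body:', toSafeJsonBody([1, 2, 3])); // {"result":[1,2,3]}
```

`isSafeJsonBody` is the kind of check worth adding to a test suite for any endpoint that returns per-user data: it fails the build the moment someone returns a bare array or a primitive at the top level. Wrapping is a defence-in-depth measure only; the usual complementary controls are requiring a CSRF token or a custom request header on such requests, and not serving sensitive data on a plain GET that any cross-origin page can trigger.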
