The Register® — Biting the hand that feeds IT


JavaScript hijacking - a new exploit, or not?

Have you heard it all before?


I've had an email comment on my JavaScript Hijacking piece to the effect that everyone knows that you do your input validation on the server and that data you send down in JavaScript or in HTML is unsafe - so this really isn't a new exploit.

Well, that first part is true enough, but I disagree with the second. However, Brian Chess is about to put up a JavaScript Hijacking FAQ on the Fortify Software site, so I thought (in the best journalistic tradition) I'd nick his comment on this point.

"While it is true that the client can see any messages the server sends, this is not the scenario where JavaScript Hijacking applies. JavaScript Hijacking involves a vulnerable website, a victim with a web browser, and a malicious website. The malicious website can use JavaScript hijacking to steal the victim's data from the vulnerable website. Web browsers prevent this in most cases, but the browser makers did not anticipate the use of JavaScript to communicate confidential data," he says.
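The scenario Chess describes hinges on the malicious site pulling the vulnerable site's JSON in through a cross-site `<script src>` include, which the victim's browser will happily send cookies with. The guard below is an added example, not code from the article or from Fortify's advisory: a Node-style endpoint that refuses requests which look like a bare script include (a `<script>` tag can only issue a GET and cannot add custom headers, while the application's own XMLHttpRequest calls can), and that prefixes the body so the JSON is not evaluable as a script even if it leaks through. Function names, the `while(1);` prefix convention and the sample data are assumptions made for the example.

```javascript
// Added example (not from the article or Fortify's advisory).
// Hardening a JSON endpoint against JavaScript Hijacking. Request objects
// are assumed to use Node.js conventions: lowercase header names.

const PREFIX = 'while(1);'; // makes the body hang, not evaluate, under <script>

// Constructed sample data of the kind the vulnerable site would return.
const ACCOUNT_DATA = [{ account: '12345', balance: 4200 }];

// A <script src="https://vulnerable.example/data.json"> include can only
// produce a plain GET and cannot set custom headers, so a GET without the
// application's own marker header is treated as a cross-site include.
function isCrossSiteScriptInclude(req) {
  const marker = req.headers['x-requested-with'];
  return req.method === 'GET' && marker !== 'XMLHttpRequest';
}

// Server side: refuse script includes outright; otherwise serve the data
// with an unparseable prefix as defence in depth.
function serveJson(req, data) {
  if (isCrossSiteScriptInclude(req)) {
    return { status: 403, body: '' };
  }
  return { status: 200, body: PREFIX + JSON.stringify(data) };
}

// Client side (the legitimate application): strip the prefix before parsing.
function parseGuardedJson(body) {
  if (!body.startsWith(PREFIX)) {
    throw new Error('response missing anti-hijacking prefix');
  }
  return JSON.parse(body.slice(PREFIX.length));
}

// Constructed requests: one as a hostile page's <script> tag would send it,
// one as the site's own XMLHttpRequest would send it.
const scriptTagRequest = { method: 'GET', headers: {} };
const appRequest = {
  method: 'POST',
  headers: { 'x-requested-with': 'XMLHttpRequest' },
};

console.log(serveJson(scriptTagRequest, ACCOUNT_DATA).status); // 403
console.log(parseGuardedJson(serveJson(appRequest, ACCOUNT_DATA).body));
```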

I'll also note that Fortify's advisory, referenced in the original article, explains this new exploit in great detail and, I think, makes clear what is new about it. ®
