Attacking online services through authenticated browsers
I ran across a neat attack on online services that uses the browser’s cookie cache and JavaScript runtime as the attack vector. The attack requires that the target service uses cookies for authentication; that the service uses a constant URL to access sensitive data; that the victim’s browser is running JavaScript; and that the victim can be lured to an attacking site.
When the victim’s browser is pointed at the attacking site, the attacking site serves up some malicious JavaScript. The JavaScript requests the sensitive data at the well-known URL. The browser happily complies, feeding the authentication cookie to the service in the JavaScript request. The malicious JavaScript parses the returned page, performing whatever nastiness it chooses on the received data.
The problem is that the service has no way of distinguishing between the legitimate links it feeds to the user’s browser and the illegitimate requests coming from the attacking JavaScript: both arrive at the same constant URL carrying the same cookie. The problem can be solved by moving the authentication token out of the cookie and into the links that the site hands to the browser. Since the browser’s same-origin rules limit script to touching the page that loaded it, script on the attacking site cannot read those links and so cannot learn the token, and the service should be safe.
Of course, if the authentication token is regenerated every time the user logs in, that means that the user can’t bookmark those secure services. Then again, AJAX often breaks bookmarking anyway, and there’s a big rush to AJAX for absosmurfly everything, so maybe this isn’t such a big deal.
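As an added illustration of the remedy described above (example code, not code from the original post), here is a minimal Python sketch of a service that keeps its session cookie but also requires a per-login token carried in the links it hands out; the in-memory session store, function names and paths are assumptions.

```python
import hmac
import secrets
from urllib.parse import urlencode, parse_qs, urlparse

# Constructed in-memory session store: session id -> per-login URL token.
SESSIONS: dict[str, str] = {}


def login(user: str) -> tuple[str, str]:
    """Issue a session cookie value and a fresh URL token.

    Both are regenerated on every login, which is why bookmarked links stop working.
    """
    sid = secrets.token_urlsafe(16)
    url_token = secrets.token_urlsafe(16)
    SESSIONS[sid] = url_token
    return sid, url_token


def build_link(path: str, url_token: str) -> str:
    """Links the site hands to the browser carry the token in the query string."""
    return f"{path}?{urlencode({'t': url_token})}"


def authorize(cookies: dict, url: str) -> bool:
    """Accept a request only if it presents the cookie AND the token from a served link.

    A request made by script on another origin carries the cookie automatically but
    cannot read the site's pages to learn the token, so it is refused here.
    """
    sid = cookies.get("session")
    expected = SESSIONS.get(sid) if sid else None
    if expected is None:
        return False
    supplied = parse_qs(urlparse(url).query).get("t", [""])[0]
    # Constant-time comparison; encode so non-ASCII input cannot raise TypeError.
    return hmac.compare_digest(supplied.encode(), expected.encode())


def demo() -> tuple[bool, bool]:
    """Legitimate link (cookie + token) is accepted; the bare constant URL is not."""
    sid, tok = login("alice")  # constructed user
    legit = build_link("/account/statement", tok)
    forged = "/account/statement"  # the well-known URL, no token
    return authorize({"session": sid}, legit), authorize({"session": sid}, forged)
```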
