Home/ Questions/Q 913623
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-15T17:35:29+00:00

I’m aware that there is a Cross site forgery attack that can be performed

  • 0

I’m aware that there is a Cross site forgery attack that can be performed on a request that returns an array by overloading the Array constructor. For example, suppose I have a site with a URL:

foo.com/getJson

that returns:

['Puff the Dragon', 'Credit Card #']

This would normally be Javascript eval‘d by my own site after an XHR request, but another site can sniff this data by including something like:

<script>
function Array() {
  var arr = this;
  var i = 0;
  var next = function(val) {
    arr[i++] setter = next;
    document.write(val);
  };
  this[i++] setter = next;
}
</script>
<script src="http://foo.com/getJson"></script>

My question is, can the same thing be done when the request returns a Javascript object? i.e.

{ name: 'Puff the Dragon', cc: 'Credit Card #' }

I couldn’t figure out a way to do this, but maybe I’m missing something. I know there are better solutions to protect my site, like using the while(1) hack or requiring an auth token in the URL, but I’m trying to figure out if this sort of security hole exists.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    The sources I’ve seen, such as Haacked and Hackademix, specifically indicate that root objects are safe (presumably in all major browsers). This is because a script can not start with an object literal. By default, ASP.NET wraps both objects and arrays with a d prefix, but I think this is just to simplify the client library.

    • 0