Object.prototype.* writable?
Kyle Simpson
getify at gmail.com
Sat May 7 13:17:01 PDT 2011
>> Again, a "smart library" can only do that if it's guaranteed to be the
>> first code to run on the page. If not (which is usually the case), then
>> all bets are off, unless the language offers some protections.
>
> All bets are probably still off. The malicious code that's first can load
> the latter virtuous code as data using cross-origin XHR, or, if the script
> isn't served with an "Access-Control-Allow-Origin: *", via server-side
> proxying. Then the malicious code can rewrite the virtuous code as it
> wishes before evaling it.
My first reaction to this assertion is to say: "so?" It's a rather moot
argument to suggest that code which can be altered before it's run isn't
trustable... of course it isn't. The malicious coder in that scenario
wouldn't even need to go to the trouble of overwriting Object.prototype.* in
the frame, he could just remove the offending if-statement altogether. In
fact, he wouldn't even need to modify my code at all, he could just serve
his own copy of the .js file. .... ... .......
So what are you suggesting? That regardless of the JS engine, no page's JS
functionality is actually reliable, if any of the page's JS resource authors
are dumb and don't configure CORS headers correctly, because any malicious
script (if it's first on the page) can completely hijack another part of the
page? Yup, I agree.
This is a rabbit trail that I'm weary to go down, but I'll just indulge it
for one quick moment.... if you are enabling CORS on your server, and not
protecting your JavaScript code, you're asking for someone to exploit your
code in some XSS type of attack. The whole original purpose of SOP (same
origin policy) was to prevent (or cut down significantly) on such things,
especially as they relate to being able to trick the browser into sending
along cookies/sessions to locations that allow a server to act as
man-in-the-middle. If CORS basically completely eliminates any of the
protections that SOP gave us, then CORS is a failed system.
But CORS is only failed if you do it wrong. I suspect that's part of the
reason CORS is slow to wide-spread adoption (despite plenty of browser
support, except Opera), because it's harder to get it right without throwing
the barn door wide open. FWIW, I see most implementations of CORS only being
on limited URL locations (sub-domains) which are purely web service/REST
API's, not general web server roots. That's not to say that noone is doing
it wrong, but it is to say, that them doing it wrong is irrelevant to this
discussion, because it moots the whole premise.
------------
All this is a moot discussion though, because malicious take-over's of a
page are nothing but an exotic edge case, and only enabled if people "do it
wrong". The original request stemmed NOT from the malicious hacker scenario,
nor from a page "doing it wrong" (per se), but from the "oops, some other
piece of dumb code earlier on the page accidentally screwed up and collided
with something I need to be inviolate."
> I've been at this for a while, as has Crock. I doubt there's any realistic
> scenario where code loaded later into an already corrupted frame can
> usefully defend its integrity. If you know of a way to defend against this
> rewriting attack, please explain it. Thanks.
Off the top of my head, it would seem at first glance that creating a new
iframe for yourself might be the only such way (that is, of course, if you
even *are* yourself, and haven't been transparently modified or replaced --
see above).
I'm sure both of you are way more experienced at this than me (after my 12
year web dev career so far). But I think you're trying to derail the narrow
spirit of my original question by deflecting to much bigger questions. The
appropriate forum for that type of discussion was when CORS was being
conceived and brought about. As people love to say on this list: "that ship
has sailed".
None of this exotic "what-if" scenario indulgence invalidates my original
request, that a clearly known bad-practice (changing *some*, not all,
particular behaviors of natives) leads to code that is less than reliable,
and can we make it a little less so by having the engine protect certain key
pieces.
-----------
And btw, contrary to some people on this list who seem to operate almost
exclusively on theoretical principle, "security through deterrence" (not the
same as "obscurity") is a long-established and perfectly valid approach. No
computer system (SSL included) is completely immune to attack... we live
with somewhat less than ideal theoretical utopia because we construct
systems which are "pretty good" at deterrence, and with that we sleep
peacefully at night.
What I'm suggesting should be viewed as another peg in the system of
deterrence, and nothing more.
--Kyle
More information about the es-discuss
mailing list