#1
    IE Javascript security hole


    I was surprised to discover recently to what extent Explorer leaves your entire webpage vulnerable to data capture and manipulation. I found I could not only access external site variables and form fields from a page located on my desktop, I could write new data to them too! This includes hidden fields which you would think should not be touchable.

    Is there anything that can be done to prevent this? Signed scripts? Anything. I have a game that will otherwise need to be converted to Flash, and would like to avoid the extra work if possible.

    Thanks!

    Paul G
  2. #2
    What exactly do you mean by manipulation? Do you mean simply saving a page locally, changing the code and using absolute paths to interact with a remote site?

    This isn't anything new, for example, find a form for uploading data that has a hidden field called something like 'max size' and you know you'll be able to alter that and upload files larger than are wanted.

    A lot of people use JavaScript to manipulate other sites so that they don't have to shift people from their site to incorporate the remote information. For example, streetmap.co.uk offers you the chance to incorporate a link for a map you want; it's easier to just use JavaScript to create the link yourself.
  4. #3
    Manipulation as in the kind of thing you mentioned. Try to access any form field from a page not originating from the same domain in Netscape and... oh sorry, that would be tampering. It doesn't let you. That makes perfect sense to me. The same-origin security rule of Netscape's was so sensible and basic, and gave JavaScript a little muscle to work with.

    I can think of numerous interesting and advantageous uses of a hidden form field that the Explorer security stance makes impossible, including a client-side instant win game which I must now convert to Flash to prevent tampering.

    I can understand why scripting form fields would be desirable, but hidden fields? Hidden should mean that the author doesn't want you messing with them, under any conditions.

    Paul
  6. #4
    Oh. Your example is an excellent one:

    "This isn't anything new, for example, find a form for uploading data that has a hidden field called something like 'max size' and you know you'll be able to alter that and upload files **larger than are wanted**."

    This boggles my mind. MS doesn't view that as a security issue?

    Paul
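
An added example, not part of any post in this thread: the hidden 'max size' field and the client-side game state discussed above can both be handled on the server, by ignoring client-supplied limits and by sealing any value the form must carry with an HMAC so that edits are detected. It assumes Node.js; the function names, the `ticket` and `max_size` field names and the secret are hypothetical and constructed for illustration.

```javascript
// Added example: server-side handling of hidden form fields (Node.js).
const { createHmac, timingSafeEqual } = require('crypto');

// Assumption: a server-only secret; this value is a constructed placeholder.
const SERVER_SECRET = 'constructed-demo-secret-change-me';
// The real upload limit lives on the server, never in the form.
const MAX_UPLOAD_BYTES = 1024 * 1024;

function sign(value) {
  return createHmac('sha256', SERVER_SECRET).update(value).digest('hex');
}

// Produce a hidden field value the client can carry but not alter undetected.
function sealHiddenField(value) {
  return `${value}.${sign(value)}`;
}

// Return the original value, or null if the field was modified or malformed.
function openHiddenField(sealed) {
  if (typeof sealed !== 'string') return null;
  const dot = sealed.lastIndexOf('.');
  if (dot < 0) return null;
  const value = sealed.slice(0, dot);
  const given = Buffer.from(sealed.slice(dot + 1), 'hex');
  const expected = Buffer.from(sign(value), 'hex');
  if (given.length !== expected.length) return null;
  return timingSafeEqual(given, expected) ? value : null;
}

// Upload check: whatever the form says in max_size is ignored entirely.
function acceptUpload(form, fileBytes) {
  return fileBytes.length <= MAX_UPLOAD_BYTES;
}

// Game check: only a ticket that the server itself sealed is honoured.
function claimPrize(form) {
  const ticket = openHiddenField(form.ticket);
  return ticket !== null && ticket.startsWith('win:');
}
```

A sealed value can still be replayed unchanged, so a real ticket should also include a per-session identifier or one-time nonce that the server checks.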
  8. #5
    I think Microsoft view a lot of things as security issues but also try to keep things as open as possible. This has caused problems in many circumstances; the Nimda virus used simple JavaScript to exploit a hole in the IE security.

    One of the scariest things is the MSHTML vulnerabilities, try:

    http://www.microsoft.com/windows/ie/...ity/mshtml.asp

    to see what I mean. Serious stuff. Check out:

    http://www.microsoft.com/windows/ie/...al/default.asp

    for all the scares, and one thing to realise is that these are the ones that MS thinks are 'critical' so how many aren't?