Operator overloading in Javascript 2 and a potential monster CSRF hole
I noticed that Javascript 2 might include operator overloading, including (at least) the ability to overload the < and > operators.
Operator overloading is really useful if you want to write a Complex number class, and really annoying when someone else wants to flex a newly learned skill and uses it for something totally inappropriate. Since authors of Complex number classes are less common than inexperienced programmers, I'm not keen on the idea in general purpose languages.
However, opinions about programming languages aside, I think that operator overloading in Javascript could turn out to be a really bad idea for a totally different reason.
The ultimate CSRF hack, when Javascript 2 comes out, might just be to redefine operators to make XML (or even HTML) a valid language.
You could then steal pretty much any cross-domain data by doing a script-tag include on an XML/HTML data source.
I really hope someone has thought of this...
Update: I can see that I didn't explain myself very well, so a quick update might be needed.
If you can overload the < and > operators then it might be possible to do so in such a way that HTML or XML becomes a valid bit of Javascript. This is more likely to be possible with known schema like HTML.
So how would this create a huge security hole? Simply because it would allow an attacker to use a script tag to include some HTML and then read the data using a combination of overloaded < and > operators and the Array/Object data stealing methods.
Currently CSRF is restricted to write-only exploits, and the standard way of protecting yourself includes using authentication data in a hidden form field. If an attacker could read this data too, then the standard protection against CSRF would fail. Also you could use this to steal data from intranets and, I'm sure, there are many other options.
The real worry here is that the designers of the language will, in one spec, have to out-smart crackers for a long time to come. Once websites start using the feature, it can't be easily removed.