[ DWR | DocTree | Blog ]
<< DWR News | Home | DWR + OpenAjax Hub + TIBCO GI >>

Operator overloading in Javascript 2 and a potential monster CSRF hole

I noticed that Javascript 2 might include operator overloading, including (at least) the ability to overload the < and > operators.

Operator overloading is really useful if you want to write a Complex number class, and really annoying when someone else wants to flex a newly learn skill and uses it for something totally inappropriate. Since authors of Complex number classes are less common than inexperienced programmers, I'm not keen on the idea in general purpose languages.

However, opinions about programming languages aside, I think that operator overloading in Javascript could turn out to be a really bad idea for a totally different reason.

The ultimate CSRF hack, when Javascript 2 comes out, might just be to redefine operators to make XML (or even HTML) a valid language.

You could then steal fairly much steal any cross-domain data by doing a script-tag include on an XML/HTML data source.

I really hope someone has thought of this...

Update: I can see that I didn't explain myself very well, so a quick update might be needed.

If you can overload the < and > operators then it might be possible to do so in such a way that HTML or XML becomes a valid bit of Javascript. This is more likely to be possible with known schema like HTML.

So how would this create a huge security hole? Simply because it would allow an attacker to use a script tag to include some HTML and then read the data using a combination of overloaded < and > operators and the Array/Object data stealing methods.

Currently CSRF is restricted to write-only exploits, and the standard way of protecting yourself includes using authentication data in a hidden form field. If an attacker could read this data too, then the standard protection against CSRF would fail. Also you could use this to steal data from intranets and, I'm sure, there are many other options.

The real worry here is that the designers of the language will, in one spec, have to out-smart crackers for a long time to come. Once websites start using the feature, it can't be easily removed.

Tags :
Responses[13] RSS feed for responses to this blog entry
Posted by Joe Walker on 22 March 2007 13:10:15 GMT #


Reply

Re: Operator overloading in Javascript 2 and a potential monster CSRF hole

Comment from Ricky Clarkson on 22 March 2007 13:59:46 GMT #
Why should it be the job of the programming language to filter out bad programmers? Surely that's a recruitment issue.
Reply

Re: Operator overloading in Javascript 2 and a potential monster CSRF hole

Comment from Joe Walker on 22 March 2007 15:03:47 GMT #
I certainly do think it's the job of the language to encourage good programming practices. I think that's one of the reasons that Python is generally liked more than Perl.
Reply

Re: Operator overloading in Javascript 2 and a potential monster CSRF hole

Comment from Ricky Clarkson on 23 March 2007 13:13:58 GMT #
Encouraging is not the same as enforcing. Will the language still be useful if best practices change, or does the language have to change with fashion?
Reply

Re: Operator overloading in Javascript 2 and a potential monster CSRF hole

Comment from Mark Goodwin on 22 March 2007 16:53:10 GMT #

The issue here isn't about whether the language stops programmers from shooting themselves in the foot; it's more about whether the new language feature breaks the web:

Currently, you can make use of script src attributes to perform CSRF on and steal information from applications which provide JSON data at predictable URLs. This is limited to JSON data / valid javascript as the javascript parser will baulk at anything else.

If, however, you're able to override operators such as <, > and / then XML and HTML become potentially valid JavaScript, so you can potentially put hooks into various Javascript constructors (see this post) to steal data in other forms.

Reply

Re: Operator overloading in Javascript 2 and a potential monster CSRF hole

Comment from Neil Mix on 22 March 2007 15:54:18 GMT #
Joe, here's the JavaScript 2 language proposal for operator overloading.

If you still have concerns after reading the proposal, you should drop a note to the discussion list -- I'm sure they'd love to hear your insights.
Reply

Re: Operator overloading in Javascript 2 and a potential monster CSRF hole

Comment from Anonymous on 23 March 2007 09:06:29 GMT #
Hi Joe, I'm sorry if this is off topic. I'm wondering why dwr fails in a virtual shared server environment. It seems that it can't find the javascript files. Any comment?
Reply

Re: Operator overloading in Javascript 2 and a potential monster CSRF hole

Comment from Kris Zyp on 23 March 2007 15:31:33 GMT #
I don't believe operator overloading changes the syntax of JavaScript. It changes the meaning of the operators. The parser (the mechanism to convert the text into an AST) is not affected at all by operator overloading. I tried looking at some examples of html and xml and I believe most xml and html won't make it past the first line. This is partly because it remains constant in JavaScript that < and > are binary operators and not unary operators. It is not explicit in the spec, but it appears that JS2 does NOT provide a mechanism to make a binary operator into a unary operator. Starting an expression with < necessitates that < be an unary operator, and I don't believe that is possible. However, I would agree that the spec should make that clear though.
Reply

Re: Operator overloading in Javascript 2 and a potential monster CSRF hole

Comment from Anonymous on 24 March 2007 20:01:54 GMT #
I would be much more concerned about E4X than JS2 for this. Sure, operator overloading can be used maliciously, but typed code should provide the necessary security.
Reply

Re: Operator overloading in Javascript 2 and a potential monster CSRF hole

Comment from Joe Walker on 24 March 2007 22:03:07 GMT #
Good point about E4X, I'd not thought about that, however see Brendan's reply - it seems that he has ...
Reply

Re: Operator overloading in Javascript 2 and a potential monster CSRF hole

Comment from Joe Walker on 24 March 2007 22:02:10 GMT #
On the EcmaScript4 mailing list Brendan replied as follows:

Hi Joe, you raise a good point about CSRF, but I think it is misdirected against the operator proposal. Have you had a chance to read http://developer.mozilla.org/es4/proposals/operators.html yet? Note that this is not "operator overloading" in the C++ sense. We are not add instance method overloading with dispatch based on argument types as well as the type of the receiver object (the |this| parameter).

See also http://developer.mozilla.org/es4/proposals/normative_grammar.html for how ECMA-357 (E4X) syntax is reserved.

In ES3 + E4X and ES4, / and < either are binary operators, or lexical delimiters introducing regexps and XML literals respectively. This is already implemented in JS1.6+ and AS3. But the role of such characters can't be modified by any static operator method definition -- it is strictly determined by the grammar. In operator position (in an operator precedence parser), / and < are dyadic operators. In operand position, they start distinct lexemes.

Since the only way to define operators is by static class methods, and you can't extend existing classes with new static methods, the only hazard is that one can load E4X using a script tag across origins. This enables CSRF attacks on XML data inside firewalls which may lack any access control because the intranet designers assumed the firewall was enough. Such attacks are not possible with XMLHttpRequest given its current same-origin restricting. This problem is mitigated somewhat by E4X's basis in XML 1.0, its limited support in browsers, and its inability to load schemas or DTDs.

This is one good reason (we have others) for not folding E4X into ES4.

Reply

Re: Operator overloading in Javascript 2 and a potential monster CSRF hole

Comment from chain saw on 31 August 2007 20:17:21 BST #
There has been a lot of talk lately about the standardization of JavaScript. Why is this something that is just now being talked about? I think it would simplify things a lot for people trying to use it. I am surprised that this has not been done before now. If there is not one set way for something as widely used as Java, would not a lot of problems could arise from people doing even the slightest different in anything? Anyone working on it would run into a wall with just one character being any different. And now there is debate about if it should be standardized? How can anyone have any doubts about this? I just do not see the point of anyone not wanting it to be uniform. I can see there could be a lot of problems that could arise from the current standing of the program.
Reply

Re: Operator overloading in Javascript 2 and a potential monster CSRF hole

Comment from Pet portrait artists on 21 December 2007 09:56:22 GMT #
JS has been one of the most confusing and fast-changing languages in the world of programming. Because of this, I had to give it up and pass it on to the younger youths. I believe though that this one is something they might have missed. I’ll be glad to forward your post to our tech team.
Reply

Re: Operator overloading in Javascript 2 and a potential monster CSRF hole

Comment from Jonah Dempcy on 22 April 2008 23:50:13 BST #
I posted an article about overloading functions with type signatures. I guess you could call it a hack, but I think some method overloading is nice, like how jQuery, MooTools or Prototype allow you to provide either the id of an HTML object as a string or a reference to the object itself. That being said, it is by no means a necessary feature and adding additional overhead and boilerplate code for defining functions is a sub-par solution. I guess the solution proposed in my article is best suited for theoretical debate, not production code, but it still makes for an interesting analysis.

Add a comment Send a TrackBack