Javascript Hijacking

Overview

JavaScript Hijacking (sometimes referred to as JSON hijacking) is an attack that targets confidential information transferred using JavaScript (as is the case with AJAX). It potentially allows an unauthorised attacker to view the information being communicated.

What makes a site vulnerable?

The attack exploits a loophole in the Same Origin Policy, which permits JavaScript from any website to be included and executed in the context of pages retrieved from any other website. The policy does not allow the including website to read the script's source directly. However, that website may be able to execute the JavaScript in such a way that its contents are revealed or inferred. This allows the attacker to discover private user information contained in a JavaScript reply from an AJAX-enabled website. To obtain that reply, the attacker must first cause a forged user request to be submitted to the website, which can be achieved via a cross-site request forgery attack.

Impact of the attack

In combination with a CSRF attack, successful JavaScript hijacking allows an attacker to control an AJAX-based communications channel with the user's credentials. By observing the received communications the attacker can learn the user's private details, contact information and financial information. The attacker may also be able to modify this information, but that would be achieved by the cross-site request forgery rather than by the JavaScript hijacking component. The vulnerability permitting JavaScript hijacking appears to be present only in Mozilla-based browsers (such as Firefox).

Preventing the attack

One method of prevention is to avoid using JavaScript as a data transport mechanism where possible; traditional (non-JavaScript) communication is not vulnerable to JavaScript hijacking. Standard techniques for preventing cross-site request forgery also prevent the attack, such as one-time tokens (which can be stored in the session cookie, to which the attacker's site is forbidden access by the Same Origin Policy). JavaScript hijacking relies on the attacker's website being able to execute the JavaScript it receives. If the JavaScript sent by the site is made non-executable, the attacker cannot run it and so cannot infer its contents.
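The last defence above, making the reply non-executable, as an added example that is not part of the original page: the server prefixes its JSON with a fragment that is a syntax error when loaded as a script, the legitimate same-origin client strips that prefix before parsing, and a defender's check confirms a reply no longer compiles as JavaScript. The prefix string and function names are assumptions chosen for this example.

```javascript
// Added example (not from the original page). Prefix the JSON reply so that
// a cross-site <script> include of the response fails to compile, while a
// same-origin XHR/fetch caller can still recover the data.
const ANTI_HIJACK_PREFIX = ")]}',\n"; // constructed; any unparsable fragment works

// Server side: wrap the payload and send it with a non-script MIME type.
function encodeProtectedJson(payload) {
  return {
    body: ANTI_HIJACK_PREFIX + JSON.stringify(payload),
    headers: {
      "Content-Type": "application/json; charset=utf-8",
      "X-Content-Type-Options": "nosniff",
    },
  };
}

// Client side (legitimate same-origin caller): strip the prefix, then parse.
function decodeProtectedJson(body) {
  if (!body.startsWith(ANTI_HIJACK_PREFIX)) {
    throw new Error("unexpected response framing");
  }
  return JSON.parse(body.slice(ANTI_HIJACK_PREFIX.length));
}

// Defender's check: does this response body compile as a JavaScript program?
// A bare JSON array does, which is what makes it hijackable; the prefixed
// body does not. new Function only compiles the text, it never executes it.
// This detects syntactic non-executability only (a "while(1);" prefix, for
// instance, still compiles and relies on a different mechanism).
function isExecutableAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}
```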