AJAX - The Complete Reference

PART II


Chapter 7: Security Concerns 317


new feature to alert the third character of any string you could simply add the new function
to the String object like so:

String.prototype.at3 = function (){alert(this.charAt(2));};
/* remember arrays are zero based */

Now if I have a string defined I can access this method at any time.

var myName = "Thomas";
myName.at3(); // shows the letter o

If you know JavaScript well, you are likely familiar with the use of the prototype
property and acknowledge that this is a core aspect of the language. However, when a hacker
sees this feature, what interests them is overriding or extending the features of objects you
trust, such as the XMLHttpRequest object, as shown here:

/* Define the replacement methods first. The var declarations are hoisted but
   their function values are not, so assigning them to the prototype before
   this point would install undefined instead of the wrappers. */
var myOpen = function(method, url, async, user, password)
{
    alert(url); // or send the data some place
    this.originalOpen(method, url, async, user, password);
};

var mySetRequestHeader = function(header, value)
{
    alert(header + ": " + value); // or send the data some place
    this.originalSetRequestHeader(header, value);
};

var mySend = function(a)
{
    alert(a); // the request body
    var xhr = this;
    var onload = function() { alert(xhr.responseText); };
    var onerror = function() { alert(xhr.status); };

    xhr.addEventListener("load", onload, false);
    xhr.addEventListener("error", onerror, false);
    xhr.originalSend(a);
};

/* Keep references to the native methods, then install the wrappers */
XMLHttpRequest.prototype.originalOpen = XMLHttpRequest.prototype.open;
XMLHttpRequest.prototype.open = myOpen;
XMLHttpRequest.prototype.originalSetRequestHeader =
    XMLHttpRequest.prototype.setRequestHeader;
XMLHttpRequest.prototype.setRequestHeader = mySetRequestHeader;
XMLHttpRequest.prototype.originalSend = XMLHttpRequest.prototype.send;
XMLHttpRequest.prototype.send = mySend;

This proof of concept code only alerts the values sent and potentially received, but it
would be easy enough to transmit them to some other location. In some browsers you will
see this technique work partially (http://ajaxref.com/ch7/xhrhijackpartial.html). It should
be particularly interesting to note that because Internet Explorer 6 browsers don’t use a
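The following is an added example, not code from the book, showing the defender's side of the prototype-overriding technique above: a page-side check that the methods it trusts are still the original native functions, and a way to lock them so a later assignment such as `XMLHttpRequest.prototype.open = myOpen` has no effect. Because `XMLHttpRequest` does not exist in Node.js, the walkthrough applies the same functions to `String.prototype` (a real built-in) and to a constructed stand-in object named `fakeXhrProto`; the function names `isNativeFunction`, `snapshotPrototype`, `findTamperedMethods`, `lockMethods` and `attemptReplace` are this example's own.

```javascript
// Added example, not from the book. The hijack shown in the text replaces
// XMLHttpRequest.prototype.open/setRequestHeader/send with JavaScript wrappers.
// A wrapper is a different function object from the native one, and the output
// of Function.prototype.toString for it lacks the "[native code]" body, which
// gives a page two things to check. XMLHttpRequest is absent in Node.js, so
// the demo below uses String.prototype and a constructed stand-in object.

// True only for built-in functions; calls the original toString directly so a
// replaced fn.toString cannot forge the result.
function isNativeFunction(fn) {
  if (typeof fn !== "function") return false;
  return /\{\s*\[native code\]\s*\}$/.test(Function.prototype.toString.call(fn));
}

// Record the trusted methods as early as possible (first script on the page,
// before any third-party or injected script has run).
function snapshotPrototype(proto, names) {
  const snapshot = Object.create(null);
  for (const name of names) snapshot[name] = proto[name];
  return snapshot;
}

// Later (for example just before a sensitive request) compare the live
// prototype with the snapshot; report any method that was swapped or that is
// no longer a native function.
function findTamperedMethods(proto, snapshot) {
  const tampered = [];
  for (const name of Object.keys(snapshot)) {
    const current = proto[name];
    if (current !== snapshot[name] || !isNativeFunction(current)) tampered.push(name);
  }
  return tampered;
}

// Preventive option: make the trusted methods non-writable and non-configurable,
// so a later `proto.open = myOpen` is ignored (or throws under "use strict").
function lockMethods(proto, names) {
  for (const name of names) {
    Object.defineProperty(proto, name, {
      value: proto[name], writable: false, configurable: false,
    });
  }
  return proto;
}

// Try to overwrite a method the way the hijack does; true if it took effect.
function attemptReplace(proto, name, replacement) {
  try { proto[name] = replacement; } catch (e) { /* TypeError in strict mode */ }
  return proto[name] === replacement;
}

function demo() {
  // 1. Detection on a real built-in prototype.
  const watched = ["charAt", "indexOf"];
  const snapshot = snapshotPrototype(String.prototype, watched);
  const before = findTamperedMethods(String.prototype, snapshot);   // []

  // Wrap charAt the same way the book wraps open(), then check again.
  const nativeCharAt = String.prototype.charAt;
  String.prototype.charAt = function (i) { return nativeCharAt.call(this, i); };
  const after = findTamperedMethods(String.prototype, snapshot);    // ["charAt"]
  String.prototype.charAt = nativeCharAt;                            // restore

  // 2. Prevention on a constructed stand-in for XMLHttpRequest.prototype.
  const fakeXhrProto = { open: function () { return "native open"; } }; // constructed
  lockMethods(fakeXhrProto, ["open"]);
  const replaced = attemptReplace(fakeXhrProto, "open", function () { return "hijacked"; });
  const lockHeld = !replaced && fakeXhrProto.open() === "native open";

  return { before, after, lockHeld };
}
```

Both checks run in the same JavaScript context as any injected script, so a script that executes before the snapshot is taken, or that redefines `Function.prototype.toString` or `Object.defineProperty` first, defeats them; they are defense in depth behind the primary control of keeping untrusted script out of the page (output encoding and a Content Security Policy). Locking the methods also breaks legitimate libraries that instrument XMLHttpRequest, so it has to be decided per page.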