AJAX - The Complete Reference


324 Part II: Developing an Ajax Library


they use CSRF to have the user make requests at Google like so http://www.google.com/search?hl=en&q=Super+Bad+Thing. Now, instead of the query for “Super Bad Thing”, how about issuing a query for something extremely inappropriate related to criminal, terrorist, or extremely socially unacceptable activity? We’ll let your imagination fill in the type of query, but this might be used to frame or harass sites or individuals in a gas-lighting manner. They might even request large downloads from a site to waste a target site’s bandwidth or resources. There seems to be endless opportunity for mischief making.

The idea of CSRF seems so innocuous—shouldn’t you be able to issue a request like <img src="http://ajaxref.com/images/logo.gif" /> or <script src="http://ajaxref.com/lib/lib.js">? It would seem that is the heart of linking, but as you will see shortly, not all links are good, and with certain types of payloads they can be quite dangerous indeed.

So let’s move away from the abstract attack to the specific CSRF attack that relates to Ajax and its currently favored data type, JSON.

CSRF Attacks on JSON, JSONP and Script Responses


As you should recall from Chapter 4, JSON (JavaScript Object Notation) is a compact and easy-to-use data format growing in popularity with Ajax applications. It also, unfortunately, can be abused. For example, log in to the AjaxBank example at http://ajaxref.com/ch7/jsonarray.php and you might retrieve your bank account information using an Ajax request that returns a JSON array payload shown here:

You could trigger a request to http://ajaxref.com/ch7/getaccounts.php in a variety of ways, including a <script> tag. The hacker knows this and posts content, either directly or using the DOM, to an exploited page like so:

<script src="http://ajaxref.com/ch7/getaccounts.php" type="text/javascript"></script>

Such a request then returns the array payload shown previously, since the browser sends any credentials (such as cookies) currently held by the user: the <script> tag executes within the user's trust context, not the attacker's.
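The defensive counterpart to the attack just described, as an added example that is not code from the book or from the ajaxref.com samples: a JSON endpoint can refuse requests that arrive via a cross-site <script> include and can shape its response so that a script include cannot execute it at all. The handler below is a framework-free stand-in for a getaccounts-style endpoint; the header checks rely on the fact that a <script src> request cannot carry the custom X-Requested-With header that the site's own XMLHttpRequest calls add, and the response is wrapped in a prefix that is a JavaScript syntax error but is trivially stripped by the legitimate client before JSON.parse. The account records, the allowed origin and the header names are constructed for the example.

```javascript
// Added example (not from the book). Hardening a JSON endpoint against
// <script>-tag CSRF/JSON hijacking: request checks plus a non-executable body.

// A prefix that makes the body a JavaScript syntax error when loaded as a
// script, while the site's own XHR client strips it before parsing.
const GUARD_PREFIX = ")]}',\n";

// Constructed sample data standing in for the bank's account records.
const SAMPLE_ACCOUNTS = [
  { number: "1001", balance: 250.0 },
  { number: "1002", balance: 1200.5 },
];

// Return true only for requests that look like the site's own Ajax calls.
// `headers` is a plain object with lower-cased header names, as Node's http
// module provides. A <script src> include cannot set X-Requested-With, and
// modern browsers mark it with Sec-Fetch-Dest: script.
function isTrustedAjaxRequest(headers, allowedOrigin) {
  const xrw = String(headers["x-requested-with"] || "").toLowerCase();
  if (xrw !== "xmlhttprequest") return false;
  if (headers["sec-fetch-dest"] === "script") return false;
  // Origin is not always present on GET, so only reject a mismatch, never its absence.
  const origin = headers["origin"];
  if (origin !== undefined && origin !== allowedOrigin) return false;
  return true;
}

// Wrap the payload in an object (never a bare array) and prepend the guard.
function buildGuardedResponse(accounts) {
  return GUARD_PREFIX + JSON.stringify({ accounts });
}

// Client-side counterpart: strip the guard and parse what remains.
function parseGuardedResponse(body) {
  if (!body.startsWith(GUARD_PREFIX)) {
    throw new Error("response is missing the guard prefix");
  }
  return JSON.parse(body.slice(GUARD_PREFIX.length));
}

// The endpoint handler, kept framework-free so it can be unit-tested directly.
// Returns { status, contentType, body } for the given request headers.
function handleAccountsRequest(headers, allowedOrigin, accounts) {
  if (!isTrustedAjaxRequest(headers, allowedOrigin)) {
    return {
      status: 403,
      contentType: "application/json",
      body: GUARD_PREFIX + JSON.stringify({ error: "forbidden" }),
    };
  }
  return {
    status: 200,
    contentType: "application/json",
    body: buildGuardedResponse(accounts),
  };
}

// Show that the guarded body is not runnable as a script: compiling it with
// the Function constructor must throw a SyntaxError (nothing is executed).
function isExecutableAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    return !(e instanceof SyntaxError);
  }
}

// Constructed requests: what the attacker's <script> include looks like versus
// the site's own XMLHttpRequest.
const SCRIPT_TAG_HEADERS = { cookie: "session=abc", "sec-fetch-dest": "script" };
const OWN_XHR_HEADERS = {
  cookie: "session=abc",
  "x-requested-with": "XMLHttpRequest",
  origin: "http://ajaxref.com",
};
```

The script-tag request is rejected with 403, and even the 200 body for the legitimate XHR cannot be executed by a script include because it begins with a syntax error; the client unwraps it with parseGuardedResponse. Returning an object rather than a bare array is a second layer: a top-level object literal is not a valid program on its own, whereas a bare array literal is.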