Hi Stefano,

Yes, we are aware of your paper, but we intentionally chose to omit the
reference because we are quite snobby.  I'm joking!  I hadn't seen your
paper previously.  It was a good read.

The difference between what you discuss and JavaScript Hijacking is that we
do not assume the presence of another defect.  JavaScript Hijacking does not
require the existence of a cross-site scripting vulnerability or the like.
It's a new attack technique (and a new vulnerable code pattern), not a new
method for exploiting an existing class of vulnerabilities.


> From: Stefano Di Paola <[EMAIL PROTECTED]>
> Date: Mon, 02 Apr 2007 11:11:24 +0200
> To: "sc-l@securecoding.org" <sc-l@securecoding.org>
> Cc: Brian Chess <[EMAIL PROTECTED]>
> Subject: Re: [SC-L] JavaScript Hijacking
> Brian,
> i don't know if you read it but me and Giorgio Fedon presented a paper
> named "Subverting Ajax" at 23rd CCC Congress.
> (4th section XSS Prototype Hijacking)
> http://events.ccc.de/congress/2006/Fahrplan/attachments/1158-Subverting_Ajax.p
> df
> It described a technique called Prototype Hijacking, which is about
> overriding methods and attributes by using contructors and prototyping.
> It was described how to override XMLHttprequest object, but it was
> stated that it could be applied to every prototype.
> If you didn't read it, please read it and add some reference to your
> paper.
> If you read it:
> - i think we deserve at least reference to our paper.
> - even if you covered JSON hijacking, the technique is the same and the
> name (Javascript Hijacking) is quite similar.
> Regards,
> Stefano

Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.

Reply via email to