Hi Stefano, Yes, we are aware of your paper, but we intentionally chose to omit the reference because we are quite snobby. I'm joking! I hadn't seen your paper previously. It was a good read.
The difference between what you discuss and JavaScript Hijacking is that we do not assume the presence of another defect. JavaScript Hijacking does not require the existence of a cross-site scripting vulnerability or the like. It's a new attack technique (and a new vulnerable code pattern), not a new method for exploiting an existing class of vulnerabilities.

Thanks,
Brian

> From: Stefano Di Paola <[EMAIL PROTECTED]>
> Date: Mon, 02 Apr 2007 11:11:24 +0200
> To: "sc-l@securecoding.org" <sc-l@securecoding.org>
> Cc: Brian Chess <[EMAIL PROTECTED]>
> Subject: Re: [SC-L] JavaScript Hijacking
>
> Brian,
>
> I don't know if you read it, but Giorgio Fedon and I presented a paper
> named "Subverting Ajax" at the 23rd CCC Congress.
> (4th section XSS Prototype Hijacking)
> http://events.ccc.de/congress/2006/Fahrplan/attachments/1158-Subverting_Ajax.pdf
>
> It described a technique called Prototype Hijacking, which is about
> overriding methods and attributes by using constructors and prototyping.
> It was described how to override the XMLHttpRequest object, but it was
> stated that it could be applied to every prototype.
>
> If you didn't read it, please read it and add some reference to your
> paper.
> If you read it:
> - I think we deserve at least a reference to our paper.
> - even if you covered JSON hijacking, the technique is the same and the
> name (JavaScript Hijacking) is quite similar.
>
> Regards,
>
> Stefano
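As an added illustration, not part of either author's message, of the "vulnerable code pattern" Brian distinguishes above: a JSON response is exposed to cross-site script inclusion only when its body is also valid JavaScript program text, so an audit can check exactly that property, and a response can be hardened with an unparseable prefix that a same-origin XHR client strips before parsing. The function names, the prefix string and the sample bodies are assumptions constructed for this example.

```javascript
// Added example (not from the SC-L thread): audit check and mitigation for the
// JavaScript Hijacking code pattern. Names and sample data are constructed here.

const SAFE_PREFIX = ")]}',\n"; // a deliberately unparseable JavaScript prefix

// True when the body would compile as JavaScript, i.e. a cross-site <script src>
// pointing at the endpoint could execute it. This only compiles; nothing is run.
function isExecutableAsScript(body) {
  try {
    new Function(body); // compile as a function body without invoking it
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Server side: serialize data behind the prefix so a script tag cannot parse it.
function hardenJsonBody(value) {
  return SAFE_PREFIX + JSON.stringify(value);
}

// Client side: a same-origin XHR sees the raw text, strips the prefix, then parses.
function parseHardenedJson(body) {
  if (!body.startsWith(SAFE_PREFIX)) {
    throw new Error("response lacks the anti-hijacking prefix");
  }
  return JSON.parse(body.slice(SAFE_PREFIX.length));
}

// Audit a list of candidate response bodies and flag those matching the pattern.
function auditResponses(bodies) {
  return bodies.map((body) => ({ body, executable: isExecutableAsScript(body) }));
}

// Constructed samples: a bare array literal (the classic hijackable shape), a bare
// object literal (a SyntaxError as a statement, since "user": is not a valid label),
// and the same array behind the prefix.
const record = { user: "alice", email: "alice@example.test" };
const samples = [
  JSON.stringify([record]),
  JSON.stringify(record),
  hardenJsonBody([record]),
];

for (const r of auditResponses(samples)) {
  const tag = r.executable ? "EXECUTABLE (hijackable)" : "not executable         ";
  console.log(tag, JSON.stringify(r.body));
}
```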