
Rich Cannings, Himanshu Dwivedi, Zane Lackey, and Alex Stamos

"Hacking Exposed Web 2.0: Web 2.0 Security Secrets and Solutions"


If the simple act of a user checking e-mail or visiting a friend's MySpace page forces
the browser to perform malicious actions on behalf of the user, which then send the
malicious script on to the user's friends, then a JavaScript virus/worm is alive and kicking.
Furthermore, since applications are not able to differentiate between requests that come
from a user versus those that come from XHR requests, it is difficult to distinguish between forced
clicks and legitimate ones.
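As an added example (not from the book), the following server-side classifier shows which signals an application can use to tell a script-driven XHR apart from a user's own request, and where those signals stop helping: a forced request from another site is detectable, but a script already running in the application's own origin can copy every header and token. The origin, session store and header values are assumed sample data.

```javascript
// Request classifier for a web application (added example, not the book's code).
// Demonstrates the signals available to separate user-initiated requests from
// script-initiated XHR, and the case the chapter describes where they fail.
const SITE_ORIGIN = 'https://labs.isecpartners.com'; // assumed application origin

// Simulated session store: session id -> anti-CSRF token bound to that session.
const sessions = new Map([['sess-1', 'tok-9f3a']]); // constructed sample data

function classifyRequest(req) {
  // Normalise header names so lookups are case-insensitive.
  const h = Object.fromEntries(
    Object.entries(req.headers || {}).map(([k, v]) => [k.toLowerCase(), v]));
  const token = sessions.get(req.cookies && req.cookies.sid);
  if (!token) return { allow: false, viaScript: false, reason: 'no session' };

  // 1. Fetch metadata: the browser stamps each request with where it originated.
  //    A request forced from another site arrives marked cross-site.
  if (h['sec-fetch-site'] === 'cross-site')
    return { allow: false, viaScript: true, reason: 'cross-site request' };

  // 2. If an Origin header is present (CORS/XHR and POST), it must be our own.
  if (h['origin'] && h['origin'] !== SITE_ORIGIN)
    return { allow: false, viaScript: true, reason: 'origin mismatch' };

  // 3. State-changing actions need a per-session token that only same-origin
  //    code can read; a remote site cannot obtain it.
  if (req.stateChanging && h['x-csrf-token'] !== token)
    return { allow: false, viaScript: true, reason: 'missing or wrong anti-CSRF token' };

  // 4. XHR can still be recognised (X-Requested-With from common libraries,
  //    Sec-Fetch-Mode 'cors' for XHR versus 'navigate' for a user click), but a
  //    script injected into the same origin passes every check above, so the
  //    application cannot distinguish its requests from the user's real ones.
  const viaScript = h['x-requested-with'] === 'XMLHttpRequest' ||
                    h['sec-fetch-mode'] === 'cors';
  return { allow: true, viaScript,
           reason: viaScript ? 'same-origin script request' : 'user navigation' };
}
```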
To explain the issue further, consider a simple web page that will automatically force the
browser to submit a GET to a URL of the attacker's choice. The following page of JavaScript
uses the XHR function. When a user visits labs.isecpartners.com/HackingExposedWeb20/
XHR.htm, the XHR function will automatically perform GETs on labs.isecpartners.com/
HackingExposedWeb20/isecpartners.htm.

Chapter 4: Malicious JavaScript and AJAX 105
//URL: http://labs.isecpartners.com/HackingExposedWeb20/XHR.htm