What is a cross-site E4X hijacking attack?

General discussion about the NoScript extension for Firefox
Post Reply
luntrus
Senior Member
Posts: 237
Joined: Sat Mar 21, 2009 6:29 pm

What is a cross-site E4X hijacking attack?

Post by luntrus » Thu Oct 15, 2009 9:27 pm

Hi forum friends,

I went here: http://popwatch.ew.com/2009/10/14/john- ... nniversar/
I saw this in the error console:
Error: [Exception... "'NoScript aborted redirection to http://img2-short.timeinc.net/ew/static ... js?ver=MU' when calling method: [nsIChannelEventSink::onChannelRedirect]" nsresult: "0x8057001e (NS_ERROR_XPC_JS_THREW_STRING)" location: "<unknown>" data: no]
====================
[NoScript] Potential cross-site E4X hijacking detected and blocked (http://www.ew.com/ew/js/main/0,,,00.js?ver=MU)

The site, that one at popwatch gives me a ghostery alert for 6 trackers, yes 6...

AddThis
QuantCast
Quigo AdSonar
Revenue Science
Tacoda
Wordpress Stats

RequestPolicy report a secret link from Wordpress.com to TimeInc.net

Just was curious enough to look under the hood, found this as background info:
http://www.thespanner.co.uk/2009/02/24/ ... hijacking/

luntrus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.3a1pre) Gecko/20090929 Minefield/3.7a1pre

User avatar
Giorgio Maone
Site Admin
Posts: 8830
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: What is a cross-site E4X hijacking attack?

Post by Giorgio Maone » Fri Oct 16, 2009 11:07 am

E4X support may theoretically be exploited to read the content of XHTML documents cross-domain by using a <script> element, violating the same domain policy.
Thereofore NoScript blocks any markup document being loaded as a script.
In this case, though, this feature has been triggered because the original script request has been redirected using a non-empty XHTML response, instead of just the header.
This is not a correct behavior by the server, IMHO, however I'm changing hijack checks to work on final non-error responses only (i.e. 2xx status codes), rather than trigger on error or redirection pages like in this case.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)

Post Reply