The exploit combines Cross Site Request Forgery (CSRF) with a JSON Array hack allowing an evil site to grab sensitive user data from an unsuspecting user. The hack involves redefining the Array constructor, which is totally legal in Javascript.

http://haacked.com/archive/2008/11/20/anatomy-of-a-subtle-json-vulnerability.aspx

I’ve found a while ago that you can put pretty much any URL on a script tag and the browser will download the content right away, whether it’s javascript or not, as long as the type attribute in the tag is set to ‘text/javascript’.  But although browsers download the URL content and place it inside the script tag, you can’t get to the content from Javascript (using innerHTML, for instance). Or can you? Apparently, Firebug can, at least on the HTML tab. I’m not sure if Firebug has direct access to the DOM, other than through Javascript, but I hope that is the case.

Related Posts:

• February 19, 2010 -- Having fun with Mooml & Twitter (0)
• July 30, 2010 -- Titanium Developer: love and hate (2)
• July 20, 2010 -- Little tricks: string padding in Javascript (2)
• July 1, 2010 -- Little tricks: editing strings by index in Javascript and Python (1)

Good to know :)

Related Posts:

• January 19, 2010 -- Firefox 3.6RC2 & Firebug 1.6a (0)
• November 30, 2008 -- Injecting javascript with Firebug (0)
• May 14, 2010 -- Interesting JSON vulnerability (old stuff) (0)
• January 27, 2010 -- Detecting when CSS gets loaded by the browser with Mootools and Asset.css (0)

Either way, don’t miss Firefox 3.6RC2 with Firebug 1.6a!
http://www.mozilla.com/en-US/firefox/3.6rc2/releasenotes/
http://getfirebug.com/releases/firebug/1.6X/

Related Posts:

• January 20, 2010 -- Debugging cookies with Firebug 1.5/1.6 (0)
• November 30, 2008 -- Injecting javascript with Firebug (0)
• May 14, 2010 -- Interesting JSON vulnerability (old stuff) (0)
• January 27, 2010 -- Detecting when CSS gets loaded by the browser with Mootools and Asset.css (0)

Here is the code I used to highlight the fields (I had to do it in prototype only):

Prototype JS:

jQuery:

$('div').css('border', 'solid 1px red');

Mootools:

" style="vertical-align:-20%;" class="tex" alt="('div').each(function(item){  $(item).setStyle({ border: 'solid 1px red' });});

jQuery:

$('div').css('border', 'solid 1px red');

Mootools:

" />('div').setStyle('border', 'solid 1px red');

PS: Note that by adding a 1px border to all divs in the page, the page layout will be affected and some items may display improperly. Of course, you can use other colors than red :)

Related Posts:

• November 30, 2008 -- Injecting javascript with Firebug (0)
• September 2, 2009 -- Creating HTML blocks with Mootools (3)
• November 29, 2008 -- JS.Class: a very nice object oriented approach (0)
• May 14, 2010 -- Interesting JSON vulnerability (old stuff) (0)

Here I am loading the jQuery library from my own server, but I could load any Javascript from any server on the net. The best is this will work on any website, whenever you have access to the server or not. Once you have the Javascript loaded you can use it right away. For example, here on this blog I could use jQuery to check how the header will look if its height was only 100px by running the next command on the console:

Yep, it won’t look very good, right? Try it! You have to see it by yourself. Firefox is great. Firebug is awesome. And Firebug’s Javascript console is the best thing ever!
PS: In case you are wondering, the Javascript file injected will exist only on the current browser session.

Related Posts:

• December 2, 2008 -- Highlighting elements with Firebug console (0)
• January 20, 2010 -- Debugging cookies with Firebug 1.5/1.6 (0)
• January 19, 2010 -- Firefox 3.6RC2 & Firebug 1.6a (0)
• May 14, 2010 -- Interesting JSON vulnerability (old stuff) (0)