Furthermore, there is a malicious web site on a different server, whose creator wants to spy out some secret data. Therefore that page contains a <script> tag with a src attribute pointing to a URL of the above web application,
can only point to the same origin,
Thus, by executing the mentioned <script> tag, the extension is called for each new object or array and has access to the confidential data, which it can send (using another AJAX call) to the malicious web server.
But a number of preconditions must be met:
- A GET request must be possible, since <script> tags always create GET requests.
- The user must visit the malicious web page.
- There must be an open session, or the user has to log in (we all know some users will do this).
- The attacker must know the URL to call. This is the case for public services (like GMail), for applications that always exist on certain web servers (like names.nsf), for known, commonly installed applications (like some widespread CRM products), or if the attacker has insider knowledge.
The new parameter of the ReadViewEntries URL command, which was introduced in Domino 7.0.2, is not affected, since it always returns
But for self-created JSON, perhaps in agents or HTML views, you should check whether you need to prevent this.
There are (at least) two methods to protect
response, which cannot be executed directly. For example, you prepend while(true); to the answer. In your client-side application you can easily modify the response before evaluating it: you could cut out the first line, or just prepend //, thus making the first line a comment.