
GIF89a Ajax Binary Hacks

GIF89a Ajax Binary Hacks: how to break the same-origin policy (parallelize cross-domain access). id:TAKESAKO, Cybozu Labs, Inc. <takesako@shibuya.pl>. A GIF89a binary image object used as an AJAX communications protocol.


Presentation Transcript


  1. GIF89a Ajax Binary Hacks - How to break same-origin-policy - id:TAKESAKO Cybozu Labs, Inc. <takesako@shibuya.pl>

  2. Ajax GIF89a: How to break the same-origin policy (parallelize cross-domain access). GIF89a Binary Image Object for AJAX communications Protocol

  3. How to do cross-domain access with Ajax
      • 1. XMLHttpRequest (XHR) + local proxy
        • XHR doesn't support cross-domain access.
        • A local proxy works around the cross-domain restriction.
        • Performance problem (proxy overhead)
        • Security problem (open proxy)
      • 2. Flash + crossdomain.xml
        • e.g. the SocketJS implementation
      • 3. JSONP
        • <script src="*.js?callback=func"></script>
      • 4. GIF89a Binary Image Object
        • Parallelize cross-domain access

  4. (1)

  5. XMLHttpRequest (XHR) + local proxy
      • XHR
        • doesn't support cross-domain access.
      • Local proxy
        • works around the cross-domain restriction.
      • Problems
        • Performance problem (proxy overhead…)
        • Security problem (open proxy…)

  6. (2)

  7. Flash Player's cross-domain policy
      • http://server/crossdomain.xml

      <?xml version="1.0"?>
      <!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
      <cross-domain-policy>
        <allow-access-from domain="*" />
      </cross-domain-policy>

  8. (3)

  9. About JSONP
      (1) Define a JS callback function

          function callback(data) {
              // … do action
          }

      (2) Create a script element via JavaScript/DOM

          <script src="http://example.com/data.json?jsonp=callback" />

      (3) Response from the server (response data)

          callback( { foo: 'This is foo.', bar: 'This is bar.', moe: 'This is moe.' } );

  10. (4)

  11. GIF89a cross-domain access protocol
      (1) Define a JS callback function (like JSONP)

          function callback(data) {
              // … do action
          }

      (2) Create a new Image object; the callback receives the GIF image size!

          <img src="null.gif?q=param" onload="callback(this.width)">

      A CGI is fine as the server side: http://example.com/webapi/null.gif?q=foobar

  12. Returns 2 x 16 = 32 bits (across domains)
      • Server-side program (Perl example)

      #!/usr/bin/perl
      use strict;
      use warnings;

      # Width and height go into the GIF logical screen descriptor (2 x 16 bits).
      # GIF stores them little-endian, so pack with "v2"; the native-order "S2"
      # only gives the same bytes on little-endian hosts.
      sub create_gif {
          my $size = pack "v2", @_;
          return "GIF89a$size\xf0\x00\x00\x00\x00\x00\xff\xff\xff,"   # signature, screen descriptor, 2-colour map, image separator
               . "\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02L\x01\x00;"; # 1x1 image descriptor + data, trailer
      }

      binmode(*STDOUT);  # emit raw bytes, no newline translation
      print "Content-Length: 35\n";
      print "Content-Type: image/gif\n\n";
      print create_gif(65535, 65535);
      1;

  13. Classical C example (old style)

      #include <stdio.h>

      /* HTTP headers for the fixed 35-byte GIF body. */
      #define print_gif_head() do { \
          printf( \
              "Content-Length: 35\n" \
              "Content-Type: image/gif\n" \
              "\n"); \
      } while (0)

      /* x and y (16 bits each, little-endian) become the logical screen size. */
      #define print_gif_body(x,y) do { \
          putchar('G'); putchar('I'); putchar('F'); putchar('8'); putchar('9'); putchar('a'); \
          putchar(0xff & (x)); putchar(0xff & ((x) >> 8)); \
          putchar(0xff & (y)); putchar(0xff & ((y) >> 8)); \
          putchar(0xf0); putchar(0x00); putchar(0x00);              /* packed flags, background, aspect */ \
          putchar(0x00); putchar(0x00); putchar(0x00);              /* colour 0: black */ \
          putchar(0xff); putchar(0xff); putchar(0xff);              /* colour 1: white */ \
          putchar(',');                                             /* image separator */ \
          putchar(0x00); putchar(0x00); putchar(0x00); putchar(0x00); /* left, top */ \
          putchar(0x01); putchar(0x00); putchar(0x01); putchar(0x00); /* 1 x 1 */ \
          putchar(0x00);                                            /* no local colour map */ \
          putchar(0x02); putchar(0x02); putchar('L'); putchar(0x01); putchar(0x00); /* LZW data */ \
          putchar(';');                                             /* trailer */ \
      } while (0)

      int main(void) { print_gif_head(); print_gif_body(65535, 65535); return 0; }

  14. It works!

  15. GIF89a - Cross browser technique

      20 byte                            35 byte
      +-----------------------+          +-----------------------+
      | +-------------------+ |          | +-------------------+ |
      | | GIF Signature     | |          | | GIF Signature     | |  5byte (GIF89a)
      | +-------------------+ |          | +-------------------+ |
      | +-------------------+ |          | +-------------------+ |
      | | Screen Descriptor | |          | | Screen Descriptor | |  7 byte (width x height)
      | +-------------------+ |          | +-------------------+ |
      | +-------------------+ |          | +-------------------+ |
      | | Global Color Map  | |          | | Global Color Map  | |  6 byte (2 colors)
      | +-------------------+ |          | +-------------------+ |
      |-   GIF Terminator  -  |          | +-------------------+ |
      +-----------------------+          | | IMAGE DESCRIPTOR  | |  15 byte (1 x 1)
                                         | +-------------------+ |
                                         |-   GIF Terminator  -  |  1 byte (;)
                                         +-----------------------+

      IE cannot load a GIF that consists of only the header (the 20-byte form); the 35-byte form with a 1 x 1 image descriptor works across browsers.
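The server-side encoder from slides 12 and 13 and the client-side decode from slide 11 (the onload handler reading this.width and this.height), as an added example that is not part of the original presentation. The Python below rebuilds the same 35-byte carrier, generalizes it to a 32-bit payload split over width and height, and checks the structure from the slide 15 diagram before trusting the size fields; function names are my own.

```python
import struct

# Fixed tail of the 35-byte GIF: packed flags 0xf0, background index,
# aspect ratio, a 2-colour global colour map, then the 1x1 image block
# and the ';' trailer (bytes taken from the Perl/C slides).
GIF_AFTER_SIZE = (b"\xf0\x00\x00" b"\x00\x00\x00\xff\xff\xff"
                  b",\x00\x00\x00\x00\x01\x00\x01\x00\x00"
                  b"\x02\x02L\x01\x00;")


def create_gif(width, height):
    """Build the GIF89a carrier whose logical screen size holds two 16-bit values."""
    if not (0 <= width <= 0xFFFF and 0 <= height <= 0xFFFF):
        raise ValueError("each size field carries at most 16 bits")
    # GIF stores width and height little-endian, hence "<HH".
    return b"GIF89a" + struct.pack("<HH", width, height) + GIF_AFTER_SIZE


def encode_u32(value):
    """Split one 32-bit value over width (high half) and height (low half)."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("payload must fit in 32 bits")
    return create_gif(value >> 16, value & 0xFFFF)


def decode_gif_size(data):
    """Stand-in for the browser: return (this.width, this.height) from the bytes.

    Only accepts the exact 35-byte layout of slide 15, so a response that is
    not this carrier (error page, truncated body) is rejected, not decoded.
    """
    if len(data) != 35 or data[:6] != b"GIF89a" or data[-1:] != b";":
        raise ValueError("not the 35-byte GIF89a carrier")
    if data[10] != 0xF0 or data[19:20] != b",":
        raise ValueError("unexpected screen descriptor or image separator")
    width, height = struct.unpack("<HH", data[6:10])
    return width, height


def decode_u32(data):
    """Reassemble the 32-bit payload the server packed with encode_u32()."""
    width, height = decode_gif_size(data)
    return (width << 16) | height


if __name__ == "__main__":
    gif = encode_u32(0xDEADBEEF)  # constructed sample payload
    print(len(gif), decode_gif_size(gif), hex(decode_u32(gif)))
```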

  16. Good old days technology for AJAX 2.0
      • GIF
        • GIF87a (1987-)
        • GIF89a (1989-)
      • XML
        • W3C (1998-)
      • JSON
        • RFC 4627 (2006-)
      20 years ago… Binary LOVE
