Fortify Research announced Monday that it has released a report on JavaScript Hijacking. This new class of web vulnerability, according to Fortify, targets Web 2.0 AJAX-style web applications. AJAX stands for Asynchronous JavaScript and XML; you see it on sites like Google, Yahoo, and MSN. Usage is still low, and only a few major websites take advantage of it. With the growth of new development on the web that is bound to change, and because of that, Fortify says, AJAX is at risk.
The problem lies in using JavaScript as a transport without considering security, the report says.
“With recent surveys from McKinsey indicating that almost seventy-five percent of enterprises plan on increasing their investment in Web 2.0 technologies, it is clear that we need to address the issue now,” said Brian Chess, Fortify Software’s co-founder and Chief Scientist.
JavaScript Hijacking appears to be a widespread problem. As part of Fortify’s work, the twelve most popular AJAX frameworks were analyzed, including frameworks from Google, Microsoft, Yahoo, and the open source community. Fortify determined that among them, only Direct Web Remoting (DWR) 2.0 implements mechanisms for preventing JavaScript Hijacking. The other frameworks do not provide any protection nor do they mention any security concerns in their documentation. Even if an application does not use any of the tested frameworks, it may be vulnerable if it contains AJAX components that use JavaScript as a data transfer format for sensitive data.
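The report is quoted above as saying the problem is using JavaScript as a transport without considering security, and that only DWR 2.0 among the tested frameworks ships a countermeasure. The following is an added example, not code from the article, from Fortify's report, or from DWR, showing one widely used defence pattern for a JSON endpoint: refuse requests that a cross-site `<script src>` tag could issue (a plain GET with no custom header), and prepend an unparseable guard prefix to the body so that even a served response cannot be evaluated as a script. The function names, the `for(;;);` prefix and the `X-Requested-With` header convention are assumptions of this example, not details the article specifies.

```javascript
// Added example (not from the Fortify report, this article, or DWR): one
// common defence pattern against JavaScript Hijacking, written as plain
// functions so it runs stand-alone under Node. The prefix value and the
// header convention below are assumptions of this example.

const PREFIX = 'for(;;);'; // assumed guard prefix prepended to every JSON body

// Decide whether a data request should be served. A cross-site <script src>
// tag can only issue a GET and cannot set custom request headers, so requiring
// both a POST and a custom header removes that fetch path while leaving the
// application's own XMLHttpRequest calls unaffected.
function isAllowedRequest(req) {
  if (req.method !== 'POST') return false;
  const hdr = (req.headers['x-requested-with'] || '').toLowerCase();
  return hdr === 'xmlhttprequest';
}

// Serialize data behind the guard prefix. If a response is ever loaded as a
// script anyway, the infinite loop runs first and the JSON literal that
// follows is never evaluated in the attacker's page.
function buildProtectedResponse(data) {
  return PREFIX + JSON.stringify(data);
}

// The legitimate client fetched the body with XMLHttpRequest, so it can read
// the raw text, strip the prefix and parse the remainder. A body without the
// prefix is treated as an error rather than parsed, so the check is enforced
// on both ends.
function parseProtectedResponse(text) {
  if (!text.startsWith(PREFIX)) {
    throw new Error('response missing guard prefix; refusing to parse');
  }
  return JSON.parse(text.slice(PREFIX.length));
}

// Constructed sample traffic (not real accounts or requests).
const sensitive = [{ account: '12345', balance: 42.5 }];
const crossSiteScriptTag = { method: 'GET', headers: {} };
const legitimateXhr = {
  method: 'POST',
  headers: { 'x-requested-with': 'XMLHttpRequest' },
};

// Runs the two checks against the constructed requests and round-trips the
// protected body through the client parser.
function demo() {
  const body = buildProtectedResponse(sensitive);
  return {
    scriptTagServed: isAllowedRequest(crossSiteScriptTag), // false
    xhrServed: isAllowedRequest(legitimateXhr),            // true
    roundTrip: parseProtectedResponse(body),               // equals `sensitive`
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The two halves are complementary: the request check stops the endpoint from answering a script-tag fetch at all, and the prefix limits the damage if a framework or proxy later relaxes that check. Either mechanism on its own would have been enough to stop the basic attack the article describes, which is why a defender normally does both.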
JavaScript-related exploits and attacks on websites have been in the news. MySpace was victimized by the Samy worm, which used AJAX to spread and compromise users' accounts. (It spread by adding itself to people's friends lists. Harmless at first glance, but it demonstrated a serious JavaScript flaw in the website's code.) More recently, JavaScript was used by attackers to plant redirects into legitimate websites, sending users to malicious webpages, and linking to the compromised websites in spam. Each of these examples is related to JavaScript Hijacking.
“Unlike vulnerabilities that are tied to a specific application or operating system, there is no single vendor to which this issue can be reported and resolved. In fact, many rich Web applications don't use any framework at all. As a result, we need to educate software developers about the risk that Web 2.0 brings,” added Chess.
As an example, this vulnerability could open businesses up to malware that allows an attacker to access sensitive information, Fortify said.
“JavaScript Hijacking allows an attacker to pose as the user accessing the Web 2.0 application. Once the attacker successfully emulates the victim, they can read sensitive data transmitted between the application and the browser that uses JavaScript as a transport mechanism. These attackers can then buy and sell goods, trade stocks, adjust security settings for an enterprise network or access and manipulate customer, inventory, and financial information.”
“New technology often leads to new risks and opens unforeseen avenues of malicious attack. Once understood, developers need to ensure the necessary safeguards are in place when they break new ground,” said Jeremiah Grossman, CTO of WhiteHat Security. “Those responsible for the security of Web 2.0 deployments need to take this issue seriously and implement the steps necessary to resolve the issue before the risk results in an incident.”