Network Security & Hardware - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


AJAX Apps Ripe Targets for JavaScript Hijacking



 By: Lisa Vaas
2007-04-02
Article Rating:starstarstarstarstar / 1


There are 0 user comments on this Network Security & Hardware story.


  Table of Contents:
  1. AJAX Apps Ripe Targets for JavaScript Hijacking
  2. ' Finding a Way In '
  3. ' How It Came to '

Rate This Article:
Poor Best
AJAX Apps Ripe Targets for JavaScript Hijacking
( Page 1 of 3 )

A pervasive vulnerability that allows an attacker to take over any Web browser and silently intercept sensitive data input occurs in Web 2.0 settings from Yahoo to ASP .Net to Google, security firm Fortify says.Fortify Software has documented what the security firm is calling a "pervasive and critical" vulnerability in Web 2.0 applications—specifically, in the ability of an attacker to use a JavaScript vulnerability to steal critical data by emulating unsuspecting users.

The vulnerability—which allows an exploit called JavaScript Hijacking—can be found in the biggest AJAX frameworks out there, including three server-integrated toolkits: Microsoft ASP.Net AJAX (aka Atlas), Google Web Toolkit and xajax—the last of which is an open-source PHP-class library implementation of AJAX.

Client-side libraries that Fortify inspected and found to be vulnerable are the Yahoo UI, Prototype, Script.aculo.us, Dojo, Moo.fx, jQuery, Rico and MochiKit.

Of the AJAX frameworks and client-side libraries Fortify inspected, only DWR 2.0 (Direct Web Remoting 2.0) has mechanisms to prevent JavaScript Hijacking.

Resource Library:
That isnt surprising, given that Joe Walker, who developed DWR, wrote about the JavaScript Hijacking flaw in early March.

According to Fortify, the other AJAX frameworks dont explicitly provide any protection, nor do their documentation materials mention the vulnerability as a security concern.

Brian Chess, Fortify Softwares co-founder and Chief Scientist, told eWEEK that the security firm is getting a ho-hum reaction from some regarding the news, since JavaScript has never been considered to be safe anyway.

"Everybody hears, Oh, theres a JavaScript security problem, and everybody says, Oh yeah, everybody knows JavaScript is a security concern in itself," Chess said.

This, however, is the first type of JavaScript problem that Chess knows of that specifically targets AJAX-style and Web 2.0-style applications, he said.

Click here to read more about JavaScript security concerns.

Whats happening, Chess said, is that AJAX-style applications are dropping the X off of AJAX, which stands for Asynchronous JavaScript and XML. Thus, the applications are doing all their work in JavaScript, particularly using it as their data transport format.

The gotcha is that Web browsers dont protect JavaScript as they do HTML or other protocols they transport. This allows rogue hackers to get hold of sensitive data that most developers think theyve protected, Chess said.

"The attacker can put code in a Web page," he said. "If he can trick you into running it in your browser, your browser can look like you and act like you, but its not you; its actually shoveling data back to [the attacker]."

The problem specifically lies in JSON (JavaScript Object Notation), a lightweight data interchange format that for some time has been known to have security problems.

The text-based, human-readable format for representing objects and other data structures is mostly used to transmit structured data over a network connection.

Yahoo began offering some of its Web Services optionally in JSON in December 2005, and Google started offering JSON feeds for its GData Web protocol in December 2006.

Next Page: Finding a way in.





  Reader Comments: AJAX Apps Ripe Targets for JavaScript Hijacking
>>> Be the FIRST to comment on this article!
 


 
 
>>> More Network Security & Hardware Articles          >>> More By Lisa Vaas
 


x}ks㶲*Q3CO#dK+c[>f|&UZ$CR~${rkdrw-`n4w~vv IM˙sל۔\sPç v$5wv]2i* d&@ jہ)}mk4 uB;;#|6S%߽w *s=NN5KԚLÆ|g&$Ʈl dkdp,FcwO5d{=B ~5[6m(GJŻ?KE!wO׶Cշ8>vP ߩUaÙO,}!*{> e%k4݋ʏIGO(ɀYFz.Qu^Vٮq4]b'*cO^3jc㥨 aP`\9t} G&lw&"ScO$ӡNfI%p'0Q#@ڮSVHf̲;o tG ob}uק&[! bS 3MuN_FBԿ¥05?GN8CEnOU[۾twy@frt˜HJ&ԃ)}(p}=\'BL}:n/EӝÌfؖqSth(͡V*Z]QKru_):?Wwcwm9{ 2+ѹkL(eu7ٺsm%k%m{|NsvN5yvty/ȯ;YHM~c/DJ V,D-ԁNVP? uΑkQ2[-_ Kj%٥~hY̞ofVҘ gUUYA[~6t.˫nCӣnl,aV4*2V]鮘ȏAժ}|qݽhwEڝONY; i fɗV\vO|g6~b M u ôW+ZvxC!u{L ,_e=h!_w nr@ i/]"{,Y`MImdƩ$|ǺzNԜYu*į`KS7B3I_sQ8nZK0[RF\ ДQ#|`Mab&DJH?є6-`i˫ TE嗋mESq>]Q4{3Bɭ`g@ɋ BD4?CC0!pl/\~L.ãQwWڲ9Q[ kK\M흚ǘ\zL'UM~?wLqJjhX.B2iKB0pkꛛZϏRa^TU G&-d`q86acJݤc}nE=aAgIy|FMk>ktI=DC#ɠ:ڴ;\VS4!&-Ѐ 'pbdx: # 0f4mLH#AтMtT8n]`2Z9ܹ L& zVtc` VGPC!nH }P(Vr`{nȲc@|j JG@i0xzۢ dSJJd$D!-i]R@Az< -,rrl++~#~vGBj+6ODs@PGҙ;qjr_)̄rZ z)2ٜʬ$3Mf X*ȉ#o"0%X ,gZ Xk5沭UKZ%m *МLBĕ~EQmҧF(+<:gS<rH::79O: V!0\ zT30`-e?#{_=)V}faT5Clq-Z ;vm۽˧ sDq,-CZ!3`mpbZ FZ.L"fAqA029?\􆕟fc2AA+p& >AkwYgȲJu'6$\]Rj)2LZ(6A`eLI^txOCFM@X G\d0!QP\Q0.#_L_LU1(TOnƻhCz X]L,',PЧGk]W9,#߬0hh<]HzT%'VUJj5x]1*(Si)7~g2-sgeH): gn-%s3/Gx 1{h'0^+V`@|V_Q>]Ik0 3le`Sxt$ b*亢#?݀΍n/Џ]MtAkY, ܠYCaiϖ}^.y~R%'؂ _k56 nE`9]P˶SN+X@8u4[\ZW` > ~6F8fƏaf4X[ %}vWc7g)h"QkF:FdDCtΈ+6Rj*k};`[%Jk欭x+,s Jb+ʹV(EcZUz|ylƵYd{E3pS<ڪ+_Nˀey ڛZIg`g\Ukhx9C[B<$5r?_mߺ!܏r<7L M}VD TQW5BdLfaNg1¥0ck&&w%9*<l:k.`=z{Gq3?-YE:&+琩osC/ ƻ~rnAf ƫ|8)FΕ 6,Wf14D|\D"́<08h#2"n=%`n /.I7aOn:RJ r=cte>ugc5Z:<*Cz)cʜeo(SYmq'&F.҂^]fRv^LlvLTSdTRaƭrV/\f8C+`WRjjv L*Go&ŏh(urN3HC> PjQʠˏ}b*kZQR^?*KZbmwL lJq~XC τkx~E 6 2j=kR/ԕMOe%3Eq1쎸8DX=xd6 ѣ5Cv53up0NIlyVc6f&}agMٸU V|eZ]J֟E'fLt(|cO uṚo{{k7÷ GL)߭~*9WIH5 ]Uj; ss4G\0BR1|ʢ'r ]N7._VZiva *s>PV9ɷonjC<8 +A񷠐n)ɑ$ |*ͤ D봮OM1k0fhRbA1fF<$FMT!PR2.v3 \/D]s>\zF_j,r9EψaZ4ZS_Ί0 Z`!1ߐtxPVC (ʡ=``Vvy .g@ @Anp+z!NU HE*e4ДKe=:MRB'Դ5˓4/iY(Eqjhdꒈ~~ i&'ءXԛ_.6'8 $O kzisq/P{~%yt2ű2kE9e85(AuMHmQFiIg֢Ѭ]}+ ɏh : 3e!Z & 2Ӣ_,wг5^fZ{Er@gFq?Imظ2U(sX6 }=˲yӅc `Сw';v$st7g&Ս)A0n=w>=`LM\g7hNPD(Vp%h* Xw= Zt VdcRxa9yh3riEo@Zgi]|&G_ |3$?[Э>y{ho&|)'A֚uhaJofm6Şa4 ݣovV:}i?vݷ;޽s¶"CWq k: -`* 14DhH^m X"2NIJa'>4|dM#}9Jf94hɘAxl7B_7nC]pb]s!T x:`o~ˤaW*]c{*{7wﰧ]VZtC.qB1nVd/)&%ΒE L OKt1ڬ/ۥ{HkYXdbSOٞo ?֘ '|Ȟ8^C|Syg!,daзF0[)-)$Ιd<J;omoݍnL M A;&JX<[N>۴ rUCaC_:(0i0pDa$\}5 ߈;6bE#Ɠtǟ-c򽱢rp:ip*9;_PE?\=3q Fȗqi+"@wыK\-1-Z]Mgֈe[Q32OrYfCS*X_Ǥ}bOO\NAa njZ8Dx@zx3q'ݞ _pjVGsX}!-\?$;oi@.A3>c>W'n)o}ih3i-u;7xĤ?&j|q~(W|ޱDe>i[++fN!bZ8W&Νi(1mwcN=ˈ{e f@ue"C]f>PSG\+d(΁,\3AI 0,>sH(M2䤦XU'\:A/i!6 렳,+&Davc"P2YގmSFh'5XR1f}tR.cl?+ep.ىGRbn2_)H2~) W݂šs:Y6R ȅK׈xm=nYb3t+J*MRLtRRpӹ`6 @ЌJQ..10g# @ ^yRdf3̛ݖ*nPfGoԲy;rS| q1lw$q'U9#0 E`_5=6Y@lzuIه9nS֫ckWЀ7)4IH̟v~_av}:RB44qm%8L1! u`%H6&kCo& HDN=$_%kAs+/DjϦV6Ww8_u>u;R>~K%Eh+ST5އ>)a63_r^{IbjlC67'Q3.%a2rDž:䎣a>װn!(0JΠ<2.µeޢx[ܮPy)^v 2: Uo‹LUe >o3q!"S "I )_*ZD3^ސ^ݿ+ئc% B@:tqO$sbH0qqmE,"g/Lے*'!W^iVr]&gS^ ^->"Vz1fk1j-Z.߼߼߼߼_h\gTT:x\А%p|.\ַì ]ѻD~^ "0M |LTi09p 6%5ra?׃ ֏Iifհ `SěV|}Wa`M#y׼rLaEH5:~܏C#X 0? 8CV7Tn\>|JnoU: a'"$zmNDZlnTj"27P0FCyΌQ9aFvgca^#;(gQ7irQkiwU̿E_MqmnZ=J+f+*O~OI >:xS@s?F z@"59o~675%_睿CwVhl|+-Nx;GbhwXk@nEM+#E.WW/rA蹞nQ_Hf&tȸm}u<;-3ً xmMo qP;6;7oAvjcm"㵙v=mVx{7isO`W۰:pXʼnwy0m-mĬә{KR+eyX -}-w{ۀM~܃yGYKj|ubMf4t86gokf3&e<+ m~yj$=N98X"O}@5.fF3h έko(jc {r闶QpCV-Iv O *`ϵl{;hO7f>#b1DKb@/j֐]]g˜ .t#PLcGxqsR9cT"(8EP)*=6i[ nI]E a!/(/ne~aI{5I&{ǘ$ ^9q}EMm&^ kQ< W'flZO'p.4XDJ Ň!^)G K&5\Iee3-t{ ('b"ΙTh,ZNtUĥkc.ZMWWK.KBG2K*ߕlW1f.tOHk˜xn<vlNz ԣ:BMEnŗVTU"jp?b\y z G>)fF<@&Lvh;bj=Vںq)y,y-J J#gxٹ5>> ՗>-,'c0/';`^hR?+ Ra ):MkWdO}TK[RJH`o2?o(?q'%<z1W-fgqM@gJwS4H v0J7GIxo/5!oI{m >:bٮg60ډJ Jݫ9?2RmFέNrE뛫uW١Z`3+nsl+ZKɶ8+YlwAQgg)q8 @ȩ莥r/t G Ki~RJHuTW"Yu?lgǨ zJ =0]LaL_ňVSR>dDk9mǖA&׈1cڄCE^+@ZBB(YYv' o.'G>Wov/?VHzՕݷod}extJ":rG:-ói#:&  ):T]БܟޔjmO*oIgO4}A6ڄyiǥ4YgMr+ǯh\ixc#~k3dw rF@YfOGP56WD:iv;\:A窏V|wB wtq/?ыN;fL@Nzl0W^ Fk:*|e1u1"!G\oX|J7b75|$rkIC9 1W}e_)a#{~L-ǣ D"Ŵ"c)41GJ[!1}s? UϤt:pxXҚ0!<RAA26mDRRictkXaٌ{ɍwK2R?LQXj*!b3wاX,/ }Nh $U,N^B "PF: 1C(~jJ͍$u~6p"(3[]ă0>]w730lMqW'Ag#jix`b\]:ovN5j' H=:y s!aZ;:)QB<ⱴP <'/87,Xzoj Bh),f,՚RD&u]C !2,S=VJT<AuLT]q)UH+^@0Q3:%{$$ ͈u0՝[h]^}&'+"'W<_u/9oW[u|ܻ|ҽ\^u/扅/1 kyl2/*(H\;NSʙ~oSgµ,,^;KwE 3@cqq^ L;O;8{Rf}Y QJNi21Sj:OֆC|~ƫx]jy5sλmx9n0}P܄ṍ @1@C|uw)4#z_m;9B9WP~)Ay/9} 4hwrʏx} $>s#\_~-4O˻B_[3݋r7~Ng( ٮy3>y<><@99y^ ?唟BiN/PKN9^E\]_O/G@r%e\9_\O997's}G௏9 ?~rCk(+kh:kKu3Ay+GZpz~;29)G9R{WK}(gUsV^Va{CjGU_?Gޫ@I{ykR+ ]q%3-{ᘴ[˺rPKȣ_xi +{Iy@ⅇW4:<)X9vFnmţu.TVl<-t&n\ef(/@FA@ac>~FsU?f69x|fOCvHu6lﰇ|(O6Tq< 5RYu8% H-MԳpNs ;wEm=SHNWnޣ97w&ڞn )xT-kZYoZԪw俓+$2 G0q]HMjJ]Nlժ~\,)g /(@#غ7M{%}C7":fȳRLq u+J!'\Cx'!̫2fdof2EaSOp^Wv"H@0~Y8P&`!؞.F^G$w -qyjI2hؐM ؒ9N-#G1N>@%M™x",O~f+g-ԛsOn 4@[4Dr(9Pų l1@ҙ z9׽tLdp!gB-ҋKlY@eD˺U暼B` j?5n%c$Q/%נ/ɉ|![<0BRhfNY( 8[]^NȇA mX<apb2 BLw u xn'qgT-̸&nl-g.Oc*ˤ汧" I6ИYLCƊvsFF{8u1<̡Pnl@PJmXnbaP'ʞq}|8=;zlF"bvܙ%b,H_[l,)1 {;Kh64s `.=C{)B9O咤 X3W]dA_d|bOhŵ+o.TùLH Д2[`}aCm5eԦu"v/Iߵ98q ł!نIf[Wuv=G"2cT =w`?GcБ2wRSX^ Ղ]#r/.IDπjUM$f@gQl(VxR@|{[o݅[\D)(~QVUPS"ㅰx/!ZQy|XT ,sD<>K:cxCq޴EcHPWWݜ햏 Xo| 8jO.d6CF|gK 1D/7ag} r@c]T1ng`SwDl .7(.O]& xWa!*e;1KMP`O3!w>G}d ȑ( l}i.͜GK@g0mҕh_ɬnq7V0] c/1+$~Il=bu{-Wrcd+xf:PEXl+R+Kei$Vi/ >n)ZF#,c ԭ<P8_CAc.vjmnFQXƺa#¶u4mѩoߩn^SQa[O_<.tcb,LڙFX<޳sW=?5zl3ǿall,eH}+qd.GDI Ik.-wvua4,Lb9"[^'QI 8`RжX3"@a)5z`n~3 f<˜4W6QĶqynuҵ-˱=U)xlw6k+Ȁ7HY[D,5Ra:(= zBk|FXKג r7umr?{]9,M c|Rc9zafr[W`0Z.<,(`F,KEv$8ґCA؞Bʄ>e31#7Dn0Br;H d[H_مtv3\j)/YH~1 <99.@OI"cXM1}a`|L2<'\B1,#6ŠN|]t1Nʓ@:iw>J{`g~NTvQKeVnw/ާ+e=;`ons gs7*Ѡ,jU z' l5mEgl3W'J^R۝wz"f/ROa6%s|N1VKi+^ϦO*L㇅ wm&l2)v}mb-c6C-;~u *