    AJAX Apps Ripe Targets for JavaScript Hijacking

    By Lisa Vaas - April 2, 2007

      Fortify Software has documented what the security firm is calling a “pervasive and critical” vulnerability in Web 2.0 applications—specifically, in the ability of an attacker to use a JavaScript vulnerability to steal critical data by emulating unsuspecting users.

      The vulnerability—which allows an exploit called JavaScript Hijacking—can be found in the biggest AJAX frameworks out there, including three server-integrated toolkits: Microsoft ASP.Net AJAX (aka Atlas), Google Web Toolkit and xajax—the last of which is an open-source PHP-class library implementation of AJAX.

      Client-side libraries that Fortify inspected and found to be vulnerable are the Yahoo UI, Prototype, Script.aculo.us, Dojo, Moo.fx, jQuery, Rico and MochiKit.

      Of the AJAX frameworks and client-side libraries Fortify inspected, only DWR 2.0 (Direct Web Remoting 2.0) has mechanisms to prevent JavaScript Hijacking.

      That isn't surprising, given that Joe Walker, who developed DWR, wrote about the JavaScript Hijacking flaw in early March.

      According to Fortify, the other AJAX frameworks don't explicitly provide any protection, nor do their documentation materials mention the vulnerability as a security concern.

      Brian Chess, Fortify Software's co-founder and Chief Scientist, told eWEEK that the security firm is getting a ho-hum reaction from some regarding the news, since JavaScript has never been considered to be safe anyway.

      “Everybody hears, ‘Oh, there's a JavaScript security problem,’ and everybody says, ‘Oh yeah, everybody knows JavaScript is a security concern in itself,’” Chess said.

      This, however, is the first type of JavaScript problem that Chess knows of that specifically targets AJAX-style and Web 2.0-style applications, he said.


      What's happening, Chess said, is that AJAX-style applications are dropping the X off of AJAX, which stands for Asynchronous JavaScript and XML. Thus, the applications are doing all their work in JavaScript, particularly using it as their data transport format.

      The gotcha is that Web browsers don't protect JavaScript as they do HTML or other content they transport. This allows rogue hackers to get hold of sensitive data that most developers think they've protected, Chess said.

      “The attacker can put code in a Web page,” he said. “If he can trick you into running it in your browser, your browser can look like you and act like you, but it's not you; it's actually shoveling data back to [the attacker].”

      The problem specifically lies in JSON (JavaScript Object Notation), a lightweight data interchange format that for some time has been known to have security problems.

      The text-based, human-readable format for representing objects and other data structures is mostly used to transmit structured data over a network connection.

      Yahoo began offering some of its Web Services optionally in JSON in December 2005, and Google started offering JSON feeds for its GData Web protocol in December 2006.


      Finding a Way In

      One problem with JSON is that CSRF (cross-site request forgery) allows attackers to bypass the technology's cookie-based authentication, as DWR's creator, Walker, says in his blog.

      Specifically, CSRF allows a user to invoke cookie-protected actions on a remote server, thus allowing “Mr. Evil to trick Mrs. Innocent into transferring money from her bank account into his,” Walker wrote.

      Walker is a developer and runs a consultancy called Getahead.

      “I believe that JSON is unsafe for anything but public data unless you are using unpredictable URLs,” he said in the same blog posting.

      Walker said that another, less well-known flaw in JSON is an Array hack that allows malicious users to steal JSON data on Mozilla and any other platform with a modern JavaScript interpreter. This in fact is the subject of Fortify's recent work. Fortify's paper can be downloaded here.

      “JSON makes JavaScript Hijacking easier by the fact that a JSON array stands on its own as a valid JavaScript statement. Since arrays are a natural form for communicating lists, they are commonly used wherever an application needs to communicate multiple values. Put another way, a JSON array is directly vulnerable to JavaScript Hijacking. A JSON object is only vulnerable if it is wrapped in some other JavaScript construct that stands on its own as a valid JavaScript statement.”

      And more details from the Fortify paper:

      “Web browsers enforce the Same Origin Policy in order to protect users from malicious Web sites. The Same Origin Policy requires that, in order for JavaScript to access the contents of a Web page, both the JavaScript and the Web page must originate from the same domain. Without the Same Origin Policy, a malicious Web site could serve up JavaScript that loads sensitive information from other Web sites using a client's credentials, culls through it, and communicates it back to the attacker.

      “JavaScript Hijacking allows an attacker to bypass the Same Origin Policy in the case that a Web application uses JavaScript to communicate confidential information. The loophole in the Same Origin Policy is that it allows JavaScript from any Web site to be included and executed in the context of any other Web site.

      “Even though a malicious site cannot directly examine any data loaded from a vulnerable site on the client, it can still take advantage of this loophole by setting up an environment that allows it to witness the execution of the JavaScript and any relevant side effects it may have. Since many Web 2.0 applications use JavaScript as a data transport mechanism, they are often vulnerable while traditional Web applications are not.”

      Anywhere this vulnerability can occur, it does occur, Chess said, with the exception of DWR. As for the major companies behind frameworks, almost all said they will work on the vulnerability and that it will be fixed in the next version.

      Microsoft, for one, told eWEEK that its MSRC is on this and that the company is investigating new public reports of possible vulnerabilities that occur in applications developed using the downloadable Microsoft ASP.NET AJAX framework.

      A Microsoft spokesperson said that the company is not aware of any attacks attempting to use the reported issue or of customer impact at this time. Yahoo had not been able to provide comment by the time this story posted.

      Google, for its part, has posted an article that shows developers how to prevent the vulnerabilities described by Fortify in all versions of the Google Web Toolkit.

      “We plan to add additional, automatic safeguards in the next version of GWT, due out in the coming weeks, to supplement the security measures developers take on their own,” a Google spokesperson added.

      These companies have been through the security flaw grinder and know better than to ignore vulnerabilities, Chess said. The problem is that many developers aren't using frameworks from the big players at all—rather, they're rolling their own. Unfortunately, many such developers haven't yet embraced security as their responsibility—and it's this that's prompted Fortify to start banging the drum on the issue.

      “Most people don't know when they use these AJAX-style components [i.e., frameworks] that they're at more risk,” Chess said. “We need to talk to the AJAX community about what the problem is and what they have to do to address it.”

      The overwhelming reaction Fortify received from framework maintainers was that this vulnerability is a high-priority fix, Chess said.

      What's surprising is the few instances in which framework developers said that security wasn't their problem.

      “It makes me really mad to think there are developers out there who are fielding code and who expect people who are going to use that code to figure out all the security ramifications,” Chess said.

      Chess declined to name names, given that he's still working with them, trying to get recalcitrant developers to address the vulnerability.

      In order to make the attack succeed, the browser must be tricked into doing something it wasn't intended to do. Whether this is possible depends in part on how the JavaScript response is formatted.

      The Array format is fairly commonly used and makes it easy to trick the browser, Chess said. Exploiting the vulnerability is all about having the conditions necessary to abuse the security policy implemented by a given Web browser. Unfortunately, Fortify found those conditions are fulfilled “a surprising amount of time,” he said.

      The problem with getting developers to accept responsibility for fixing the vulnerability is easy to spot after comparing AJAX hijacking to, say, buffer overflows, Chess said.

      The industry has known about buffer overflows for decades and is usually prompt in addressing them. The problem with JavaScript/AJAX/Web 2.0 security flaws is that there has been no strong message going out to software developers regarding security being their responsibility, Chess said.

      “With JavaScript, enterprises are still in the early phases of adopting early programming techniques,” he said. “We have an opportunity to get in front of the problem. Before it becomes a widespread” insecure programming practice, he said.

      How It Came to Be

      According to Fortify's paper, applications may be vulnerable if they use JavaScript as a data transfer format and if they handle confidential data.

      Nobody knows if this vulnerability is currently being used to steal data. That's because if somebody were using it for thievery, it would be undetectable, Chess said: “It very well could be being exploited right now and we wouldn't know it.”

      As far as how to fix it goes, Fortify's paper gets into the details. In many cases it would take as few as a dozen lines of code. What's of added interest, Chess said, is how the vulnerability came to be in the first place.
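      The Fortify excerpt above makes two points that a developer can check mechanically: a bare JSON array is a complete JavaScript statement (so a page on another origin can pull it in through a script include), while a bare JSON object, or any body that is not a valid statement, is not. The Node.js snippet below is an added example, not code from the article, from Fortify's paper or from any of the frameworks named; all function names, the prefix token and the sample account records are constructed for illustration. It compiles candidate response bodies with the Function constructor (compiling only, never invoking) to show which ones would execute as a script, and then shows two fixes of the "dozen lines of code" kind: a non-executable prefix that the application's own XMLHttpRequest client strips before parsing, and a check for a custom request header that a cross-site script include cannot supply.

```javascript
// Added example, not from the article or the Fortify paper.
// All names and the sample data below are constructed for illustration.

// Constructed sample of confidential per-user data an AJAX endpoint might return.
const SAMPLE_ACCOUNTS = [
  { account: "1234", balance: 100.5 },
  { account: "5678", balance: 42.0 },
];

// Returns true if `body` parses as a complete JavaScript program, i.e. it
// would run if a page loaded it through <script src=...>. The text is only
// compiled with the Function constructor; the result is never invoked.
function compilesAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (err) {
    if (err instanceof SyntaxError) return false;
    throw err;
  }
}

// Defence 1 (hypothetical helper): prefix the JSON body with a token that is a
// syntax error at the start of a script, so a <script> include fails to parse,
// while the application's own XMLHttpRequest code strips the prefix first.
const ANTI_HIJACK_PREFIX = ")]}',\n";

function hardenJsonBody(value) {
  return ANTI_HIJACK_PREFIX + JSON.stringify(value);
}

function parseHardenedJson(body) {
  if (!body.startsWith(ANTI_HIJACK_PREFIX)) {
    throw new Error("response is missing the anti-hijacking prefix");
  }
  return JSON.parse(body.slice(ANTI_HIJACK_PREFIX.length));
}

// Defence 2 (hypothetical helper): serve confidential JSON only to requests
// carrying a custom header. A cross-site <script src=...> load cannot set
// request headers, whereas the application's XMLHttpRequest can.
function isLegitimateDataRequest(headers) {
  const lower = {};
  for (const [name, value] of Object.entries(headers)) {
    lower[name.toLowerCase()] = value;
  }
  return lower["x-requested-with"] === "XMLHttpRequest";
}

// The three cases the text describes, evaluated on the constructed sample.
function demo() {
  return {
    // A bare array is an expression statement: it compiles as a script.
    bareArrayIsScript: compilesAsScript(JSON.stringify(SAMPLE_ACCOUNTS)), // true
    // A bare object is parsed as a block, and "accounts": is a syntax error there.
    bareObjectIsScript: compilesAsScript(JSON.stringify({ accounts: SAMPLE_ACCOUNTS })), // false
    // The prefixed body is a syntax error from its first character.
    hardenedIsScript: compilesAsScript(hardenJsonBody(SAMPLE_ACCOUNTS)), // false
  };
}

// Run stand-alone with `node file.js`; harmless when loaded as a module.
if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
  console.log(parseHardenedJson(hardenJsonBody(SAMPLE_ACCOUNTS)));
}
```

      Two caveats on the design. The prefix only helps if every legitimate client strips it, so it belongs in one shared fetch wrapper rather than in each call site; and the header check relies on the endpoint never being reachable by a plain GET from a script tag, so it should be combined with, not substituted for, the usual CSRF token on any request that changes state.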

      “We've got Web 2.0/AJAX kind of guys who want to do things with browsers and HTML and … [they] really weren't designed to do the work,” he said. “[They're using] hacks and kludges to make things work. Sometimes that has unforeseen consequences. You get cobbled-together AJAX.”

      What's needed are standards and protocols and Web browsers that support them, Chess said. The teams at Microsoft and Mozilla that maintain IE and Firefox are where “the rubber hits the road,” he said.

      “Once they agree something's a standard, it's a standard,” he said. “There's a lot of people who try to influence them, but it's really they we look to and take cues from.”

      This vulnerability will likely further motivate standards-setting bodies such as the IETF or the W3C, Chess said. Such organizations have often been where Microsoft's and Mozilla's people have come together to determine what will happen with standards and protocols.

      “I think this will further motivate them,” Chess said. “They've known about problems in this neighborhood. … But I don't think they've understood what a big deal their security decisions would be.”


      Lisa Vaas
      Lisa Vaas is News Editor/Operations for eWEEK.com and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on eWEEK.com, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.