Client-side libraries that Fortify inspected and found to be vulnerable are the Yahoo UI, Prototype, Script.aculo.us, Dojo, Moo.fx, jQuery, Rico and MochiKit.
According to Fortify, the other AJAX frameworks dont explicitly provide any protection, nor do their documentation materials mention the vulnerability as a security concern.
“The attacker can put code in a Web page,” he said. “If he can trick you into running it in your browser, your browser can look like you and act like you, but its not you; its actually shoveling data back to [the attacker].”
The text-based, human-readable format for representing objects and other data structures is mostly used to transmit structured data over a network connection.
Yahoo began offering some of its Web Services optionally in JSON in December 2005, and Google started offering JSON feeds for its GData Web protocol in December 2006.
Finding a Way In
One problem with JSON is that CSRF (cross-site request forgery) allows attackers to bypass the technologys cookie-based authentication, as DRWs creator, Walker, says in his blog.
Specifically, CSRF allows a user to invoke cookie-protected actions on a remote server, thus allowing “Mr. Evil to trick Mrs. Innocent into transferring money from her bank account into his,” Walker wrote.
Walker is a developer and runs a consultancy called Getahead.
“I believe that JSON is unsafe for anything but public data unless you are using unpredictable URLs,” he said in the same blog posting.
And more details from the Fortify paper:
Anywhere this vulnerability can occur, it does occur, Chess said, with the exception of in DWR. As for the major companies behind frameworks, most all said they will work on the vulnerability and that it will be fixed in the next version.
Microsoft, for one, told eWEEK that its MSRC is on this and that the company is investigating new public reports of possible vulnerabilities that occur in applications developed using the downloadable Microsoft ASP.NET AJAX framework.
A Microsoft spokesperson said that the company is not aware of any attacks attempting to use the reported issue or of customer impact at this time. Yahoo had not been able to provide comment by the time this story posted.
Google, for its part, has posted an article that shows developers how to prevent the vulnerabilities described by Fortify in all versions of the Google Web Toolkit.
“We plan to add additional, automatic safeguards in the next version of GWT, due out in the coming weeks, to supplement the security measures developers take on their own,” a Google spokesperson added.
These companies have been through the security flaw grinder and know better than to ignore vulnerabilities, Chess said. The problem is that many developers arent using frameworks from the big players at all—rather, theyre rolling their own. Unfortunately, many such developers havent yet embraced security as their responsibility—and its this thats prompted Fortify to start banging the drum on the issue.
“Most people dont know when they use these AJAX-style components [i.e., frameworks] that theyre at more risk,” Chess said. “We need to talk to the AJAX community about what the problem is and what they have to do to address it.”
The overwhelming reaction Fortify received from framework maintainers was that this vulnerability is a high-priority fix, Chess said.
Whats surprising is the few instances in which framework developers said that security wasnt their problem.
“It makes me really mad to think there are developers out there who are fielding code and who expect people who are going to use that code to figure out all the security ramifications,” Chess said.
Chess declined to name names, given that hes still working with them, trying to get recalcitrant developers to address the vulnerability.
The Array format is fairly commonly used and makes it easy to trick the browser, Chess said. Exploiting the vulnerability is all about having the conditions necessary to abuse the security policy implemented by a given Web browser. Unfortunately, Fortify found those conditions are fulfilled “a surprising amount of time,” he said.
The problem with getting developers to accept responsibility for fixing the vulnerability is easy to spot after comparing AJAX hijacking to, say, buffer overflows, Chess said.
How It Came to
Nobody knows if this vulnerability is currently being used to steal data. Thats because if somebody were using it for thievery, it would be undetectable, Chess said: “It very well could be being exploited right now and we wouldnt know it.”
As far as how to fix it goes, Fortifys paper gets into the details. In many cases it would take as few as a dozen lines of code. Whats of added interest, Chess said, is how the vulnerability came to be in the first place.
“Weve got Web 2.0/AJAX kind of guys who want to do things with browsers and HTML and … [they] really werent designed to do the work,” he said. “[Theyre using] hacks and kludges to make things work. Sometimes that has unforeseen consequences. You get cobbled-together AJAX.”
Whats needed are standards and protocols and Web browsers that support them, Chess said. The teams at Microsoft and Mozilla that maintain IE and Firefox are where “the rubber hits the road,” he said.
“Once they agree somethings a standard, its a standard,” he said. Theres a lot of people who try to influence them, but its really they we look to and take cues from.”
This vulnerability will likely further motivate standards setting bodies such as the IETF or the W3C, Chess said. Such organizations have often been where Microsofts and Mozillas people have come together to determine what will happen with standards and protocols.
“I think this will further motivate them,” Chess said. “Theyve known about problems in this neighborhood. … But I dont think theyve understood what a big deal their security decisions would be.”
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.