April 03, 2007

JavaScript Hijacking Vulnerability Identified

Fortify Software has announced that its Security Research Group has documented a vulnerability associated specifically with Web 2.0 and AJAX-style software. Termed "JavaScript Hijacking," the vulnerability lets attackers steal critical data by emulating unsuspecting users.

JavaScript Hijacking appears to be a ubiquitous problem. Fortify examined 12 AJAX frameworks, including those from Google, Microsoft, Yahoo!, and the open source community. Fortify claims that among them, only Getahead's Direct Web Remoting (DWR) 2.0 implements mechanisms for preventing JavaScript Hijacking. The rest of the frameworks do not explicitly provide any protection and do not mention any security concerns in their documentation, says Fortify. Even if an application does not use any of the frameworks listed above, it may be vulnerable if it contains AJAX components that use JavaScript as a data transfer format for sensitive data.

"With recent surveys from McKinsey indicating that almost 75 percent of enterprises plan on increasing their investment in Web 2.0 technologies, it is clear that we need to address the issue now," said Brian Chess, Fortify Software’s co-founder and Chief Scientist. "Unlike vulnerabilities that are tied to a specific application or operating system, there is no single vendor to which this issue can be reported and resolved. In fact, many rich Web applications don't use any framework at all. As a result, we need to educate software developers about the risk that Web 2.0 brings."

The vulnerability opens businesses up to malware that can let attackers access proprietary information. JavaScript Hijacking lets attackers pose as the user accessing the Web 2.0 application. Once attackers successfully emulate the victim, they can read sensitive data transmitted between the application and the browser when JavaScript is used as the transport mechanism. These attackers can then buy and sell goods, trade stocks, adjust security settings for an enterprise network, or access and manipulate customer, inventory and financial information.

Any framework or application that meets these criteria may be at risk from JavaScript Hijacking and the developers responsible for these frameworks and applications should take immediate measures to prevent the vulnerability, says Fortify. The company advocates a two-pronged approach that lets applications decline malicious requests and prevent attackers from directly executing JavaScript the applications generate.
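As an added example of the two-pronged defence the article describes (this is not Fortify's or Dr. Dobb's code): the server handler declines requests that a cross-origin `<script>` element could produce (GET with no per-session token header), and it prefixes the JSON with a `while(1);` guard so the response cannot run as a script even if it is fetched. The `while(1);` prefix, the `x-session-token` header name and the request objects are assumptions, not details named in the article.

```javascript
// Added example (not Fortify's code): defending an AJAX endpoint that returns
// sensitive data as JavaScript/JSON against JavaScript Hijacking.
// Prong 1: decline requests that a cross-origin <script src=...> tag could make.
// Prong 2: make the response non-executable as a script, so a cross-origin
// inclusion cannot capture the data even when the browser attaches cookies.

const ANTI_HIJACK_PREFIX = 'while(1);'; // assumed choice; a comment wrapper also works

// Hypothetical server handler. `req` is a constructed request object carrying
// only the fields the checks need; `sessionToken` is the per-session secret
// that the legitimate page holds in script state (not only in a cookie).
function serveSensitiveData(req, sessionToken) {
  // A <script src> request is always a GET, so require POST.
  if (req.method !== 'POST') {
    return { status: 405, body: 'POST required' };
  }
  // A <script src> request cannot set custom headers, so require the token.
  if (req.headers['x-session-token'] !== sessionToken) {
    return { status: 403, body: 'missing or invalid session token' };
  }
  const data = { account: '12345', balance: 1500.25 }; // constructed sample data
  return {
    status: 200,
    headers: { 'Content-Type': 'application/json' },
    body: ANTI_HIJACK_PREFIX + JSON.stringify(data),
  };
}

// Client side: the legitimate page fetched the body with XMLHttpRequest/fetch,
// so it can strip the guard before parsing. A <script> tag gets no such chance.
function parseGuardedResponse(body) {
  if (!body.startsWith(ANTI_HIJACK_PREFIX)) {
    throw new Error('unexpected response shape');
  }
  return JSON.parse(body.slice(ANTI_HIJACK_PREFIX.length));
}

// Demonstration with constructed requests
const token = 'constructed-session-token';
const scriptTagRequest = { method: 'GET', headers: {} }; // shape of a <script src> fetch
const legitimateRequest = { method: 'POST', headers: { 'x-session-token': token } };
console.log(serveSensitiveData(scriptTagRequest, token).status); // 405
const ok = serveSensitiveData(legitimateRequest, token);
console.log(parseGuardedResponse(ok.body).balance); // 1500.25
```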

Posted by Jon Erickson at 04:05 AM