
JavaScript 'Hijacking' Vulnerability Not Expected To Dampen Enthusiasm for AJAX

A newly announced security vulnerability in AJAX-based applications will place added onus on development teams to avoid such threats, but observers say the finding is unlikely to slow AJAX's rapid growth.

AJAX applications are susceptible to "JavaScript hijacking," which lets an unauthorized party read private content carried in JavaScript messages, according to Fortify Software, a Palo Alto, Calif.-based supplier of threat identification and remediation tools. The attack works because a malicious Web page can load a victim site's data URL with a script tag: the victim's browser attaches its session cookies to that request, and if the response is itself executable JavaScript, such as a bare JSON array, the attacker's page can capture its contents.

Fortify reported on Monday that of the 12 widely used AJAX frameworks and eight client-side libraries the company evaluated, only those based on DWR 2.0 (supported by TIBCO) include measures to prevent JavaScript hijacking. Those found vulnerable include Microsoft's ASP.NET AJAX tool (code-named Atlas), the Google Web Toolkit and libraries such as Prototype, Dojo and Yahoo! UI.

Brian Chess, Fortify's co-founder and chief scientist, says developers shouldn't shrug their shoulders at the news simply because it involves JavaScript, which has a history of browser-based security problems. "It's not a new name for an old kind of problem. This is a new JavaScript-related problem that arises in AJAX-style applications," Chess said.

AJAX, which stands for Asynchronous JavaScript and XML, allows developers to add interactive capabilities to Web content by exchanging small bits of data between the browser and the server without reloading the page. It was popularized last year by applications such as Google Maps, which let a user point at a location on the map and retrieve more data about it.

An attacker can pose as a victim by communicating with a Web site that may have confidential customer or employee data, Chess said. "This problem appears to be ubiquitous," he asserted.

Forrester Research analyst Jeffrey Hammond said it is possible a large number of AJAX applications are vulnerable to this threat, but it can be easily remediated by not letting private information be transmitted from a server without appropriate authentication.

"If you have an active framework with a lot of developers involved in it, it should be relatively easy to fix this loophole," Hammond said. "But if the framework is not very active and not being updated rapidly, you may have to implement a workaround and kind of do it on your own."

Chess said the workaround is fairly straightforward and that in many cases, toolkit providers will only have to revise a few lines of code. Fortify has already alerted the toolkit and framework vendors affected and many have said fixes are coming within weeks.

One that did not commit is Microsoft, Chess said. "Microsoft moves at Microsoft speed. They've registered this in their security system and they will patch it when they patch it," he said.

Microsoft declined to discuss the issue but issued a statement saying its Security Response Center is investigating. "Upon completion of this investigation, Microsoft will take the appropriate action," the statement read.

Jon Ferraiolo, a Web architect in IBM's emerging technologies group and chairman of the OpenAjax Alliance, says security is among the key objectives of the group, which has more than 70 member companies. Among the key issues the alliance will take up is education about best practices.

Developers should avoid obvious pitfalls, such as putting third-party content into an application without verifying the provider of that content. "You have to be careful with the way your server side is set up if you want to have a secure, browser-based deployment, AJAX or otherwise," Ferraiolo said.

Like others, he says Fortify's finding won't have a chilling effect on AJAX development. "There's all this AJAX going on right now," Ferraiolo said. "This is not a show-stopper."

About the Author

Jeffrey Schwartz is editor of Redmond magazine and also covers cloud computing for Virtualization Review's Cloud Report. In addition, he writes the Channeling the Cloud column for Redmond Channel Partner. Follow him on Twitter @JeffreySchwartz.
