News
JavaScript 'Hijacking' Vulnerability Not Expected To Dampen Enthusiasm for AJAX
- By Jeffrey Schwartz
- April 03, 2007
A newly announced security vulnerability in AJAX-based applications will place
added onus on development teams to avoid such threats, but observers say the
finding is unlikely to slow AJAX's rapid growth.
AJAX applications are susceptible to "JavaScript hijacking," which allows
unauthorized individuals to read private content within JavaScript messages,
according to Fortify Software, a Palo Alto, Calif.-based supplier of threat
identification and remediation tools.
Fortify reported on Monday that of 12 widely used AJAX frameworks and eight
client-side libraries the company evaluated, only those based on DWR 2.0 (supported
by TIBCO) offer measures to prevent JavaScript hijacking. The vulnerable frameworks
and libraries include Microsoft's ASP.NET AJAX tool (code-named Atlas), the Google
Web Toolkit and libraries such as Prototype, Dojo and Yahoo! UI.
Brian Chess, Fortify's co-founder and chief scientist, says developers shouldn't
shrug their shoulders at the news simply because it involves JavaScript, which
has a history of browser-based security problems. "It's not a new name
for an old kind of problem. This is a new JavaScript-related problem that arises
in AJAX-style applications," Chess said.
AJAX, which stands for Asynchronous JavaScript and XML, allows developers to
add interactive capabilities to Web content by exchanging small bits of data
between the browser and the server. It was popularized last year by applications
such as Google Maps, which let a user hover the mouse over a location and
retrieve more data.
An attacker can pose as a victim by communicating with a Web site that may
have confidential customer or employee data, Chess said. "This problem
appears to be ubiquitous," he asserted.
Forrester Research analyst Jeffrey Hammond said it is possible a large number
of AJAX applications are vulnerable to this threat, but it can be easily remediated
by not letting private information be transmitted from a server without appropriate
authentication.
"If you have an active framework with a lot of developers involved in
it, it should be relatively easy to fix this loophole," Hammond said. "But
if the framework is not very active and not being updated rapidly, you may have
to implement a workaround and kind of do it on your own."
Chess said the workaround is fairly straightforward and that in many cases,
toolkit providers will only have to revise a few lines of code. Fortify has
already alerted the toolkit and framework vendors affected and many have said
fixes are coming within weeks.
One that did not commit is Microsoft, Chess said. "Microsoft moves at
Microsoft speed. They've registered this in their security system and they will
patch it when they patch it," he said.
Microsoft declined to discuss the issue but issued a statement saying its Security
Response Center is investigating. "Upon completion of this investigation,
Microsoft will take the appropriate action," the statement read.
Jon Ferraiolo, a Web architect in IBM's emerging technologies group and chairman
of The OpenAjax Alliance, says security is among the key objectives of the
70-plus-company group. Among the issues the alliance will take up is education
about best practices.
Developers should avoid obvious pitfalls, such as putting third-party content
into an application without verifying the provider of that content. "You
have to be careful with the way your server side is set up if you want to have
a secure, browser-based deployment, AJAX or otherwise," Ferraiolo said.
Like others, he says Fortify's finding won't have a chilling effect on AJAX
development. "There's all this AJAX going on right now," Ferraiolo
said. "This is not a show-stopper."
About the Author
Jeffrey Schwartz is editor of Redmond magazine and also covers cloud computing for Virtualization Review's Cloud Report. In addition, he writes the Channeling the Cloud column for Redmond Channel Partner. Follow him on Twitter @JeffreySchwartz.