JavaScript 'Hijacking' Vulnerability Not Expected To Dampen Enthusiasm for AJAX

A newly announced security vulnerability in AJAX-based applications will place added onus on development teams to avoid such threats, but observers say the finding is unlikely to slow AJAX's rapid growth.

AJAX applications are susceptible to "JavaScript hijacking," allowing unauthorized individuals to read private content within JavaScript messages, according to Fortify Software, a Palo Alto, Calif.-based supplier of threat identification and remediation tools.

Fortify reported on Monday that of 12 widely used AJAX frameworks and eight client-side libraries the company evaluated, only those based on DWR 2.0 (supported by TIBCO) offer measures to prevent JavaScript hijacking. The vulnerable products include Microsoft's ASP.NET AJAX tool (code-named Atlas), the Google Web Toolkit and libraries such as Prototype, Dojo and Yahoo! UI.

Brian Chess, Fortify's co-founder and chief scientist, says developers shouldn't shrug their shoulders at the news simply because it involves JavaScript, which has a history of browser-based security problems. "It's not a new name for an old kind of problem. This is a new JavaScript-related problem that arises in AJAX-style applications," Chess said.

AJAX, which stands for Asynchronous JavaScript and XML, allows developers to add interactive capabilities to Web content by exchanging small bits of data between the browser and the server. It was popularized last year by applications such as Google Maps, which lets a user hover the mouse over a location and retrieve more data.

An attacker can pose as a victim by communicating with a Web site that may have confidential customer or employee data, Chess said. "This problem appears to be ubiquitous," he asserted.

Forrester Research analyst Jeffrey Hammond said it is possible a large number of AJAX applications are vulnerable to this threat, but it can be easily remediated by not letting private information be transmitted from a server without appropriate authentication.

"If you have an active framework with a lot of developers involved in it, it should be relatively easy to fix this loophole," Hammond said. "But if the framework is not very active and not being updated rapidly, you may have to implement a workaround and kind of do it on your own."

Chess said the workaround is fairly straightforward and that in many cases, toolkit providers will only have to revise a few lines of code. Fortify has already alerted the toolkit and framework vendors affected and many have said fixes are coming within weeks.
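The remediation Hammond and Chess describe, as an added example that is not code from the article or from any of the vendors it names: a model of a JSON-returning AJAX endpoint, first relying on the session cookie alone and then with two small server-side checks that stop a cross-site script include from receiving usable data. The endpoint, session store, request shape and the `while(1);` prefix convention are assumptions for illustration; the hardening pattern itself (require a header only same-origin script can set, and make the response body unusable as a bare script) is the commonly recommended fix for this class of issue.

```javascript
// Added example (not from the article): modelling the fix for JavaScript
// hijacking with pure functions, no network. Names and values are assumed.

// Constructed session store: cookie id -> the private data the endpoint serves.
const SESSIONS = { 'sess-42': { user: 'alice', email: 'alice@example.com' } };

// A request as the server sees it. `cookie` is attached by the browser to any
// request for this origin; `headers` can only be added by script that runs on
// the same origin (XMLHttpRequest), never by a <script src="..."> include.
function makeRequest({ method = 'GET', cookie = '', headers = {} } = {}) {
  return { method, cookie, headers };
}

function sessionFor(req) {
  const m = /(?:^|;\s*)sid=([^;]+)/.exec(req.cookie);
  return m ? SESSIONS[m[1]] : undefined;
}

// Before the fix: authentication is the cookie alone and the body is a plain
// JavaScript array literal. Any page that can make the browser fetch this URL
// gets the same body, and a script include executes it as code on that page.
function vulnerableProfileHandler(req) {
  const s = sessionFor(req);
  if (!s) return { status: 401, body: 'null' };
  return { status: 200, body: JSON.stringify([s.user, s.email]) };
}

// After the fix ("a few lines of code"):
//  1. Require POST plus a custom header; a <script> tag can do neither, so the
//     cookie alone no longer authenticates the request.
//  2. Prefix the body so that, executed as a script, it never yields the data;
//     the legitimate client strips the prefix and parses the rest as JSON.
const PREFIX = 'while(1);'; // assumed convention; ")]}',\n" is another common choice

function hardenedProfileHandler(req) {
  const s = sessionFor(req);
  if (!s) return { status: 401, body: 'null' };
  if (req.method !== 'POST' || req.headers['X-Requested-With'] !== 'XMLHttpRequest') {
    return { status: 403, body: '' };
  }
  return { status: 200, body: PREFIX + JSON.stringify([s.user, s.email]) };
}

// Same-origin client side: verify the prefix, then parse as data (never eval).
function parseGuardedJson(body) {
  if (!body.startsWith(PREFIX)) throw new Error('missing anti-hijack prefix');
  return JSON.parse(body.slice(PREFIX.length));
}

// Constructed scenarios.
// A: the browser loads this endpoint as a script on behalf of another site;
//    the cookie is present but no custom header or POST is possible.
const crossSiteInclude = makeRequest({ method: 'GET', cookie: 'sid=sess-42' });
// B: the application's own XMLHttpRequest call.
const sameOriginXhr = makeRequest({
  method: 'POST',
  cookie: 'sid=sess-42',
  headers: { 'X-Requested-With': 'XMLHttpRequest' },
});

// Summary a reviewer can eyeball: which handler serves data to which request.
function outcomes() {
  return {
    vulnerableToInclude: vulnerableProfileHandler(crossSiteInclude).status,
    hardenedToInclude: hardenedProfileHandler(crossSiteInclude).status,
    hardenedToXhr: hardenedProfileHandler(sameOriginXhr).status,
  };
}
console.log(outcomes());
```

The header check is the part that restores "appropriate authentication" in Hammond's sense: the session cookie still identifies the user, but only a request the application's own script could have built is answered. The prefix is defence in depth for frameworks that cannot easily change how requests are issued.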

One that did not commit is Microsoft, Chess said. "Microsoft moves at Microsoft speed. They've registered this in their security system and they will patch it when they patch it," he said.

Microsoft declined to discuss the issue but issued a statement saying its Security Response Center is investigating. "Upon completion of this investigation, Microsoft will take the appropriate action," the statement read.

Jon Ferraiolo, a Web architect in IBM's emerging technologies group and chairman of The OpenAjax Alliance, says security is among the key objectives of the group, which has more than 70 member companies. Among the key issues the alliance will take up is education about best practices.

Developers should avoid obvious pitfalls, such as putting third-party content into an application without verifying the provider of that content. "You have to be careful with the way your server side is set up if you want to have a secure, browser-based deployment, AJAX or otherwise," Ferraiolo said.

Like others, he says Fortify's finding won't have a chilling effect on AJAX development. "There's all this AJAX going on right now," Ferraiolo said. "This is not a show-stopper."

About the Author

Jeffrey Schwartz is editor of Redmond magazine and also covers cloud computing for Virtualization Review's Cloud Report. In addition, he writes the Channeling the Cloud column for Redmond Channel Partner. Follow him on Twitter @JeffreySchwartz.