YOUR FEEDBACK
Immo Huneke wrote: A well written article, an ingenious solution to a real problem often encountere...
Jan. 6, 2009 08:14 AM
Cloud Computing Conference
March 30 - April 1, New York
Register Today and SAVE !..
Did you read today's front page stories & breaking news?
SYS-CON.TV: SOA Power Panel Live From Times Square

SYS-CON.TV

2008 East
DIAMOND SPONSOR:
Data Direct
Frontiers in Data Access: The Coming Wave in Data Services
PLATINUM SPONSORS:
Red Hat
The Opening of Virtualization
Intel
Virtualization – Path to Predictive Enterprise
Green Hills
IT Security in a Hostile World
JBoss / freedom oss
Practical SOA Approach
GOLD SPONSORS:
Software AG
The Art & Science of SOA: How Governance Enables Adoption
PlateSpin
Effective Planning for Virtual Infrastructure Growth
Fujitsu
Automated Business Process Discovery & Virtualization Service
Ceedo
Workspace Virtualization
Click For 2007 West
Event Webcasts

2008 East
PLATINUM SPONSORS:
Appcelerator
Think Fast: Accelerate AJAX Development with Appcelerator
GOLD SPONSORS:
DreamFace Interactive
The Ultimate Framework for Creating Personalized Web 2.0 Mashups
ICEsoft
AJAX and Social Computing for the Enterprise
Kaazing
Enterprise Comet: Real–Time, Real–Time, or Real–Time Web 2.0?
Nexaweb
Now Playing: Desktop Apps in the Browser!
Sun
jMaki as an AJAX Mashup Framework
POWER PANELS:
The Business Value
of RIAs
What Lies Beyond AJAX?
KEYNOTES:
Douglas Crockford
Can We Fix the Web?
Anthony Franco
2008: The Year of the RIA
Click For 2007 Event Webcasts
TOP THREE LINKS YOU MUST CLICK ON


AJAX & Security
JavaScript Hijacking: Only 1 Out 12 Popular AJAX Frameworks Prevents It
The first class of vulnerability specific to rich Web apps

By: Brian Chess; Yekaterina Tsipenyuk O'Neil; Jacob West
Nov. 14, 2008 05:40 AM

Although the term "Web 2.0" does not have a rigorous definition, it is commonly used in at least two ways. First, it refers to Web applications that encourage social interaction or collective contribution for a common good. Second, it refers to Web programming techniques that lead to a rich and user-friendly interface. These techniques sometimes go by the name Asynchronous JavaScript and XML (AJAX), though many implementations don't use XML at all. In some cases, the social and technical aspects of Web 2.0 come together in the form of mashups: Web applications that are built by assembling pieces from multiple independent Web applications.

This article describes a vulnerability we call JavaScript Hijacking. It's an attack against the data transport mechanism used by many rich Web applications. JavaScript Hijacking allows an unauthorized attacker to read confidential data from a vulnerable application using a technique similar to the one commonly used to create mashups. The vulnerability is already being discussed in some circles, but most Web programmers are unaware that the problem exists, and even fewer security teams understand how widespread it is.

Traditional Web applications are not vulnerable to JavaScript Hijacking because they don't use JavaScript as a data transport mechanism. To our knowledge, this is the first class of vulnerability that is specific to rich Web applications. In essence, JavaScript Hijacking is possible because the security model implemented by all popular Web browsers doesn't anticipate the use of JavaScript for communicating confidential information.

JavaScript Hijacking builds on another type of widespread vulnerability: cross-site request forgery. A cross-site request forgery attack causes a victim to unwittingly submit one or more HTTP requests to a vulnerable Web site. A typical cross-site request forgery attack compromises data integrity - it gives an attacker the ability to modify information stored by a vulnerable Web site. JavaScript Hijacking is more dangerous because it also compromises confidentiality - an attacker can read a victim's information.

Vulnerable Web sites have already been found in the wild. One of the first people to demonstrate JavaScript Hijacking was Jeremiah Grossman, who identified a vulnerability in Google Gmail. (Google has fixed the problem.) Google was serving Gmail users' contacts in unprotected JavaScript, so an attacker could steal the contact list using JavaScript Hijacking.

During the course of our work, we examined 12 popular AJAX frameworks, including four server-integrated toolkits and eight purely client-side libraries. We found that only one of the 12 took measures to prevent JavaScript Hijacking. Preventing JavaScript Hijacking requires a secure server-side implementation, but it is incumbent upon the client-side libraries to promote good security practices. Currently, some of the client-side libraries go so far as to require the server side to contain a JavaScript Hijacking vulnerability.

Published Nov. 14, 2008— Reads 1,241
Copyright © 2009 SYS-CON Media. All Rights Reserved.
About Brian Chess
Brian Chess is a founder of Fortify Software and serves as Fortify's chief scientist, where his work focuses on practical methods for creating secure systems. His book, Secure Programming with Static Analysis, shows how static source code analysis is an indispensable tool for getting security right. Brian holds a Ph.D. in computer engineering from the University of California at Santa Cruz. Before settling on security, Brian spent a decade in Silicon Valley working at huge companies and small startups. He has done research on a broad set of topics, ranging from integrated circuit design all the way to delivering software as a service.

About Yekaterina Tsipenyuk O'Neil
Yekaterina Tsipenyuk O'Neil is the founding member of the Security Research Group at Fortify Software, where she is responsible for performing code audits, identifying and analyzing insecure coding patterns, providing security content for Fortify's software security products, and researching ways to improve the quality of the tools. Outside of the office, she spends time working with customers and speaking at conferences. Yekaterina has a BS and an MS in computer science from the University of California, San Diego. Her thesis work focused on mobile agent security.

About Jacob West
Jacob West manages Fortify Software’s Security Research Group, which is responsible for building security knowledge into Fortify's products. He brings expertise in numerous programming languages, frameworks and styles together with knowledge about how real-world systems can fail. In addition, he recently co-authored a book, "Secure Programming with Static Analysis," which was published in June 2007. Before joining Fortify, Jacob worked with Professor David Wagner, at the University of California at Berkeley, to develop MOPS (MOdel Checking Programs for Security properties), a static analysis tool used to discover security vulnerabilities in C programs. When he is away from the keyboard, Jacob spends time speaking at conferences and working with customers to advance their understanding of software security.

LATEST AJAXWORLD RIA STORIES
By RIA News Desk
Synology has announced the availability of its Disk Station Manager 2.1 beta which further utilizes AJAX technology, adds new mail server capability with 1-click installation Mail Station add-on, enhances the Synology Surveillance Station, storage management, user management, and...
Jan. 7, 2009 04:15 PM
By Jake Sorofman
Let’s face it - 2008 was a real slog. Even the most wide-eyed optimist would agree that this was one year whose end was long overdue. Of course, ringing in the New Year doesn’t somehow wash away what has become a fairly deep recession, but it does symbolize the fresh start th...
Jan. 7, 2009 04:15 PM
By RIA News Desk
BonzoBox, a social homepage, has revealed its product to the public. The website has previously operated under a hidden beta only available to selected developers. BonzoBox is an interactive Web tool that allows people to build their own customized "BonzoBox" home page with live ...
Jan. 7, 2009 04:15 PM
By RIA News Desk
Indigo Eight Software's release of AjaxPDF 2.5 lets thousands of DotNetNuke 4.x users view PDF documents in-line. Once installed, choose the PDF document to display, apply any of the optional security settings and the PDF document appears in-line within the Dot Net Nuke site. Thi...
Jan. 7, 2009 04:15 PM
By Cloud Computing News Desk
rPath and WANdisco today announced that WANdisco has selected the rPath rBuilder and rPath Lifecycle Management Platform to build and maintain its Subversion MultiSite solution as a manageable set of application images for delivery in virtualized and cloud-based environments. rPa...
Jan. 7, 2009 06:00 AM
SUBSCRIBE TO THE WORLD'S MOST POWERFUL NEWSLETTERS
SUBSCRIBE TO OUR RSS FEEDS & GET YOUR SYS-CON NEWS LIVE!
Click to Add our RSS Feeds to the Service of Your Choice:
Google Reader or Homepage Add to My Yahoo! Subscribe with Bloglines Subscribe in NewsGator Online
myFeedster Add to My AOL Subscribe in Rojo Add 'Hugg' to Newsburst from CNET News.com Kinja Digest View Additional SYS-CON Feeds
Publish Your Article! Please send it to editorial(at)sys-con.com!

Advertise on this site! Contact advertising(at)sys-con.com! 201 802-3021
Click Here

SYS-CON FEATURED WHITEPAPERS

MOST READ THIS WEEK
By Robbie Cheng
By Maureen O'Gara
By Cloud Computing News Desk
By Maureen O'Gara
By Nicole Schepker
By Frank Salim
By SAP News Desk
By RIA News Desk
By RIA News Desk
By RIA News Desk
By RIA News Desk
By Cloud Computing News Desk
ADS BY GOOGLE