News

JavaScript 'Hijacking' Vulnerability Not Expected To Dampen Enthusiasm for AJAX

• By Jeffrey Schwartz
• 04/03/2007

AJAX applications are susceptible to "JavaScipt hijacking," allowing unauthorized individuals to read private content within JavaScript messages, according to Fortify Software, a Palo Alto, Calif.-based supplier of threat identification and remediation tools.

Fortify reported on Monday that of 12 widely used AJAX frameworks and eight client-side libraries the company evaluated, only those based on DWR 2.0 (supported by TIBCO) offer measures to prevent JavaScript hijacking. The vulnerable properties include Microsoft's ASP.NET AJAX tool (code-named Atlas), the Google Web Toolkit and libraries such as Prototype, DoJo and Yahoo! UI.

Brian Chess, Fortify's co-founder and chief scientist, says developers shouldn't shrug their shoulders at the news simply because it involves JavaScript, which has a history of browser-based security problems. "It's not a new name for an old kind of problem. This is a new JavaScript-related problem that arises in AJAX-style applications," Chess said.

AJAX, which stands for Asynchronous JavaScript and XML, allows developers to add interactive capabilities to Web content by exchanging small bits of data between the browser and the server. It was popularized last year by applications such as Google Maps, which allow an individual to put their mouse on a location and access more data.

An attacker can pose as a victim by communicating with a Web site that may have confidential customer or employee data, Chess said. "This problem appears to be ubiquitous," he asserted.

Forrester Research analyst Jeffrey Hammond said it is possible a large number of AJAX applications are vulnerable to this threat, but it can be easily remediated by not letting private information be transmitted from a server without appropriate authentication.

"If you have an active framework with a lot of developers involved in it, it should be relatively easy to fix this loophole," Hammond said. "But if the framework is not very active and not being updated rapidly, you may have to implement a workaround and kind of do it on your own."

Chess said the workaround is fairly straightforward and that in many cases, toolkit providers will only have to revise a few lines of code. Fortify has already alerted the toolkit and framework vendors affected and many have said fixes are coming within weeks.

One that did not commit is Microsoft, Chess said. "Microsoft moves at Microsoft speed. They've registered this in their security system and they will patch it when they patch it," he said.

Microsoft declined to discuss the issue but issued a statement saying its Security Response Center is investigating. "Upon completion of this investigation, Microsoft will take the appropriate action," the statement read.

Jon Ferraiolo, a Web architect in IBM's emerging technologies group and chairman of The OpenAjax Alliance, says security is among the 70-plus company member group's key objectives. Among the key issues the alliance will take up is education about best practices.

Developers should avoid obvious pitfalls, such as putting third-party content into an application without verifying the provider of that content. "You have to be careful with the way your server side is set up if you want to have a secure, browser-based deployment, AJAX or otherwise," Ferraiolo said.

Like others, he says Fortify's finding won't have a chilling affect on AJAX development. "There's all this AJAX going on right now," Ferraiolo said. "This is not a show-stopper."