SecurityFocus 2007-04-04
While the problem does not currently affect a large number of sites, AJAX use is on the rise, said Brian Chess, chief scientist for Fortify Software.
"We are trying to get the word out there to developers that they have at least one brand new security consideration that they didn't have before," said Chess, who co-authored the report. "Usually we security guys are coming along long after the fact. But this time, we have a chance to fix the problem before it really matters."
"This is a case where even educated developers didn't know it was a big deal because even the security community didn't know it was there," Chess said.
Web applications that bring together data from one or more outside sources and return it as JavaScript wrapped in a callback function are easy to hijack, according to Fortify's paper: a malicious page can load such a response with a script tag, and the victim's browser sends the session cookies along with the request. Applications built on frameworks such as Microsoft's ASP.NET Atlas, XAJAX and Google's Web Toolkit are also vulnerable to hijacking. A number of purely client-side libraries--such as Prototype, Script.aculo.us and Dojo--also include the vulnerabilities, Fortify stated in the report.
Moreover, about a quarter of Web programmers have created custom frameworks that are likely vulnerable as well.
A related issue affected online movie rental service Netflix last year.
Fortify discussed the issue with the developers of the major AJAX frameworks and each plans to fix the issue in its next release. The company decided to publicize the issue in order to bring the security problem to the attention of the general developer community, since many are using homegrown frameworks.
"We had a choice to make," said Fortify's Chess. "In terms of disclosing details about a vulnerability, the right thing to do is to tell the developer about it and give them a chance to patch it.
"But the problem here is that we are talking about a vulnerability that is in so many different frameworks and there are so many people not using frameworks, that we want to give everyone a chance to fix it at once, and that meant announcing it," he said.