Digg this story   Add to del.icio.us  
Developers warned to secure AJAX design
Robert Lemos, SecurityFocus 2007-04-04

Security firm Fortify Software has stepped forward to warn Web site developers that most frameworks for deploying interactive functionality use JavaScript in a way that could lead to their applications leaking user data.

The problem, dubbed JavaScript hijacking by the firm, occurs because popular asynchronous JavaScript and XML (AJAX) toolkits use the scripting language as a transport mechanism without due consideration to security. The basic threat is that malicious Web sites could use cross-site request forgery (XSRF) to steal data from other AJAX-enabled Web applications, Fortify stated in a report released on Monday.

While the problem does not currently affect a large number of sites, AJAX use is on the rise, said Brian Chess, chief scientist for Fortify Software.

"We are trying to get the word out there to developers that they have at least one brand new security consideration that they didn't have before," said Chess, who co-authored the report. "Usually we security guys are coming along long after the fact. But this time, we have a chance to fix the problem before it really matters."

Over the last two years, JavaScript technology has increasingly been mined by security researchers for new ways to attack visitors to Web sites. In 2005, the Samy worm used AJAX to spread among MySpace users' accounts, adding the user "Samy" to people's friends lists. Last year, researchers warned that Web worms will increasingly become a problem as interactive technology--also called Web 2.0--continues to be adopted. The dangers were highlighted in the last few months as attackers have increasingly used Web site compromises to seed otherwise legitimate sites with JavaScript that redirects visitors to malicious sites.

While such attacks use JavaScript in well-understood ways, JavaScript hijacking is a totally new threat, Fortify's Chess said.

"This is a case where even educated developers didn't know it was a big deal because even the security community didn't know it was there," Chess said.

JavaScript hijacking takes advantage of the current trend in applications for communicating data through JavaScript structures. Web applications that use JavaScript Object Notation (JSON), for example, pass data using valid JavaScript statements. The attack would allow a malicious Web site to send requests for data to a target Web site through the user. Because of the vulnerability, the same-origin policy--which normally restricts JavaScript to acting on a page from the same domain as the script--can be defeated.

Web applications that bring together data from one or more outside sources and include a callback function are easy to hijack, according to Fortify's paper. Other applications built on frameworks such as Microsoft's ASP.NET Atlas, XAJAX and Google's Web Toolkit are also vulnerable to hijacking. A number of purely client-side libraries--such as Prototype and Script.aculo.us, and Dojo--also include the vulnerabilities, Fortify stated in the report.

Moreover, about a quarter of Web programmers have created custom frameworks that are likely vulnerable as well.

"It is all in the developer's hands," said Jeremiah Grossman, chief technology officer for WhiteHat Security, who demonstrated a JavaScript hijacking attack against Google's Gmail in late 2006. "There is no one else who can fix it."

A related issue affected online movie rental service Netflix last year.

Fortify suggested two fixes for the issue. Any defense that prevents cross-site request forgery (XSRF) attacks would also defeat JavaScript hijacking, the firm said. The best way to implement the defense would be to include a hard-to-discover token with every request, so that URLs are not easily guessable. Another way to fix the issue would be to have the client and server include extraneous code in the JavaScript request that have to first be removed, otherwise execution would be halted.

Fortify discussed the issue with the developers of the major AJAX frameworks and each plans to fix the issue in its next release. The company decided to publicize the issue in order to bring the security problem to the attention of the general developer community, since many are using homegrown frameworks.

"We had a choice to make," said Fortify's Chess. "In terms of disclosing details about a vulnerability, the right thing to do is to tell the developer about it and give them a chance to patch it.

"But the problem here is that we are talking about a vulnerability that is in so many different frameworks and there are so many people not using frameworks, that we want to give everyone a chance to fix it at once, and that meant announcing it," he said.

    Digg this story   Add to del.icio.us  
Comments Mode:


Privacy Statement
Copyright 2010, SecurityFocus