JavaScript hijacking - Web 2.0 vulnerability

Security researchers have found a new form of attack through the Web that targets only the popular Ajax applications in the Web 2.0 trend.

Foritfy Software, the company has found a new vulnerability called "JavaScript hijacking" that most Ajax toolkits have this error.

' JavaScript hijacking allows unauthorized attackers to read sensitive data from faulty applications using a method similar to the one used to create mashups (a form of web application that combines at least two). services from different Web sites) '- Chess wrote in a guide (whitepaper) published.

Everyone thinks that the development of the Ajax Web programming model can only increase existing security bugs. Very few people think it is possible to cause a new security error, said Brian Chess, Fortify's "chief architect."

The method of designing Ajax web applications uses the method of data transfer in the background of each page, there is no need to refresh the entire page that the user is interacting with. This gives users the feeling that Web applications are like desktop applications. Gmail is one of those Web applications.

By exploiting JavaScript hijacking vulnerabilities, an attacker can retrieve messages from the victim's Gmail inbox or can access data transmitted via the Ajax application.

Although Ajax stands for 'Asynchronous JavaScript and XML' (asynchronous JavaScript and XML), it is not necessary to use XML to convey. You can use HTML, unformatted text (plaintext) or JavaScript.

According to Chess, the problem lies here. When the application uses JavaScript data format (abbreviated as JSON) instead of XML to transfer data between the browser and the Web server, it will be processed by the browser in a different way than usual.

Browsers use rules to restrict where the HTML data sent by the domain is called the "same origin policy", but this rule is ignored when the data is in JavaScript format.

A website is fully capable of running JavaScript data that is located on another domain. This is the technique used on Google Adsense applications or Google Maps.

Fortify now asserts that an attacker can exploit this vulnerability to log into Ajax applications, impersonating the victims and receiving the data that the application provides normally in the form of JSON.

An example of an attack, a victim who has authenticated into the Ajax application will have a login cookie on his browser, then the victim is tricked into accessing the attacker's website. This site contains JavaScript snippets that make calls to the Ajax application. Data received from the application will be sent to the attacker.

If the Ajax application is a Webmail service, the attacker can get the contents of the inbox or address book. Indeed, Fortify's research was based on the previous findings of Jeremiah Grossman about the same error in the Gmail application last year.

According to Fortify, there are 11 of the 12 frameworks they have tested that are unable to withstand such attacks. However, the company did not test on active applications.

The faulty platforms include: Microsoft ASP.NET AJAX (also called Atlas), XAJAX and Google Web Toolkit, Prototype, Script.aculo.us, Dojo, Moo.fx, jQuery, Yahoo! UI, Rico, and MochiKit.

According to Chess, these providers have been notified and they will fix bugs in libraries that are about to be released. Whitepaper pages are being released to help coders who have written Ajax objects can build more similar support.

Because Ajax is in its infancy, this is not a big problem like the buffer overflow when it was first discovered, Chess said. Not many large Ajax applications need to fix bugs. So Fortify now wants to publicize its search results as widely as possible to eliminate this problem from the beginning.

Hoi Le