Fortify identifies JavaScript vulnerability in AJAX apps

JavaScript exploit lets an attacker hijack a Web browser session.
By Ellen Messmer , Network World , 04/02/2007

Security vendor Fortify today said it has identified a JavaScript-related vulnerability that lets an attacker hijack a Mozilla or Microsoft Internet Explorer Web browser session.

The vulnerability, which Fortify calls “JavaScript hijacking,” can be exploited in Web 2.0 applications that make use of Asynchronous JavaScript + XML (AJAX) techniques and have been built with any of a number of development frameworks, such as Google Web Toolkit (GWT), Microsoft Atlas and open source toolkits including Prototype.

Fortify released the specific attack code that shows how this can be done in Mozilla, along with advice to programmers on how to correct the vulnerability, which the security vendor believes is pervasive in AJAX-built server applications.

Brian Chess, Fortify’s chief scientist, says Fortify has identified JavaScript hijacking attack code to exploit the Microsoft browser as well, but is refraining from currently making that publicly available. “We figured out how this attack is possible and we need to educate software developers on it,” Chess says.

JavaScript hijacking can be carried out “if a victim is tricked into going to a Web site of a bad guy, and this site can start loading JavaScript from the bad guy,” Chess says. The end effect, for applications that use JavaScript (typically JSON) as their data transfer format, is that the attacker’s page can read the data the application returns for the logged-in victim, in effect posing as the victim. “This is a new class of vulnerability and a pervasive problem for almost everyone who’s built rich AJAX applications,” he says.

Fortify says it built AJAX-based applications in its lab to research the hijacking vulnerability and found those applications built with the toolkits Prototype, Script.aculo.us, Dojo, Moo.fx, jQuery, Yahoo.UI, Microsoft Atlas, MochiKit, Xajax, and GWT are subject to JavaScript hijacking. “There may be more,” Chess says.

The only toolkit that Fortify found that prevented JavaScript hijacking is Direct Web Remoting 2.0 (although the earlier version, DWR 1.1.4, did not). “When DWR took precautions to prevent what’s called ‘cross-site request forgery,’ they also corrected for the JavaScript problem,” Chess says.

The specific technical reason JavaScript hijacking works is what Chess calls a “loophole” in the browser’s Same Origin Policy: the policy stops a page from reading another origin’s responses through XMLHttpRequest, but a script tag may load JavaScript from any origin and run it inside the including page, and the browser attaches the user’s cookies for that origin to the request. When an application’s data responses are themselves valid JavaScript, that exemption lets an attacker’s page fetch and read them. Chess says Fortify’s research builds on that done by Jeremiah Grossman, CTO at White Hat Security.
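The mechanism described above, and the cross-site-request-forgery precaution the article credits DWR 2.0 with, as an added example that is not Fortify’s or Network World’s code. It models a vulnerable endpoint, a hardened one, the attacker’s script include and a legitimate same-origin client; the endpoint, cookie and header names are assumptions made for this example, and SECRET and victimCookies are constructed data.

```javascript
// Added example, not code from Fortify or Network World: a self-contained
// model of the "JavaScript hijacking" attack surface described in the
// article and of the fixes it alludes to (a CSRF-style check, as DWR 2.0
// added, and a response that is not executable as JavaScript). Endpoint,
// cookie and header names are assumptions made for this example; SECRET and
// victimCookies are constructed data.

const SECRET = [{ email: 'alice@example.com', balance: 1234 }];

// Vulnerable: any GET carrying the session cookie gets bare JSON back. A JSON
// array is also a valid JavaScript program, so <script src="...this URL...">
// on an attacker's page fetches and executes it with the victim's cookies.
function vulnerableEndpoint(req) {
  if (req.cookies.session !== 'abc') return { status: 401, body: '' };
  return { status: 200, body: JSON.stringify(SECRET) };
}

// Hardened, two layers:
// 1. require POST plus a header whose value must equal a cookie only
//    same-origin script can read (a <script> tag issues a GET with no
//    custom headers, and the attacker's page cannot read another origin's
//    cookies); this is the CSRF precaution the article credits DWR 2.0 with.
// 2. prefix the body with text that is a syntax error as JavaScript, so a
//    response that does reach a script include cannot run.
const GUARD = ")]}',\n";
function hardenedEndpoint(req) {
  if (req.cookies.session !== 'abc') return { status: 401, body: '' };
  const token = req.headers['x-csrf-token'];
  if (req.method !== 'POST' || !token || token !== req.cookies.csrf) {
    return { status: 403, body: '' };
  }
  return { status: 200, body: GUARD + JSON.stringify(SECRET) };
}

// What a <script src> include does with a response: run it as a whole
// program in the including page. The 2007-era trick was to redefine Array
// (or install Object setters) so that building the literal handed its
// contents to the attacker; current engines do not call the constructor for
// literals, so the completion value of an indirect eval stands in for that
// hook here. A thrown SyntaxError means the include yielded nothing.
function runAsScript(body) {
  try {
    return { ok: true, value: (0, eval)(body) };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}

// Attacker's page: a cross-origin script include carrying the victim's
// cookies, with no way to choose the method or add a header.
function scriptIncludeAttack(endpoint, victimCookies) {
  const res = endpoint({ method: 'GET', headers: {}, cookies: victimCookies });
  if (res.status !== 200) return { stolen: null, reason: `HTTP ${res.status}` };
  const run = runAsScript(res.body);
  return run.ok ? { stolen: run.value, reason: 'executed as script' }
                : { stolen: null, reason: run.error };
}

// Legitimate same-origin client: XMLHttpRequest can POST, set the header,
// read its own origin's csrf cookie, and strip the guard before JSON.parse.
function legitimateClient(endpoint, cookies) {
  const res = endpoint({
    method: 'POST',
    headers: { 'x-csrf-token': cookies.csrf },
    cookies,
  });
  if (res.status !== 200) return null;
  const body = res.body.startsWith(GUARD) ? res.body.slice(GUARD.length) : res.body;
  return JSON.parse(body);
}

const victimCookies = { session: 'abc', csrf: 'tok-123' };
console.log(scriptIncludeAttack(vulnerableEndpoint, victimCookies)); // data leaks
console.log(scriptIncludeAttack(hardenedEndpoint, victimCookies));   // HTTP 403
console.log(runAsScript(GUARD + JSON.stringify(SECRET)));            // SyntaxError
console.log(legitimateClient(hardenedEndpoint, victimCookies));      // parsed data
```

Two practical notes. A bare top-level JSON object (`{"a":1}`) is parsed as a block statement and fails with a syntax error, so the exposed responses are arrays and anything else that happens to be a runnable program; wrapping data in an object is not a defence on its own, since frameworks often return arrays or script fragments. The guard used here is a deliberate syntax error; the other common choice, a `while(1);` prefix, works the same way but hangs the including page instead of throwing, which is why it is avoided in this runnable example.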


Comments (2)

Moo.Fx
By webguy on July 22, 2007, 5:51 pm
Moo.Fx, last time I checked, supports asynchronous calls, just like prototype and jquery.

Re: Fortify identifies JavaScript vulnerability in AJAX apps
By Anonymous on April 3, 2007, 5:33 pm
How can Moo.Fx, a graphical effects library that does not even have an AJAX component, be vulnerable to an AJAX vulnerability? D'oh.