Fortify identifies JavaScript vulnerability in AJAX apps
JavaScript exploit lets an attacker hijack a Web browser session.
By Ellen Messmer, Network World, 04/02/2007
Security vendor Fortify today said it has identified a JavaScript-related vulnerability that lets an attacker hijack a Mozilla or Microsoft Internet Explorer Web browser session.
The vulnerability, which Fortify calls “JavaScript hijacking,” can be exploited in Web 2.0 applications that make use of Asynchronous JavaScript + XML (AJAX) technologies and have been built with a number of development frameworks, such as Google Web Toolkit (GWT), Microsoft Atlas and open source tools including Prototype.
Fortify released the specific attack code that shows how this can be done in Mozilla, along with advice to programmers on how to correct the vulnerability, which the security vendor believes is pervasive in AJAX-built server applications.
Brian Chess, Fortify’s chief scientist, says Fortify has identified JavaScript hijacking attack code to exploit the Microsoft browser as well, but is refraining from currently making that publicly available. “We figured out how this attack is possible and we need to educate software developers on it,” Chess says.
JavaScript hijacking can be carried out “if a victim is tricked into going to a Web site of a bad guy, and this site can start loading JavaScript from the bad guy,” Chess says. The end effect is that the bad guy takes over the browser session, using JavaScript as the data transfer format, and poses as the victim. “This is a new class of vulnerability and a pervasive problem for almost everyone who’s built rich AJAX applications,” he says.
Fortify says it built AJAX-based applications in its lab to research the hijacking vulnerability and found that those applications built with the toolkits Prototype, Script.aculo.us, Dojo, Moo.fx, jQuery, Yahoo.UI, Microsoft Atlas, MochiKit, Xajax, and GWT are subject to JavaScript hijacking. “There may be more,” Chess says.
The only toolkit that Fortify found that prevented JavaScript hijacking is Direct Web Remoting 2.0 (although the earlier version, DWR 1.1.4, did not). “When DWR took precautions to prevent what’s called ‘cross-site request forgery,’ they also corrected for the JavaScript problem,” Chess says.
The specific technical reason that JavaScript hijacking works is what Chess calls a “loophole” in the AJAX “Same Origin Policy” that excludes JavaScript. Chess says Fortify’s research builds on that done by Jeremiah Grossman, CTO at WhiteHat Security.
Fortify recommends that all programs that communicate using JavaScript take a number of defensive measures, which include using a “hard-to-guess identifier, such as the session identifier, as part of each request that will return JavaScript. This defeats cross-site request forgery attacks by allowing the server to validate the origin of the request.”
Comments (2)
Re: Fortify identifies JavaScript vulnerability in AJAX apps
By Anonymous on April 3, 2007, 5:33 pm
How can Moo.Fx, a graphical effects library that does not even have an AJAX component, be vulnerable to an AJAX vulnerability? D'oh. Re: Fortify identifies JavaScript...
Moo.Fx
By webguy on July 22, 2007, 5:51 pm
Moo.Fx, last time I checked, supports asynchronous calls, just like Prototype and jQuery.