JavaScript Journal

Subscribe to JavaScript Journal: eMailAlertsEmail Alerts newslettersWeekly Newsletters
Get JavaScript Journal: homepageHomepage mobileMobile rssRSS facebookFacebook twitterTwitter linkedinLinkedIn

JavaScript Authors: Sematext Blog, Klaus Enzenhofer, Mehdi Daoudi, Yakov Fain, AppDynamics Blog

Related Topics: RIA Developer's Journal, Enterprise Mashups, JavaScript

RIA & Ajax: Article

JavaScript Hijacking: Only 1 Out 12 Popular AJAX Frameworks Prevents It

The first class of vulnerability specific to rich Web apps

Although the term "Web 2.0" does not have a rigorous definition, it is commonly used in at least two ways. First, it refers to Web applications that encourage social interaction or collective contribution for a common good. Second, it refers to Web programming techniques that lead to a rich and user-friendly interface. These techniques sometimes go by the name Asynchronous JavaScript and XML (AJAX), though many implementations don't use XML at all. In some cases, the social and technical aspects of Web 2.0 come together in the form of mashups: Web applications that are built by assembling pieces from multiple independent Web applications.

This article describes a vulnerability we call JavaScript Hijacking. It's an attack against the data transport mechanism used by many rich Web applications. JavaScript Hijacking allows an unauthorized attacker to read confidential data from a vulnerable application using a technique similar to the one commonly used to create mashups. The vulnerability is already being discussed in some circles, but most Web programmers are unaware that the problem exists, and even fewer security teams understand how widespread it is.

Traditional Web applications are not vulnerable to JavaScript Hijacking because they don't use JavaScript as a data transport mechanism. To our knowledge, this is the first class of vulnerability that is specific to rich Web applications. In essence, JavaScript Hijacking is possible because the security model implemented by all popular Web browsers doesn't anticipate the use of JavaScript for communicating confidential information.

JavaScript Hijacking builds on another type of widespread vulnerability: cross-site request forgery. A cross-site request forgery attack causes a victim to unwittingly submit one or more HTTP requests to a vulnerable Web site. A typical cross-site request forgery attack compromises data integrity - it gives an attacker the ability to modify information stored by a vulnerable Web site. JavaScript Hijacking is more dangerous because it also compromises confidentiality - an attacker can read a victim's information.

Vulnerable Web sites have already been found in the wild. One of the first people to demonstrate JavaScript Hijacking was Jeremiah Grossman, who identified a vulnerability in Google Gmail. (Google has fixed the problem.) Google was serving Gmail users' contacts in unprotected JavaScript, so an attacker could steal the contact list using JavaScript Hijacking.

During the course of our work, we examined 12 popular AJAX frameworks, including four server-integrated toolkits and eight purely client-side libraries. We found that only one of the 12 took measures to prevent JavaScript Hijacking. Preventing JavaScript Hijacking requires a secure server-side implementation, but it is incumbent upon the client-side libraries to promote good security practices. Currently, some of the client-side libraries go so far as to require the server side to contain a JavaScript Hijacking vulnerability.

More Stories By Yekaterina Tsipenyuk O'Neil

Yekaterina Tsipenyuk O'Neil is the founding member of the Security Research Group at Fortify Software. She is responsible for performing code audits, identifying and analyzing insecure coding patterns, providing security content for Fortify's software security products, and researching ways to improve the quality of the tools. Yekaterina has a B.S. and an M.S. in computer science from the University of California, San Diego. Her thesis work focused on mobile agent security.

More Stories By Brian Chess

Brian Chess is a founder of Fortify Software and serves as Fortify's chief scientist, where his work focuses on practical methods for creating secure systems. His book, Secure Programming with Static Analysis, shows how static source code analysis is an indispensable tool for getting security right. Brian holds a Ph.D. in computer engineering from the University of California at Santa Cruz. Before settling on security, Brian spent a decade in Silicon Valley working at huge companies and small startups. He has done research on a broad set of topics, ranging from integrated circuit design all the way to delivering software as a service.

More Stories By Jacob West

Jacob West manages Fortify Software’s Security Research Group, which is responsible for building security knowledge into Fortify's products. He brings expertise in numerous programming languages, frameworks and styles together with knowledge about how real-world systems can fail. In addition, he recently co-authored a book, "Secure Programming with Static Analysis," which was published in June 2007. Before joining Fortify, Jacob worked with Professor David Wagner, at the University of California at Berkeley, to develop MOPS (MOdel Checking Programs for Security properties), a static analysis tool used to discover security vulnerabilities in C programs. When he is away from the keyboard, Jacob spends time speaking at conferences and working with customers to advance their understanding of software security.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.