AJAX apps subject to JavaScript hijacking


Security vendor Fortify Monday said it has identified a JavaScript-related vulnerability that lets an attacker hijack a Mozilla or Microsoft Internet Explorer Web browser session.

The vulnerability, which Fortify calls “JavaScript hijacking,” can be exploited in Web. 2.0 applications that make use of Asynchronous JavaScript + XML (AJAX) technologies and have been built with a number of development frameworks such as Google Web Toolkit (GWT), Microsoft Atlas and open source tools including Prototype.

Fortify released the specific attack code that shows how this can be done in Mozilla, along with advice to programmers on how to correct the vulnerability, which the security vendor believes is pervasive in AJAX-built server applications.

Brian Chess, Fortify’s chief scientist, says Fortify has identified JavaScript hijacking attack code to exploit the Microsoft browser as well, but is refraining from currently making that publicly available. “We figured out how this attack is possible and we need to educate software developers on it,” Chess says.

JavaScript hijacking can be carried out “if a victim is tricked into going to a Web site of a bad guy, and this site can start loading JavaScript from the bad guy,” Chess says. The end effect is that the bad guy takes over the browser using JavaScript as the data transfer format and poses as the victim. “This is a new class of vulnerability and a pervasive problem for almost everyone who’s built rich AJAX applications,” he says. Fortify says it built AJAX-based applications in its lab to research the hijacking vulnerability and found those applications built with the toolkits Prototype, Script.aculo.us, Dojo, Moo.fx, jQuery, Yahoo.UI, Microsoft Atlas, MochiKit, Xajax, and GWT are subject to JavaScript hijacking. “There may be more,” Chess says.

The only toolkit that Fortify found that prevented JavaScript hijacking is Direct Web Remoting 2.0 (although the earlier version, DWR 1.1.4, did not). “When DWR took precautions to prevent what’s called ‘cross-site request forgery,’ they also corrected for the JavaScript problem,” Chess says.

The specific technical reason that JavaScript hijacking works is because of what Chess calls a “loophole” in the AJAX “Same Origin Policy” that excludes JavaScript. Chess says Fortify’s research builds on that done by Jeremiah Grossman, CTO at White Hat Security.

Fortify recommends all programs that communicate using JavaScript take a number of defensive measures, which include using a “hard-to-guess identifier, such as the session identifier, as part of each request that will return JavaScript. This defeats cross-site request forgery attacks by allowing the server to validate the origin of the request.”


Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now