SYS-CON.TV Webcasts
Jackbe: The Big A(architecture in AJAX)
Instantiations: Eclipse Rich Internet Platform with Taylor and Milinkovich
Yahoo!: Applying AJAX to Speed User's Journey
Enerjy Webcast: Java Code Quality Management
App Server Shoot-out: Microsoft, IBM, JBoss, Sun, BEA, and Oracle
Comments
By Roger Strukhoff
Richard Davies wrote: The UK has a good crop of technology pioneers in cloud computing - for example ElasticHosts, FlexiScale, Flexiant, OnApp - and also some strong government initiatives such as G-Cloud. We will have to see whether this kind of technical leadership converts into swift mass-market adoption or not.
Jan. 8, 2012 11:38 AM EST
Cloud Expo on Google News
Did you read today's front page stories & breaking news?

SYS-CON.TV: SOA Power Panel Live From Times Square

2008 West
DIAMOND SPONSOR:
Data Direct
SOA, WOA and Cloud Computing: The New Frontier for Data Services
PLATINUM SPONSORS:
Red Hat
The Opening of Virtualization
GOLD SPONSORS:
Appsense
User Environment Management – The Third Layer of the Desktop
Cordys
Cloud Computing for Business Agility
EMC
CMIS: A Multi-Vendor Proposal for a Service-Based Content Management Interoperability Standard
Freedom OSS
Practical SOA” Max Yankelevich
Intel
Architecting an Enterprise Service Router (ESR) – A Cost-Effective Way to Scale SOA Across the Enterprise
Sensedia
Return on Assests: Bringing Visibility to your SOA Strategy
Symantec
Managing Hybrid Endpoint Environments
VMWare
Game-Changing Technology for Enterprise Clouds and Applications
Click For 2008 West
Event Webcasts

2008 West
PLATINUM SPONSORS:
Appcelerator
Get ‘Rich’ Quick: Rapid Prototyping for RIA with ZERO Server Code
Keynote Systems
Designing for and Managing Performance in the New Frontier of Rich Internet Applications
GOLD SPONSORS:
ICEsoft
How Can AJAX Improve Homeland Security?
Isomorphic
Beyond Widgets: What a RIA Platform Should Offer
Oracle
REAs: Rich Enterprise Applications
Click For 2008 Event Webcasts
SYS-CON.TV
Top Links You Must Click On


AJAX & Security
JavaScript Hijacking: Only 1 Out 12 Popular AJAX Frameworks Prevents It
The first class of vulnerability specific to rich Web apps

By: Yekaterina Tsipenyuk O'Neil; Brian Chess; Jacob West
Nov. 14, 2008 05:40 AM

Although the term "Web 2.0" does not have a rigorous definition, it is commonly used in at least two ways. First, it refers to Web applications that encourage social interaction or collective contribution for a common good. Second, it refers to Web programming techniques that lead to a rich and user-friendly interface. These techniques sometimes go by the name Asynchronous JavaScript and XML (AJAX), though many implementations don't use XML at all. In some cases, the social and technical aspects of Web 2.0 come together in the form of mashups: Web applications that are built by assembling pieces from multiple independent Web applications.

This article describes a vulnerability we call JavaScript Hijacking. It's an attack against the data transport mechanism used by many rich Web applications. JavaScript Hijacking allows an unauthorized attacker to read confidential data from a vulnerable application using a technique similar to the one commonly used to create mashups. The vulnerability is already being discussed in some circles, but most Web programmers are unaware that the problem exists, and even fewer security teams understand how widespread it is.

Traditional Web applications are not vulnerable to JavaScript Hijacking because they don't use JavaScript as a data transport mechanism. To our knowledge, this is the first class of vulnerability that is specific to rich Web applications. In essence, JavaScript Hijacking is possible because the security model implemented by all popular Web browsers doesn't anticipate the use of JavaScript for communicating confidential information.

JavaScript Hijacking builds on another type of widespread vulnerability: cross-site request forgery. A cross-site request forgery attack causes a victim to unwittingly submit one or more HTTP requests to a vulnerable Web site. A typical cross-site request forgery attack compromises data integrity - it gives an attacker the ability to modify information stored by a vulnerable Web site. JavaScript Hijacking is more dangerous because it also compromises confidentiality - an attacker can read a victim's information.

Vulnerable Web sites have already been found in the wild. One of the first people to demonstrate JavaScript Hijacking was Jeremiah Grossman, who identified a vulnerability in Google Gmail. (Google has fixed the problem.) Google was serving Gmail users' contacts in unprotected JavaScript, so an attacker could steal the contact list using JavaScript Hijacking.

During the course of our work, we examined 12 popular AJAX frameworks, including four server-integrated toolkits and eight purely client-side libraries. We found that only one of the 12 took measures to prevent JavaScript Hijacking. Preventing JavaScript Hijacking requires a secure server-side implementation, but it is incumbent upon the client-side libraries to promote good security practices. Currently, some of the client-side libraries go so far as to require the server side to contain a JavaScript Hijacking vulnerability.

Published Nov. 14, 2008— Reads 7,415
Copyright © 2008 SYS-CON Media, Inc. — All Rights Reserved.
Syndicated stories and blog feeds, all rights reserved by the author.
About Yekaterina Tsipenyuk O'Neil
Yekaterina Tsipenyuk O'Neil is the founding member of the Security Research Group at Fortify Software. She is responsible for performing code audits, identifying and analyzing insecure coding patterns, providing security content for Fortify's software security products, and researching ways to improve the quality of the tools. Yekaterina has a B.S. and an M.S. in computer science from the University of California, San Diego. Her thesis work focused on mobile agent security.

About Brian Chess
Brian Chess is a founder of Fortify Software and serves as Fortify's chief scientist, where his work focuses on practical methods for creating secure systems. His book, Secure Programming with Static Analysis, shows how static source code analysis is an indispensable tool for getting security right. Brian holds a Ph.D. in computer engineering from the University of California at Santa Cruz. Before settling on security, Brian spent a decade in Silicon Valley working at huge companies and small startups. He has done research on a broad set of topics, ranging from integrated circuit design all the way to delivering software as a service.

About Jacob West
Jacob West manages Fortify Software’s Security Research Group, which is responsible for building security knowledge into Fortify's products. He brings expertise in numerous programming languages, frameworks and styles together with knowledge about how real-world systems can fail. In addition, he recently co-authored a book, "Secure Programming with Static Analysis," which was published in June 2007. Before joining Fortify, Jacob worked with Professor David Wagner, at the University of California at Berkeley, to develop MOPS (MOdel Checking Programs for Security properties), a static analysis tool used to discover security vulnerabilities in C programs. When he is away from the keyboard, Jacob spends time speaking at conferences and working with customers to advance their understanding of software security.

In order to post a comment you need to be registered and logged in.

Register | Sign-in

Reader Feedback: Page 1 of 1

Enterprise Open Source Magazine Latest Stories . . .
By Maureen O'Gara
Apache Deltacloud, the Red Hat-contributed ReSTful API that abstracts differences between clouds so services on any cloud can be managed – provided of course there’s a driver – has graduated from the Apache Foundation’s incubator and is now a full-fledged Top-Level Project (TLP). The...
By Jeremy Geelan
With Cloud Expo 2012 New York (10th Cloud Expo) just four months away, what better time to start introducing you in greater detail to the distinguished individuals in our incredible Speaker Faculty for the technical and strategy sessions at the conference... We have technical and st...
By Maureen O'Gara
AMD said late Tuesday that its chief sales officer Emilio Ghilardi had left the company and that CEO and president Rory Read is going to do his job while a replacement is sought. AMD didn’t say why Ghilardi left but it’s assumed Read wants his own people. Read is relatively new to th...
By Hovhannes Avoyan
During the lifespan of M3 (Monitis Monitor Manager) there has always been something lacking – timers. M3 execution procedure was outlined in this previous article. The execution mentioned in the latter was a one-time-execution, whereas server monitoring requires periodic invocati...
By Maureen O'Gara
Red Hat is putting its bought-in Gluster scale-out NAS storage technology, acquired in October, on the Amazon cloud. It’s styled Red Hat Virtual Storage Appliance for Amazon Web Services and other clouds are supposed to follow in short order.
By Ignacio M. Llorente
A new episode of the screencast series is now available at the OpenNebula YouTube Channel. This screencast demonstrates the new easily-customizable self-service portal for cloud consumers. Its aim is to offer a simplified access to shared infrastructure for non-IT end users. The scree...
MORE »
Subscribe to the World's Most Powerful Newsletters
Subscribe to Our Rss Feeds & Get Your SYS-CON News Live!
Click to Add our RSS Feeds to the Service of Your Choice:
Google Reader or Homepage Add to My Yahoo! Subscribe with Bloglines Subscribe in NewsGator Online
myFeedster Add to My AOL Subscribe in Rojo Add 'Hugg' to Newsburst from CNET News.com Kinja Digest View Additional SYS-CON Feeds
Publish Your Article! Please send it to editorial(at)sys-con.com!

Advertise on this site! Contact advertising(at)sys-con.com! 201 802-3021

SYS-CON Featured Whitepapers
Most Read This Week
By Jeremy Geelan
By Bob Hockman
By Brian McCallion
By Steven Yaskin
By Jeremy Geelan
By Jeremy Geelan
By Udayan Banerjee
By Jeremy Hess
By Udayan Banerjee
By Maureen O'Gara
By Liz McMillan
By Hollis Tibbetts
ADS BY GOOGLE