Feeds

New vulnerability strikes heart of Web 2.0

More worries for the beta software fraternity

Top 5 reasons to deploy VMware with Tegile

Whatever you think of "Web 2.0" (it's really not mandatory to release everything in permanent beta) you probably thought that this generic approach to mashups, Ajax and all that good stuff didn't change the usual coding "good practice" rules much.

Well, Brian Chess of Fortify Software says you're wrong. Although Web 2.0 style applications can be written securely, there's a temptation to handle all the data in JavaScript and that, he claims, can be seriously insecure.

Fortify calls this new vulnerability "JavaScript Hijacking" and it lets an attacker pose as an application user, with access to sensitive data transmitted between application and browser using JavaScript as the transport mechanism. This means the false users may be able to "buy and sell goods, trade stocks, adjust security settings for an enterprise network or access and manipulate customer, inventory and financial information", according to Fortify Software's press release.

The attack uses a <script> tag to get around the "Same Origin Policy" enforced by web browsers - traditional web applications aren't vulnerable as they don't use JavaScript for data transport.

Out of 12 popular Ajax frameworks analysed by Fortify – Direct Web Remoting (DWR); Microsoft ASP.NET Ajax (a.k.a. Atlas); xajax; Google Web Toolkit (GWT); Prototype; Script.aculo.us; Dojo; Moo.fx; jQuery; Yahoo! UI; Rico; and MochiKit – only DWR 2.0 implements mechanisms that control JavaScript Hijacking. The rest neither provide protection nor mention the possibility in their documentation.

Download Fortify's advisory on this issue here.

Obviously, this vulnerability needs to be accepted by the Web 2.0 community as a whole but Jeremiah Grossman, CTO of WhiteHat Security has already verified its reality in some circumstances.

"New technology often leads to new risks and opens unforeseen avenues of malicious attack," he says. "Once understood, developers need to ensure the necessary safeguards are in place when they break new ground. Those responsible for the security of Web 2.0 deployments need to take this issue seriously and implement the steps necessary to resolve the issue before the risk results in an incident."

The solution to this issue really lies in the frameworks and any sample code they ship. It's not enough to make sure that your framework can be made secure; any code examples you provide must exemplify this "good practice" where appropriate. Luckily, Chess finds that most frameworks providers are receptive to this view and will address the problem in their next release (as will Fortify, in the next release of its security analysis tools); although a few people still adhere to the rather old-fashioned "not our problem if people are stupid" view.

However, probably many Web 2.0 programmers don't use the frameworks and perhaps leave the "x" off Ajax and handle all their data in JavaScript. These people really need to check their code for this vulnerability and fix it.

Or, perhaps, do something different. According to Chess, JavaScript security has been a bit of a disaster since its inception, probably because it has been pushed well beyond what it was originally intended for. Adobe's Flash is much better architected for security (not perfect, but better), he says, and perhaps that makes it a better basis for Web 2.0 style programming. ®

Providing a secure and efficient Helpdesk

More from The Register

next story
Preview redux: Microsoft ships new Windows 10 build with 7,000 changes
Latest bleeding-edge bits borrow Action Center from Windows Phone
Google opens Inbox – email for people too thick to handle email
Print this article out and give it to someone tech-y if you get stuck
Microsoft promises Windows 10 will mean two-factor auth for all
Sneak peek at security features Redmond's baking into new OS
UNIX greybeards threaten Debian fork over systemd plan
'Veteran Unix Admins' fear desktop emphasis is betraying open source
Google+ goes TITSUP. But WHO knew? How long? Anyone ... Hello ...
Wobbly Gmail, Contacts, Calendar on the other hand ...
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
Redmond top man Satya Nadella: 'Microsoft LOVES Linux'
Open-source 'love' fairly runneth over at cloud event
prev story

Whitepapers

Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.