Feeds

New vulnerability strikes heart of Web 2.0

More worries for the beta software fraternity

Providing a secure and efficient Helpdesk

Whatever you think of "Web 2.0" (it's really not mandatory to release everything in permanent beta) you probably thought that this generic approach to mashups, Ajax and all that good stuff didn't change the usual coding "good practice" rules much.

Well, Brian Chess of Fortify Software says you're wrong. Although Web 2.0 style applications can be written securely, there's a temptation to handle all the data in JavaScript and that, he claims, can be seriously insecure.

Fortify calls this new vulnerability "JavaScript Hijacking" and it lets an attacker pose as an application user, with access to sensitive data transmitted between application and browser using JavaScript as the transport mechanism. This means the false users may be able to "buy and sell goods, trade stocks, adjust security settings for an enterprise network or access and manipulate customer, inventory and financial information", according to Fortify Software's press release.

The attack uses a <script> tag to get around the "Same Origin Policy" enforced by web browsers - traditional web applications aren't vulnerable as they don't use JavaScript for data transport.

Out of 12 popular Ajax frameworks analysed by Fortify – Direct Web Remoting (DWR); Microsoft ASP.NET Ajax (a.k.a. Atlas); xajax; Google Web Toolkit (GWT); Prototype; Script.aculo.us; Dojo; Moo.fx; jQuery; Yahoo! UI; Rico; and MochiKit – only DWR 2.0 implements mechanisms that control JavaScript Hijacking. The rest neither provide protection nor mention the possibility in their documentation.

Download Fortify's advisory on this issue here.

Obviously, this vulnerability needs to be accepted by the Web 2.0 community as a whole but Jeremiah Grossman, CTO of WhiteHat Security has already verified its reality in some circumstances.

"New technology often leads to new risks and opens unforeseen avenues of malicious attack," he says. "Once understood, developers need to ensure the necessary safeguards are in place when they break new ground. Those responsible for the security of Web 2.0 deployments need to take this issue seriously and implement the steps necessary to resolve the issue before the risk results in an incident."

The solution to this issue really lies in the frameworks and any sample code they ship. It's not enough to make sure that your framework can be made secure; any code examples you provide must exemplify this "good practice" where appropriate. Luckily, Chess finds that most frameworks providers are receptive to this view and will address the problem in their next release (as will Fortify, in the next release of its security analysis tools); although a few people still adhere to the rather old-fashioned "not our problem if people are stupid" view.

However, probably many Web 2.0 programmers don't use the frameworks and perhaps leave the "x" off Ajax and handle all their data in JavaScript. These people really need to check their code for this vulnerability and fix it.

Or, perhaps, do something different. According to Chess, JavaScript security has been a bit of a disaster since its inception, probably because it has been pushed well beyond what it was originally intended for. Adobe's Flash is much better architected for security (not perfect, but better), he says, and perhaps that makes it a better basis for Web 2.0 style programming. ®

Internet Security Threat Report 2014

More from The Register

next story
UNIX greybeards threaten Debian fork over systemd plan
'Veteran Unix Admins' fear desktop emphasis is betraying open source
Netscape Navigator - the browser that started it all - turns 20
It was 20 years ago today, Marc Andreeesen taught the band to play
Redmond top man Satya Nadella: 'Microsoft LOVES Linux'
Open-source 'love' fairly runneth over at cloud event
Google+ goes TITSUP. But WHO knew? How long? Anyone ... Hello ...
Wobbly Gmail, Contacts, Calendar on the other hand ...
Chrome 38's new HTML tag support makes fatties FIT and SKINNIER
First browser to protect networks' bandwith using official spec
Admins! Never mind POODLE, there're NEW OpenSSL bugs to splat
Four new patches for open-source crypto libraries
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.