Feeds

New vulnerability strikes heart of Web 2.0

More worries for the beta software fraternity

Security for virtualized datacentres

Whatever you think of "Web 2.0" (it's really not mandatory to release everything in permanent beta) you probably thought that this generic approach to mashups, Ajax and all that good stuff didn't change the usual coding "good practice" rules much.

Well, Brian Chess of Fortify Software says you're wrong. Although Web 2.0 style applications can be written securely, there's a temptation to handle all the data in JavaScript and that, he claims, can be seriously insecure.

Fortify calls this new vulnerability "JavaScript Hijacking" and it lets an attacker pose as an application user, with access to sensitive data transmitted between application and browser using JavaScript as the transport mechanism. This means the false users may be able to "buy and sell goods, trade stocks, adjust security settings for an enterprise network or access and manipulate customer, inventory and financial information", according to Fortify Software's press release.

The attack uses a <script> tag to get around the "Same Origin Policy" enforced by web browsers - traditional web applications aren't vulnerable as they don't use JavaScript for data transport.

Out of 12 popular Ajax frameworks analysed by Fortify – Direct Web Remoting (DWR); Microsoft ASP.NET Ajax (a.k.a. Atlas); xajax; Google Web Toolkit (GWT); Prototype; Script.aculo.us; Dojo; Moo.fx; jQuery; Yahoo! UI; Rico; and MochiKit – only DWR 2.0 implements mechanisms that control JavaScript Hijacking. The rest neither provide protection nor mention the possibility in their documentation.

Download Fortify's advisory on this issue here.

Obviously, this vulnerability needs to be accepted by the Web 2.0 community as a whole but Jeremiah Grossman, CTO of WhiteHat Security has already verified its reality in some circumstances.

"New technology often leads to new risks and opens unforeseen avenues of malicious attack," he says. "Once understood, developers need to ensure the necessary safeguards are in place when they break new ground. Those responsible for the security of Web 2.0 deployments need to take this issue seriously and implement the steps necessary to resolve the issue before the risk results in an incident."

The solution to this issue really lies in the frameworks and any sample code they ship. It's not enough to make sure that your framework can be made secure; any code examples you provide must exemplify this "good practice" where appropriate. Luckily, Chess finds that most frameworks providers are receptive to this view and will address the problem in their next release (as will Fortify, in the next release of its security analysis tools); although a few people still adhere to the rather old-fashioned "not our problem if people are stupid" view.

However, probably many Web 2.0 programmers don't use the frameworks and perhaps leave the "x" off Ajax and handle all their data in JavaScript. These people really need to check their code for this vulnerability and fix it.

Or, perhaps, do something different. According to Chess, JavaScript security has been a bit of a disaster since its inception, probably because it has been pushed well beyond what it was originally intended for. Adobe's Flash is much better architected for security (not perfect, but better), he says, and perhaps that makes it a better basis for Web 2.0 style programming. ®

Intelligent flash storage arrays

More from The Register

next story
PEAK APPLE: iOS 8 is least popular Cupertino mobile OS in all of HUMAN HISTORY
'Nerd release' finally staggers past 50 per cent adoption
Microsoft to bake Skype into IE, without plugins
Redmond thinks the Object Real-Time Communications API for WebRTC is ready to roll
Microsoft promises Windows 10 will mean two-factor auth for all
Sneak peek at security features Redmond's baking into new OS
Mozilla: Spidermonkey ATE Apple's JavaScriptCore, THRASHED Google V8
Moz man claims the win on rivals' own benchmarks
Yes, Virginia, there IS a W3C HTML5 standard – as of now, that is
You asked for it! You begged for it! Then you gave up! And now it's HERE!
FTDI yanks chip-bricking driver from Windows Update, vows to fight on
Next driver to battle fake chips with 'non-invasive' methods
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
Ubuntu 14.10 tries pulling a Steve Ballmer on cloudy offerings
Oi, Windows, centOS and openSUSE – behave, we're all friends here
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
Managing SSL certificates with ease
The lack of operational efficiencies and compliance pitfalls associated with poor SSL certificate management, and how the right SSL certificate management tool can help.