Feeds

JavaScript hijacking - a new exploit, or not?

Have you heard it all before?

  • alert
  • submit to reddit

Secure remote control for conventional and virtual desktops

I've had an email comment on my JavaScript Hijacking piece to the effect that everyone knows that you do your input validation on the server and that data you send down in JavaScript or in HTML is unsafe - so this really isn't a new exploit.

Well, that first part is true enough, but I disagree with the second. However, Brian Chess is about to put up a JavaScript Hijacking FAQ in the Fortify Software site, so I thought (in the best journalistic tradition) I'd nick his comment on this point.

"While it is true that the client can see any messages the server sends, this is not the scenario where JavaScript Hijacking applies. JavaScript Hijacking involves a vulnerable website, a victim with a web browser, and a malicious website. The malicious website can use JavaScript hijacking to steal the victim's data from the vulnerable website. Web browsers prevent this in most cases, but the browser makers did not anticipate the use of JavaScript to communicate confidential data," he says.

I'll also note that Fortify's advisory, referenced in the original article, explains this new exploit in great detail and, I think, makes clear what is new about it. ®

Internet Security Threat Report 2014

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Internet Security Threat Report 2014
An overview and analysis of the year in global threat activity: identify, analyze, and provide commentary on emerging trends in the dynamic threat landscape.
Top 5 reasons to deploy VMware with Tegile
Data demand and the rise of virtualization is challenging IT teams to deliver storage performance, scalability and capacity that can keep up, while maximizing efficiency.