X

JavaScript can expose data on Web 2.0 sites

Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.
Joris Evers
2 min read

JavaScript can be used to grab data from improperly secured Web 2.0 applications, Fortify Software, a maker of source code audit tools, said in a paper published on Monday.

Fortify dubs the issue "JavaScript hijacking." The paper explains the topic in more detail, though to those who follow Web security this won't be anything new.

JavaScript plays a major role in the Web 2.0 boom, which is causing a splash as it stretches the boundaries of what Web sites can do. But malicious JavaScript, especially in combination with increasingly common Web site security flaws, could lead to insidious Web-based attacks.

In the case of JavaScript, hijacking malicious script code attacks the data transport mechanism used by many rich Web applications, which also uses JavaScript. As a result, an unauthorized attacker can read confidential data from a vulnerable application.

Jeremiah Grossman of Whitehat Security last year demonstrated such a flaw in Google's Gmail. An attacker could steal Gmail users' contacts because the information was transferred in unprotected JavaScript.

Fortify examined 12 popular Web programming tools and found that all but one could result in vulnerable applications. "Only DWR 2.0 implements mechanisms for preventing JavaScript hijacking. The rest of the frameworks do not explicitly provide any protection and do not mention any security concerns in their documentation," Fortify said.

The tools examined include four server-integrated toolkits, Direct Web Remoting (DWR), Microsoft ASP.Net Ajax (Atlas), Xajax and Google Web Toolkit (GWT), and eight client-side libraries: Prototype, Script.aculo.us, Dojo, Moo.fx, jQuery, Yahoo UI, Rico and MochiKit.

To prevent against JavaScript hijacking, Fortify recommends programming Web 2.0 applications so that malicious requests are declined by including a hard-to-guess parameter in every request. Also, direct execution of a JavaScript should be prevented by taking advantage of the capabilities of the legitimate client, according to Fortify.

A PDF version of Fortify paper is available for download.