Web 2.0, meet Internet attack 2.0

Ajax technology lets sophisticated software run in a Web browser. But it also means more JavaScript vulnerabilities, more complexity, and new attack possibilities.

SAN FRANCISCO--The glitzy, interactive abilities of Web 2.0 have led to a profusion of new applications, but the technology also is bringing a new era of security vulnerabilities, a security researcher warned Wednesday.

"Security was a challenge to begin with, but if anything it's getting harder in the Web 2.0 world," said Jacob West, manager of the security research group at Fortify, a company that helps companies make sure their software is secure. He made his comments during a talk at the Web 2.0 Expo in San Francisco here.

Jacob West, manager of the security research group at Fortify, says  Ajax technology means more vulnerabilities.
Jacob West, manager of the security research group at Fortify Stephen Shankland/CNET Networks

A big culprit is JavaScript, a language that's widely used to control Web browsers and enable more sophisticated operations. JavaScript has been around for more than a decade, but new risks are emerging since it's a major component of Ajax, a Web 2.0 technology used to build richly interactive sites.

"The number of unique problems from Ajax will remain pretty small," West said in an interview after his speech. But Ajax means that JavaScript is being used much more widely and in much more complicated ways, so existing vulnerabilities are more widespread, and "attack techniques are improving quickly."

He did describe one particular Ajax-specific problem called JavaScript hijacking. With it, a Web browser that picks up malicious JavaScript code from a Web site can be instructed, in effect, to send confidential information with an attacker.

"JavaScript hijacking is Ajax-specific," West said. It relies on the transmission of personal information packaged as JavaScript code, and "transmitting information with JavaScript I unique to Ajax code."

Another problem triggered by Ajax are that JavaScript is more complex and therefore harder to test. And more sophistication brings more opportunities for problems with "input validation"--making sure that text typed into forms, for example, isn't actually naughty code that could sidestep ordinary scrutiny and run on somebody's computer.

West was pessimistic that fundamental progress would help reduce vulnerabilities. Companies with browsers and Web sites are reluctant to embrace change that would break compatibility with older technology, for example.

"We're talking about fixes that are going to come in the 10-year time frame," he said.

But some are working to at least close up the holes. For example, programmers working on Direct Web Remoting (DWR) and the Google Web Toolkit (GWT) updated their Ajax programming toolkits to head JavaScript hijacking attacks off at the pass.

Other toolkit makers were not so responsive, though, he said: "Microsoft and Yahoo wrote back and said, 'Nope, we're not going to fix that.'"

About the author

Stephen Shankland has been a reporter at CNET since 1998 and covers browsers, Web development, digital photography and new technology. In the past he has been CNET's beat reporter for Google, Yahoo, Linux, open-source software, servers and supercomputers. He has a soft spot in his heart for standards groups and I/O interfaces.

 

Join the discussion

Conversation powered by Livefyre

Show Comments Hide Comments