Report warns of critical flaw in Web 2.0, AJAX

By Bill Brenner, Senior News Writer
03 Apr 2007 | SearchSecurity.com

Security Wire Daily News

Researchers like Billy Hoffman of Atlanta-based SPI Dynamics Inc. have warned for some time that digital outlaws have an easy target in applications based on Web 2.0 and Asynchronous JavaScript and XML (AJAX). At the recent Shmoocon hacker conference, Hoffman demonstrated how JavaScript-rich programs can be compromised with a tool he created called Jikto.

Now, amid reports that Jikto's code has been leaked onto the Internet, Palo Alto, Calif.-based Fortify Software Inc. has released a new report describing a major flaw in Web 2.0 and AJAX software.

The technology is susceptible to JavaScript hijacking, in which an attacker's Web page loads the application's JavaScript-formatted responses through a <script> tag. The victim's browser attaches the victim's session cookies to that request, so the attacker's page receives the authenticated user's data and can read it, in effect emulating the unsuspecting user, Fortify said.

Researchers analyzed the 12 most popular AJAX frameworks -- including programs from Google, Microsoft, Yahoo! and the open source community -- and found that among them, only Direct Web Remoting (DWR) 2.0 takes steps to prevent JavaScript hijacking.

"The rest of the frameworks do not explicitly provide any protection and do not mention any security concerns in their documentation," Fortify said in its report. "Even if an application does not use any of the frameworks listed above, it may be vulnerable if it contains AJAX components that use JavaScript as a data transfer format for sensitive data."

Brian Chess, Fortify's co-founder and chief scientist, said that with recent surveys indicating that almost 75% of enterprises plan to increase their investment in Web 2.0 technologies, it is clear that the information security community must address the issue now.

"Unlike vulnerabilities that are tied to a specific application or operating system, there is no single vendor to which this issue can be reported and resolved," Chess said in a statement. "In fact, many rich Web applications don't use any framework at all. As a result, we need to educate software developers about the risk that Web 2.0 brings."

Though Web 2.0 functionality is already incorporated into social networking sites like MySpace, the corporate world has a growing appetite for frameworks that facilitate quick access to information, improve application performance and encourage collaboration, Chess said. According to a March 2007 McKinsey survey, he noted, the industries most likely to adopt Web 2.0 technologies are retail, high tech, telecommunications, finance and pharmaceuticals.

JavaScript hijacking lets an attacker pose as the user accessing the Web 2.0 application, the Fortify report said, adding, "Once the attacker successfully emulates the victim, they can read sensitive data transmitted between the application and the browser that uses JavaScript as a transport mechanism. These attackers can then buy and sell goods, trade stocks, adjust security settings for an enterprise network or access and manipulate customer, inventory and financial information."

To alleviate the threat, Fortify recommends that Web 2.0 applications include a hard-to-guess parameter in each request that returns sensitive data as JavaScript, so that requests which lack it, such as those triggered by a <script> tag on an attacker's page, can be declined. Applications can also prevent direct execution of the response by framing it so that it does nothing when run as a script; the legitimate client, which reads the raw response text before interpreting it, strips the framing, whereas a <script> tag cannot.

Fortify's research was released amid reports that Hoffman's Jikto tool had been snatched up by other researchers and leaked onto the Internet.

Jikto works by exploiting an XSS flaw on a given Web site and then silently loading itself into the browser of any user who visits the affected page. It can then operate in one of two modes. In one mode, Jikto crawls a specific Web site in much the same way a Web application scanner would, looking for common vulnerabilities such as XSS or SQL injection, and reports the results to whatever machine is controlling it. In the other mode, Jikto calls home to the controlling PC, reports that it is running on a new machine, and awaits further instructions from the controller.

Jikto's master controller has the ability to keep track of which infected machines are online and active at any given time, enabling an attacker to wait until a PC is idle before sending instructions to a bot. This could help the attacker avoid alerting the user of the infected machine to Jikto's presence. All of this is done in pure JavaScript and, Hoffman said, helped along by the huge explosion in the number of AJAX-based applications on the Web in the last year or so. AJAX gives users -- and attackers -- direct access to the APIs in a Web application, which can be quite useful if you're trying to send malicious commands to back-end applications.

According to published reports, a Shmoocon attendee downloaded a copy of the code during Hoffman's presentation and posted it on his Web site. The attendee removed it at Hoffman's request, but not before others made their own copies. The code is now available on the Internet, leaving some security experts worried that the bad guys could start making use of it.

SearchSecurity.com Executive Editor Dennis Fisher contributed to this report.
