JavaScript hijacking is a technique that an attacker can use to masquerade as a valid user and read sensitive data from a vulnerable Web application, particularly one using Ajax (Asynchronous JavaScript and XML). Nearly all major Ajax applications have been found vulnerable.
JavaScript hijacking allows a hacker to gain access to data through a loophole: an interactive Web site on a given domain is permitted to run JavaScript hosted on a different domain. For example, in a Web-based e-mail application that uses Ajax, an attacker can log in as the legitimate user. All of the contents of the e-mail inbox and address book then become available to the hacker. In addition, the hacker may send bogus e-mail messages in the name of the victim.
Ajax is a method of building interactive Web applications by combining several programming tools, including JavaScript. JavaScript can cause a linked-to page to appear (or fail to appear) in a pop-up, hide the status bar, change text in the status bar, change text or graphics within a Web page, create new cookies, change existing cookies or read existing cookies. JavaScript code can be embedded in HTML and interpreted by the Web browser. Ajax is convenient because it allows the content on a Web page to update immediately when a user performs an action.
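The loophole described above is that a page on another domain can load a site's Ajax response as a script. As an added example (not part of the original definition, and not any vendor's code), the Node.js snippet below models a Web-mail inbox endpoint in a vulnerable form beside a hardened form: the hardened handler refuses requests that a cross-domain script tag can make (plain GET with no custom header) and prefixes the JSON body with an unparseable token so a script include cannot consume it. The request object, header name and inbox data are constructed assumptions for the demonstration.

```javascript
// Constructed sample data standing in for a victim's inbox.
const INBOX = { inbox: [{ from: 'alice@example.com', subject: 'Q3 numbers' }] };

// Unparseable prefix: loading the body as a script hangs on this statement
// instead of yielding the data; the real client strips it before parsing.
const PREFIX = 'while(1);';

// Vulnerable form: answers any GET with bare JSON, which a <script src=...>
// tag on another domain can load with the victim's cookies attached.
function handleInboxUnguarded(req) {
  return { status: 200, body: JSON.stringify(INBOX) };
}

// Hardened form. req is a constructed object: { method, headers }.
function handleInboxGuarded(req) {
  // A script tag can only issue a GET, so require POST for sensitive data.
  if (req.method !== 'POST') return { status: 405, body: '' };
  // A script tag cannot set custom headers; a real XMLHttpRequest can.
  if (req.headers['x-requested-with'] !== 'XMLHttpRequest') {
    return { status: 403, body: '' };
  }
  return { status: 200, body: PREFIX + JSON.stringify(INBOX) };
}

// Legitimate Ajax client: verify and strip the prefix, then parse.
function parseGuardedJson(body) {
  if (!body.startsWith(PREFIX)) throw new Error('unexpected response format');
  return JSON.parse(body.slice(PREFIX.length));
}

// Models what a cross-domain <script src> include looks like to the server:
// a GET carrying no custom headers.
function scriptTagRequest() {
  return { method: 'GET', headers: {} };
}

// Models the site's own Ajax call.
function legitimateAjaxRequest() {
  return { method: 'POST', headers: { 'x-requested-with': 'XMLHttpRequest' } };
}
```

Running `handleInboxUnguarded(scriptTagRequest())` returns the full inbox, while `handleInboxGuarded(scriptTagRequest())` returns 405 with an empty body and only the legitimate request gets data.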
Last updated: 28 Jun 2007