Scrub Your Ajax Applications to Remove Security Problems

Asynchronous JavaScript and XML (commonly referred to as Ajax) is growing in use on Web sites all across the Internet. While Ajax can be used to create a much more functional interface for Web users, it does pose problems, some of which are now being brought more directly into light.

Ajax helps create an environment where a Web-based application operates more like desktop applications. The technology let applications fetch new content without having to redraw an entire Web page. Ajax is typically considered to be part of the "Web 2.0" technology push.

Fortify Software recently released an advisory that discusses what it calls "a new class of vulnerability: JavaScript Hijacking." A spokesperson for the company said, "The reason we're talking about it is to try to raise awareness among the Ajax development community." The company released a FAQ and a detailed analysis of their findings, which they hope will improve development of Ajax-based applications before poor coding practices cause the vulnerability to become widespread.

According to Fortify's analysis, "[the vulnerability] allows an unauthorized party to read confidential data contained in JavaScript messages. The attack works by using [an HTML 'script' tag] to circumvent the Same Origin Policy enforced by Web browsers. Traditional Web applications are not vulnerable because they do not use JavaScript as a data transport mechanism."

The papers goes on to say that Fortify looked at 12 popular Ajax frameworks, including Direct Web Remoting (DWR), Microsoft Atlas for ASP.NET, xajax, Google Web Toolkit, Prototype, Script.aculo.us, Dojo, Moo.fx, jQuery, Yahoo! UI, Rico, and MochiKit. Fortify said that of the 12 frameworks, only DWR 2.0 helps prevent JavaScript hijacking. In the paper, Fortify makes recommendations that developers can use to defend against attacks.

"[Recent surveys indicate] that almost 75 percent of enterprises plan on increasing their investment in Web 2.0 technologies, it is clear that we need to address the issue now," said Brian Chess, co-founder and chief scientist at Fortify. "Unlike vulnerabilities that are tied to a specific application or operating system, there is no single vendor to which this issue can be reported and resolved. In fact, many rich Web applications don't use any framework at all. As a result, we need to educate software developers about the risk that Web 2.0 brings."

Fortify's research is based in part on the work of Jeremiah Grossman, who is CTO at Whitehat Security, and Joe Walker, creator of the DWR framework.

"New technology often leads to new risks and opens unforeseen avenues of malicious attack. Once understood, developers need to ensure the necessary safeguards are in place when they break new ground," said Grossman. "Those responsible for the security of Web 2.0 deployments need to take this issue seriously and implement the steps necessary to resolve the issue before the risk results in [security incidents]."