
Web 2.0 can be hijacked, claims Fortify

Security researchers claim AJAX has an Achilles' heel.

Many web applications written using the popular AJAX programming technique are vulnerable to a JavaScript hijacking attack, security company Fortify Software has claimed.

Fortify said that the "pervasive and critical vulnerability" is present in 11 of the 12 most popular AJAX frameworks, and therefore in many Web 2.0 applications. It allows an attacker to pose as the application's user and intercept data sent via JavaScript commands, by using the <script> tag to circumvent the 'same origin policy' imposed by web browsers.

"JavaScript Hijacking appears to be a ubiquitous problem," said Fortify. It claimed that only Direct Web Remoting (DWR) 2.0, a project which dynamically generates Java classes on the server from JavaScript, is immune to the attack, but said that fixes are available or feasible for other AJAX frameworks.

It added that even if apps do not use any of the vulnerable AJAX frameworks directly, they could be at risk if they contain AJAX components that use JavaScript as a data transfer method.

Fortify has prepared a Web 2.0 Security Advisory, which it said will help developers and businesses to understand and fix the problem. The company advocated "a two-pronged approach that allows applications to decline malicious requests, and prevents attackers from directly executing JavaScript the applications generate."

Several other security researchers have already demonstrated that the vulnerability is viable in specific instances, including Jeremiah Grossman, an independent security researcher and CTO of WhiteHat Security.

"New technology is bound to bring new vulnerabilities, so developers need to look carefully at their development process to ensure that they take security into account when they break new ground," Grossman said. "Developers and other individuals responsible for Web 2.0 deployments need to take this seriously and quickly resolve the issue for their services."
