A new attack called JavaScript Hacking allows hackers to pretend to be a victimized user and request private information.

Sharon Gaudin, Contributor

April 4, 2007

4 Min Read

Widely popular Web sites using so-called Web 2.0 technology should take heed of a new attack aimed directly at them.

Security researchers at Fortify Software, a security company, have reported a new wave of Internet attacks targeting Web 2.0 sites and the Ajax applications that have helped make them so dynamic. Coined JavaScript Hacking, attackers go after vulnerabilities in major Ajax toolkits, allowing them to pretend to be victimized users and gain access to sensitive information.

"The vulnerability is widespread," said Brian Chess, chief scientist and a founder of Fortify, in an interview. "If this goes unfixed, then this will be the same kind of problem we've had with buffer overflow. We've known about that for 30 years and we still don't have a handle on it."

While the vulnerability is widespread, the attacks aren't yet, Chess said. But he's sure they're taking place and he's also sure the problem will escalate.

"Historically speaking, the good guys are the last to know," he said. "This would be a record if the good guys were talking about it before the bad guys. And I don't think that is happening here."

Craig Schmugar, a threat researcher at McAfee, said Web 2.0 sites are putting themselves at risk. "Web 2.0 is growing at such a fast rate that security on many of these sites isn't a priority," he said in an interview. "It all comes up when they have to decide between securing the site and supporting functionality." Securing the site, he added, doesn't always win out.

Applications built using Ajax, or Asynchronous JavaScript and XML, produce richer and more dynamic Web sites, like Google Maps, MySpace, Gmail, and the Netflix site. The sites do a lot of work behind the scenes so they are less about users filling out one form after another, and more about the application automatically giving the user the information he or she needs. The problem is that Web 2.0 sites are vulnerable in a way that Web 1.0 sites aren't.

"Today, programmers aren't using XML. They're only using JavaScript because it's easier to program with," said Chess. "Hackers are luring victims to visit malicious sites where JavaScript code is downloaded onto their computers. That code allows the hacker to impersonate the victim and request information, like banking records. With html, this wouldn't work because browsers build security around html. The browsers don't know how to build security around JavaScript."

JavaScript isn't at fault, said Chess. It's the way the browsers handle it, and nearly all of the Ajax toolkits are vulnerable, according to a report from Fortify.

Chess said his researchers analyzed the 12 most popular Ajax frameworks, including ones from Google, Microsoft, Yahoo, and the open source community. Researchers found that only Direct Web Remoting 2.0, which is an open source framework, builds security around JavaScript, protecting it from attack.

Chess estimates that 75% of Ajax applications are written using these frameworks and the other 25% are home brewed or simply coded from the ground up. The straight coding also is probably at risk since some programmers might not know they need to build in specific JavaScript security.

Johannes Ullrich, chief research officer at the SANS Institute and chief technology officer for the Internet Storm Center, said the user-based content on many of the Web 2.0 sites also is contributing to the risk factor. On sites like MySpace, hackers could even create their own page and embed malicious code, or they could become a trusted "friend" to someone else, add a comment on their page, and embed the malicious code in it, he explained in an interview.

Schmugar agreed with Ullrich that sites often are enabling user-based content at the expense of security. "It's doing things the Web site shouldn't be allowed to do," he said. "It's breaking out of the trusted relationship. MySpace is an extreme example because all of the content is user created. You end up with these valid sites with malicious pages in them. You could go to a site you visit all the time and be hit with this."

About the Author(s)

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights