Fortify released a new paper on Javascript hijacking. The paper looks at 12 Ajax frameworks, including Google's GWT, Microsoft Atlas, Yahoo! UI, and a number of open source projects, to see which are vulnerable to Javascript hijacking, described as the attacker's ability to read confidential data in Javascript messages. The vulnerability testing uses JSON, which the authors state makes Javascript hijacking easier to exploit because JSON arrays are standalone Javascript statements. From the paper (emphasis added):
When the JSON array arrives on the client, it will be evaluated in the context of the malicious page. In order to witness the evaluation of the JSON, the malicious page has redefined the JavaScript function used to create new objects. In this way, the malicious code has inserted a hook that allows it to get access to the creation of each object and transmit the object's contents back to the malicious site. Other attacks might override the default constructor for arrays instead (Grossman’s GMail exploit took this approach.)
Applications that are built to be used in a mashup sometimes invoke a callback function at the end of each JavaScript message. The callback function is meant to be defined by another application in the mashup. A callback function makes a JavaScript Hijacking attack a trivial affair—all the attacker has to do is define the function. An application can be mashup-friendly or it can be secure, but it cannot be both.
If the user is not logged into the vulnerable site, the attacker can compensate by asking the user to log in and then displaying the legitimate login page for the application. This is not a phishing attack—the attacker does not gain access to the user's credentials—so anti-phishing countermeasures will not be able to defeat the attack.
More complex attacks could make a series of requests to the application by using JavaScript to dynamically generate script tags. This same technique is sometimes used to create application mashups. The only difference is that, in this mashup scenario, one of the applications involved is malicious.
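An added illustration of the mechanism the excerpt describes (my own example, not code from the Fortify paper or from this post; the data, endpoint body and callback name are made up): a bare or callback-wrapped JSON array is accepted and run as a script statement, while a response prefixed with bytes that are a JavaScript syntax error is not, and the same-origin client simply strips the prefix before parsing.

```javascript
// Added example; not code from the Fortify paper or this post.
// Models a <script src=...> include evaluating a response body, and a
// prefix-based hardening of that body. Data and callback name are constructed.

const secretData = [{ user: "alice", token: "example-session-token" }]; // constructed

// Body a vulnerable endpoint would send: a standalone JavaScript statement.
const bareBody = JSON.stringify(secretData);
// Mashup-style body: the server invokes a callback the including page defines.
const callbackBody = "handleUsers(" + bareBody + ");";
// Hardened body: prefixed with bytes that cannot be parsed as JavaScript.
const PREFIX = ")]}',\n";
const guardedBody = PREFIX + bareBody;

// Model of a <script> tag evaluating a body in the page's global context.
// `hooks` stands in for functions the including page has defined; whatever
// the body hands to them is what a script include exposes to that page.
function evaluateAsScript(body, hooks = {}) {
  const names = Object.keys(hooks);
  try {
    new Function(...names, body)(...names.map((n) => hooks[n]));
    return { executed: true };
  } catch (err) {
    // A SyntaxError here means the engine refused the body as a script.
    return { executed: false, error: err.name };
  }
}

// What a page receives when it defines the callback the mashup expects.
function leakedViaCallback(body) {
  const received = [];
  evaluateAsScript(body, { handleUsers: (d) => received.push(d) });
  return received;
}

// Legitimate same-origin client: read the raw body over XMLHttpRequest,
// strip the prefix, then parse it as data rather than executing it as code.
function parseGuardedResponse(body) {
  if (!body.startsWith(PREFIX)) throw new Error("missing anti-hijack prefix");
  return JSON.parse(body.slice(PREFIX.length));
}
```

The prefixed form blocks the callback and constructor-hook variants alike, since neither gets past the parser; it does nothing for a response the attacker can fetch some other way, so it complements rather than replaces an unpredictable request token.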
The paper helpfully concludes with a look at various Ajax toolkits' ability to deal with this type of attack: Dojo, DWR 1.1.4, GWT, jQuery, Atlas, MochiKit, Moo.fx, Prototype, and Yahoo! UI are all vulnerable. DWR 2.0 has some protections against CSRF that may mitigate Javascript hijacking, the authors find.
The Javascript hijacking attack is also noted in this Subverting Ajax presentation from last year's CCC.
As I previously blogged, I think the overarching theme is that Web 2.0 brings new ways to integrate apps and data together, but it brings no new security mechanisms, so this guarantees security issues such as the above.
**************************************************
Upcoming public SOA, Web Services, and XML Security training by Gunnar Peterson, Arctec Group
- NYC (April 19), Unatek Web Services (May), OWASP App Sec Europe (May), Helsinki (June), DC/Baltimore (July 19).