Researchers like Billy Hoffman of Atlanta-based SPI Dynamics have warned for some time that digital outlaws have an easy target in applications based on Web 2.0 and Asynchronous JavaScript and XML (AJAX). At the recent Shmoocon hacker conference, Hoffman demonstrated how JavaScript-rich programs can be compromised with a tool he created called Jikto.
Now, amid reports that Jikto's code has been leaked onto the Internet, Fortify Software has released a new report describing a major flaw in Web 2.0 and AJAX software.
The technology is susceptible to JavaScript hijacking, in which
an attacker can steal critical data by emulating unsuspecting
users, Fortify said.
Researchers analysed the 12 most popular AJAX frameworks --
including programs from Google, Microsoft, Yahoo! and the open
source community -- and found that among them, only Direct Web
Remoting (DWR) 2.0 takes steps to prevent JavaScript hijacking.
"The rest of the frameworks do not explicitly provide any
protection and do not mention any security concerns in their
documentation," Fortify said in its report. "Even if an
application does not use any of the frameworks listed above, it may
be vulnerable if it contains AJAX components that use JavaScript as
a data transfer format for sensitive data."
Brian Chess, Fortify's co-founder and chief scientist, said that
with recent surveys indicating that almost 75% of enterprises plan
to increase their investment in Web 2.0 technologies, it is clear
that the information security community must address the issue
now.
"Unlike vulnerabilities that are tied to a specific application
or operating system, there is no single vendor to which this issue
can be reported and resolved," Chess said in a statement. "In fact,
many rich Web applications don't use any framework at all. As a
result, we need to educate software developers about the risk that
Web 2.0 brings."
Though Web 2.0 functionality is already incorporated into social
networking sites like MySpace, the corporate world has a growing
appetite for frameworks that facilitate quick access to
information, improve application performance and encourage
collaboration, Chess said. According to a March 2007
McKinsey survey, he noted, the industries most likely to adopt
Web 2.0 technologies are retail, high tech, telecommunications,
finance and pharmaceuticals.
JavaScript hijacking lets an attacker pose as the user accessing
the Web 2.0 application, the Fortify report said, adding, "Once the
attacker successfully emulates the victim, they can read sensitive
data transmitted between the application and the browser that uses
JavaScript as a transport mechanism. These attackers can then buy
and sell goods, trade stocks, adjust security settings for an
enterprise network or access and manipulate customer, inventory and
financial information."
To alleviate the threat, Fortify recommends including a hard-to-guess
parameter in every request for sensitive data, so that the server can
reject requests that lack it; a request forged from another site will
not carry the value. Developers can also prevent the response from
being executed directly as JavaScript, relying on the legitimate
client to undo that protection before it parses the data.
Fortify's research was released amid reports that Hoffman's
Jikto tool had been snatched up by other researchers and leaked
onto the Internet.
Jikto works by exploiting an XSS flaw on a given Web site and
then running silently in the victim's browser. It can then operate
in one of two modes. In one mode, Jikto crawls a specific Web site
in much the same way that a Web application scanner would, looking
for common vulnerabilities, such as XSS or SQL injection, and
reports the results to whatever machine is controlling it. In the
other mode, Jikto calls home to the controlling PC, reports that it
has been loaded on a new machine, and then awaits further
instructions from the controller.
Jikto's master controller has the ability to keep track of which
infected machines are online and active at any given time, enabling
an attacker to wait until a PC is idle before sending instructions
to a bot. This could help the attacker avoid alerting the user of
the infected machine to Jikto's presence. All of this is done in
pure JavaScript and, Hoffman said, helped along by the huge
explosion in the number of AJAX-based applications on the Web in
the last year or so. AJAX gives users -- and attackers -- direct
access to the APIs in a Web application, which can be quite useful
if you're trying to send malicious commands to back-end
applications.
According to published reports, a Shmoocon attendee downloaded a
copy of the code during Hoffman's presentation and posted it on his
Web site. The attendee removed it at Hoffman's request, but not
before others made their own copies. The code is now available on
the Internet, leaving some security experts worried that the bad
guys could start making use of it.
SearchSecurity.com Executive Editor Dennis Fisher contributed
to this report.