Critical flaw in Web 2.0, AJAX

Fortify Software warns in a new report that digital outlaws could use JavaScript to snatch data from Web 2.0 and AJAX-based applications if they're not properly secured.

Researchers like Billy Hoffman of Atlanta-based SPI Dynamics have warned for some time that digital outlaws have an easy target in applications based on Web 2.0 and Asynchronous JavaScript and XML (AJAX). At the recent Shmoocon hacker conference, Hoffman demonstrated how JavaScript-rich programs can be compromised with a tool he created called Jikto.

Now, amid reports that Jikto's code has been leaked onto the Internet, Fortify Software has released a new report describing a major flaw in Web 2.0 and AJAX software.

The technology is susceptible to JavaScript hijacking, in which an attacker can steal critical data by emulating unsuspecting users, Fortify said.

Researchers analysed the 12 most popular AJAX frameworks -- including programs from Google, Microsoft, Yahoo! and the open source community -- and found that among them, only Direct Web Remoting (DWR) 2.0 takes steps to prevent JavaScript hijacking.


"The rest of the frameworks do not explicitly provide any protection and do not mention any security concerns in their documentations," Fortify said in its report. "Even if an application does not use any of the frameworks listed above, it may be vulnerable if it contains AJAX components that use JavaScript as a data transfer format for sensitive data."

Brian Chess, Fortify's co-founder and chief scientist, said that with recent surveys indicating that almost 75% of enterprises plan to increase their investment in Web 2.0 technologies, it is clear that the information security community must address the issue now.

"Unlike vulnerabilities that are tied to a specific application or operating system, there is no single vendor to which this issue can be reported and resolved," Chess said in a statement. "In fact, many rich Web applications don't use any framework at all. As a result, we need to educate software developers about the risk that Web 2.0 brings."

Though Web 2.0 functionality is already incorporated into social networking sites like MySpace, the corporate world has a growing appetite for frameworks that facilitate quick access to information, improve application performance and encourage collaboration, Chess said. According to a March 2007 McKinsey survey, he noted, the industries most likely to adopt Web 2.0 technologies are retail, high tech, telecommunications, finance and pharmaceuticals.

JavaScript hijacking lets an attacker pose as the user accessing the Web 2.0 application, the Fortify report said, adding, "Once the attacker successfully emulates the victim, they can read sensitive data transmitted between the application and the browser that uses JavaScript as a transport mechanism. These attackers can then buy and sell goods, trade stocks, adjust security settings for an enterprise network or access and manipulate customer, inventory and financial information."

To alleviate the threat, Fortify recommends that Web 2.0 applications require a hard-to-guess parameter in each request so that malicious requests can be declined. Applications can also prevent direct execution of the JavaScript response by taking advantage of the capabilities of the legitimate client.
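The two defences Fortify describes, as an added example that is not code from the report or from the article: a minimal model of a JSON endpoint that (1) declines any request lacking a per-session secret and (2) wraps the JavaScript payload so it cannot run as a script, with a legitimate client that supplies the secret and strips the wrapper. The endpoint name, the `X-Request-Token` header, the session store and the sample account data are all constructed assumptions; the request and response objects stand in for HTTP so the code runs offline in Node.js.

```javascript
// Server-side session store (constructed sample data). Each session records
// the hard-to-guess token that was embedded in the page when it was rendered.
const SESSIONS = {
  'sess-123': { user: 'alice', token: 'tok-8f3a1c9e0b', balance: 1250 },
};

// Prefix that turns the JSON array into a script that never yields its data
// if a cross-site page pulls the URL in via <script src=...>. The legitimate
// client, which uses XMLHttpRequest, removes it before parsing.
const UNPARSEABLE_PREFIX = 'while(1);';

// Hypothetical handler for GET /account/summary. `req` carries only the parts
// of an HTTP request the defences need; returns { status, body }.
function handleSummary(req) {
  const session = SESSIONS[req.cookies.sessionId];
  if (!session) {
    return { status: 401, body: '' };
  }
  // Defence 1: per-request secret. A request forged from another site carries
  // the victim's cookie automatically but cannot add this header or know the
  // token, so it is declined before any data is produced.
  if (req.headers['x-request-token'] !== session.token) {
    return { status: 403, body: '' };
  }
  const payload = [{ user: session.user, balance: session.balance }];
  // Defence 2: never return a bare JavaScript literal that a browser could
  // execute directly; frame it so only a cooperating client can read it.
  return { status: 200, body: UNPARSEABLE_PREFIX + JSON.stringify(payload) };
}

// Legitimate client: send the token and strip the framing before JSON.parse.
function fetchSummary(sessionId, token) {
  const res = handleSummary({
    cookies: { sessionId },
    headers: { 'x-request-token': token },
  });
  if (res.status !== 200) {
    throw new Error('request rejected with status ' + res.status);
  }
  if (!res.body.startsWith(UNPARSEABLE_PREFIX)) {
    throw new Error('unexpected response framing');
  }
  return JSON.parse(res.body.slice(UNPARSEABLE_PREFIX.length));
}

// Defender's check: what the server does with a request that carries the
// session cookie but no token (the shape a cross-site include produces).
function statusWithoutToken(sessionId) {
  return handleSummary({ cookies: { sessionId }, headers: {} }).status;
}

// Defender's check: confirm the raw body is not directly parseable as JSON,
// i.e. the framing really is in place on successful responses.
function bodyIsBareJson(sessionId, token) {
  const res = handleSummary({
    cookies: { sessionId },
    headers: { 'x-request-token': token },
  });
  try {
    JSON.parse(res.body);
    return true;
  } catch (e) {
    return false;
  }
}
```

The prefix only helps if the client never evaluates the response with `eval` or a `<script>` tag; pair it with the token check rather than relying on either alone, since the token protects the endpoint regardless of how the client consumes the data.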

Fortify's research was released amid reports that Hoffman's Jikto tool had been snatched up by other researchers and leaked onto the Internet.

Jikto works by exploiting an XSS flaw on a given Web site and then silently installing itself on a user's PC. It can then operate in one of two modes. In one mode, Jikto crawls a specific Web site in much the same way that a Web application scanner would, looking for common vulnerabilities, such as XSS or SQL injection. It then reports the results to whatever machine is controlling it. In the other mode, Jikto calls home to the controlling PC, tells it that it has installed itself on a new machine, and then awaits further instructions from the controller.

Jikto's master controller has the ability to keep track of which infected machines are online and active at any given time, enabling an attacker to wait until a PC is idle before sending instructions to a bot. This could help the attacker avoid alerting the user of the infected machine to Jikto's presence. All of this is done in pure JavaScript and, Hoffman said, helped along by the huge explosion in the number of AJAX-based applications on the Web in the last year or so. AJAX gives users -- and attackers -- direct access to the APIs in a Web application, which can be quite useful if you're trying to send malicious commands to back-end applications.

According to published reports, a Shmoocon attendee downloaded a copy of the code during Hoffman's presentation and posted it on his Web site. The attendee removed it at Hoffman's request, but not before others made their own copies. The code is now available on the Internet, leaving some security experts worried that the bad guys could start making use of it. Executive Editor Dennis Fisher contributed to this report.
