Ajax Exploit Threatens Web 2.0 Security

Cyndy Aleo-Carreira


In the comments section of my review of Clipperz, CEO of Clipperz Marco Barulli disagreed with my concerns about using third-party libraries for Clipperz, as well as an open-source JavaScript cryptographic library. Fortify Software would seem to agree with me, releasing an advisory this week on a known vulnerability in Web 2.0 sites that rely on Ajax.

Fortify examined 12 popular Ajax frameworks, including the biggies – Google, Microsoft, and Yahoo! – as well as open-source releases. Their verdict? Only Direct Web Remoting (DWR) 2.0 had the goods to prevent JavaScript Hijacking. The others not only don't seem to have protection in place, but also don't even mention the threat in their documentation. As Fortify's press release states, "Even if an application does not use any of the frameworks listed above, it may be vulnerable if it contains AJAX components that use JavaScript as a data transfer format for sensitive data."

When I look at online apps, I do so with a coder's mindset. And while I'm a big proponent of open source programming, I also know that the more third-party components you include, the more possibility of holes in the software.

The exploit takes advantage of any system that uses JavaScript as a transport for data. By posing as the legitimate user, JavaScript Hijacking can obtain sensitive information and then give the attacker access to the Web 2.0 app. The amount of damage that can be done depends on how much the application does.
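To make the defensive side of this concrete, here is an added example (my own illustration, not code from Fortify, DWR, or any of the frameworks in the advisory) of the two checks a JSON endpoint can apply so that its data cannot be pulled in through a script tag on someone else's page. The guard prefix, the header names, and the sample payload are assumptions for illustration; the prefix convention is one several frameworks use, but the specific string here is not taken from any of them.

```javascript
// Added example (not from the article or from Fortify): hardening a JSON
// endpoint against JavaScript hijacking. Header names, the guard string and
// the sample payload are constructed for illustration.

// A prefix that is not valid JavaScript when a response is loaded through a
// <script src="..."> tag: the parser throws before any array or object
// literal is evaluated, so a page that included the endpoint as a script
// learns nothing. The legitimate client fetches the text with XMLHttpRequest
// and strips the prefix before parsing.
const JSON_GUARD_PREFIX = ")]}',\n";

// Server side: build the response body for a sensitive JSON payload.
function guardJsonResponse(payload) {
  return JSON_GUARD_PREFIX + JSON.stringify(payload);
}

// Client side: strip the guard and parse. Refuse bodies that lack the guard,
// since that would mean the endpoint (or something in front of it) is now
// serving bare, script-evaluable JSON.
function parseGuardedJson(body) {
  if (!body.startsWith(JSON_GUARD_PREFIX)) {
    throw new Error("response is missing the anti-hijacking guard");
  }
  return JSON.parse(body.slice(JSON_GUARD_PREFIX.length));
}

// Server side: a <script> tag cannot set custom request headers and cannot
// supply a per-session secret it never received, so require both before
// answering with sensitive data. `expectedToken` is the token stored in the
// user's server-side session (hypothetical header names).
function isTrustedAjaxRequest(headers, expectedToken) {
  const requestedWith = headers["x-requested-with"];
  const token = headers["x-csrf-token"];
  return (
    requestedWith === "XMLHttpRequest" &&
    typeof token === "string" &&
    token.length > 0 &&
    token === expectedToken
  );
}

// Check that a body really fails to parse as a script, which is what the
// browser would try to do with it on a hijacking page. Parse only; the
// payload is never executed.
function bodyFailsAsScript(body) {
  try {
    new Function(body);
    return false;
  } catch (e) {
    return e instanceof SyntaxError;
  }
}

// Stand-alone demonstration on a constructed payload.
const demoBody = guardJsonResponse({ account: "1234", balance: 42 });
console.log("guarded body fails as script:", bodyFailsAsScript(demoBody));
console.log("bare JSON array fails as script:", bodyFailsAsScript('[{"secret":1}]'));
console.log("client can still read it:", JSON.stringify(parseGuardedJson(demoBody)));
```

The first check (the guard prefix) stops the data from being readable if a script tag does manage to fetch it; the second (a custom header plus a session-bound token) stops the endpoint from answering a cross-site request in the first place. Either alone helps; together they cover the case where one of them is misconfigured or stripped by a proxy.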

There are some who will say that the Fortify advisory doesn't really address anything new, and Fortify's FAQ addresses those comments. This week we've also seen a Windows exploit that not only affects the Internet Explorer browser, but also Firefox. Ajax has made many Web 2.0 apps user-friendly and, let's face it, cool. However, it can't hurt to take a second, third, or even fourth look at security, especially when it comes to protecting users' sensitive data.
