 "Fortify Identifies Specific Web 2.0 Vulnerability")
Security products provider, Fortify Software’s Security Research Group, has documented the first major vulnerability associated specifically with Web 2.0 and AJAX-style software.
Termed JavaScript Hijacking, the vulnerability allows an attacker to steal critical data by emulating unsuspecting users. To combat this issue, Fortify has released an in-depth security advisory that details this vulnerability, how enterprises can determine if they are vulnerable and how they can fix the issue.
As part of the company’s work, the 12 most popular AJAX frameworks, including those from Google, Microsoft, Yahoo! and the open source Community were analyzed and Fortify determined that among them, only Direct Web Remoting (DWR) 2.0 implements mechanisms for preventing JavaScript Hijacking. The rest of the frameworks do not explicitly provide any protection and do not mention any security concerns in their documentations. Even if an application does not use any of the frameworks listed above, it may be vulnerable if it contains AJAX components that use JavaScript as a data transfer format for sensitive data.
The vulnerability opens businesses up to malware that can allow an attacker to access proprietary information. JavaScript Hijacking allows an attacker to pose as the user accessing the Web 2.0 application. Once the attacker successfully emulates the victim, they can read sensitive data transmitted between the application and the browser that uses JavaScript as a transport mechanism. These attackers can then buy and sell goods, trade stocks, adjust security settings for an enterprise network or access and manipulate customer, inventory and financial information.
Although Web 2.0 functionality has already seen mainstream use by consumers (e.g. social networking sites like MySpace), enterprises are recognizing the growing value of pushing applications to the Web, and are rapidly deploying frameworks to facilitate quick access to information, improve application performance and encourage collaboration. According to a March 2007 McKinsey survey, the industries most likely to adopt Web 2.0 technologies are retail, high tech, telecommunications, finance and pharmaceuticals.
Brian Chess, Fortify Software’s co-founder and Chief Scientist said, “With recent surveys from McKinsey indicating that almost 75 percent of enterprises plan on increasing their investment in Web 2.0 technologies, it is clear that we need to address the issue now. Unlike vulnerabilities that are tied to a specific application or operating system, there is no single vendor to which this issue can be reported and resolved. In fact, many rich Web applications don’t use any framework at all. As a result, we need to educate software developers about the risk that Web 2.0 brings.”