Bringing content-updating behaviors to web pages without reloading them has been a key piece of the 'Web 2.0' online application meme; it now appears criminals may have a way to break those pages open too.
Part of Hoffman's source code for Jikto has been released on the Internet. Fortify, meanwhile, examined several Ajax frameworks to determine whether a JavaScript threat could exploit them:
We analyzed 12 popular Ajax frameworks, including 4 server-integrated toolkits -- Direct Web Remoting (DWR), Microsoft ASP.NET Ajax (a.k.a. Atlas), xajax and Google Web Toolkit (GWT) -- and 8 purely client-side libraries -- Prototype, Script.aculo.us, Dojo, Moo.fx, jQuery, Yahoo! UI, Rico, and MochiKit. We determined that among them only DWR 2.0 implements mechanisms for preventing JavaScript Hijacking.
Because the data is transported as JavaScript, an unauthorized web page can read responses that were meant for a legitimate site. If that data includes confidential information, a hijack delivers it to another party.
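Two standard defenses against this kind of hijack, refusing requests that do not prove they came from the site's own page and prefixing the response so a browser cannot run it as a script, are illustrated below. This is an added example in Python, not Fortify's or any framework's code; the endpoint, header names, session-token scheme and guard prefix are assumptions.

```python
"""Defending an Ajax JSON endpoint against JavaScript Hijacking (added example)."""
import hmac
import json
import secrets

# Prefix that stops a browser from executing the body as a <script>: the
# throw runs before the JSON array literal below it can be evaluated.
GUARD_PREFIX = "throw 1;\n"


def issue_session_token() -> str:
    """Server mints a per-session secret and hands it to the page at login."""
    return secrets.token_urlsafe(32)


def authorize(headers: dict, expected_token: str) -> bool:
    """Accept only XMLHttpRequest calls carrying the session secret.

    A cross-site <script src=...> request can set no custom headers and
    cannot read the token, so it fails both checks.
    """
    if headers.get("X-Requested-With") != "XMLHttpRequest":
        return False
    presented = headers.get("X-Session-Token", "")
    return hmac.compare_digest(presented, expected_token)


def render_response(data, headers: dict, expected_token: str) -> tuple:
    """Return (status, body) for a hypothetical /api/contacts endpoint."""
    if not authorize(headers, expected_token):
        return 403, ""
    return 200, GUARD_PREFIX + json.dumps(data)


def parse_response(body: str):
    """Client side: the page's own XHR reads the raw text, strips the guard
    and parses the JSON; a script tag has no such chance."""
    if not body.startswith(GUARD_PREFIX):
        raise ValueError("response missing guard prefix")
    return json.loads(body[len(GUARD_PREFIX):])


# Constructed sample data standing in for confidential per-user content.
CONTACTS = [{"name": "alice", "email": "alice@example.com"}]


def demo():
    """Legitimate same-origin XHR versus a cross-site script-tag request."""
    token = issue_session_token()
    xhr_headers = {"X-Requested-With": "XMLHttpRequest", "X-Session-Token": token}
    script_tag_headers = {}  # a <script src> request carries no custom headers
    return render_response(CONTACTS, xhr_headers, token), render_response(CONTACTS, script_tag_headers, token)
```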
The concept was demonstrated quite painfully to Google early in 2006. Jeremiah Grossman detailed a