Slashdot Mirror


Web 2.0 Under Siege

Robert writes "Security researchers have found what they say is an entirely new kind of web-based attack, and it only targets the Ajax applications so beloved of the 'Web 2.0' movement. Fortify Software, which said it discovered the new class of vulnerability and has named it 'JavaScript hijacking', said that almost all the major Ajax toolkits have been found vulnerable. 'JavaScript Hijacking allows an unauthorized attacker to read sensitive data from a vulnerable application using a technique similar to the one commonly used to create mashups'"

3 of 170 comments

  1. Okay, I'll be the first to ask. by Z0mb1eman · · Score: 5, Insightful

    How is this different from cross-site scripting?

    "In an example attack, a victim who has already authenticated themselves to an Ajax application, and has the login cookie in their browser, is persuaded to visit the attacker's web site. This web site contains JavaScript code that makes calls to the Ajax app. Data received from the app is sent to the attacker."

    --
    ClutterMe.com - easiest site creation on the Net. Just click and type.
  2. Is that title sarcastic? by jeevesbond · · Score: 3, Insightful

    I really hope it is. There's no such thing as Web 2.0; some arse decided to put a label on the natural progression the Web was undertaking anyway. It's annoying when authors write that some entirely new, completely re-written version of the Web is--surprisingly--vulnerable; it's the same old Web, just with some new buzz-words.

    This is a vulnerability that appears only when passing Javascript between client and server. An attacker has to get a potential victim who is logged in to a site that uses the JSON format to exchange data using AJAX to visit a page they've set up. Then the attacker can intercept the data as it travels between client and server, a man in the middle attack. From the article:

    In an example attack, a victim who has already authenticated themselves to an Ajax application, and has the login cookie in their browser, is persuaded to visit the attacker's web site. This web site contains JavaScript code that makes calls to the Ajax app. Data received from the app is sent to the attacker.

    So it's a known method of attack, but because it's aimed at web sites using AJAX it has to be labelled 'Web 2.0'. Ugh.
    --
    I'm going to transform myself into a mighty hawk. Either that or I'll just go and work at Dixons, haven't decided yet.
  3. sigh by CrazyBrett · · Score: 4, Insightful

    This just sounds like a fancy Cross-Site Request Forgery.

    I still maintain that the collective blindness to these security issues comes from our absolute refusal to see HTTP requests as function calls. This is partly due to the silly ideology of the REST crowd.

    Rephrase the situation as follows and see if this doesn't make you pee your pants: "Any site can instruct your browser to execute an arbitrary function on another site using your authentication credentials."
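
Added example, not part of the original thread: a server-side check for the situation the comments describe, where the login cookie rides along with a request that another site's page started. The origin allowlist, the `x-csrf-token` header name, the session store and the sample requests are assumptions constructed for illustration.

```javascript
// Added example; every name and value below is constructed for illustration.
const TRUSTED_ORIGINS = new Set(["https://app.example"]); // assumed app origin

// Constructed session store: session cookie value -> server-side state.
const sessions = new Map([
  ["sess-abc", { user: "alice", csrfToken: "t0k3n-constructed-1" }],
]);

// Compare two strings without stopping at the first differing character.
function constantTimeEqual(a, b) {
  if (typeof a !== "string" || typeof b !== "string") return false;
  if (a.length === 0 || b.length === 0) return false;
  let diff = a.length ^ b.length;
  for (let i = 0; i < a.length; i++) {
    diff |= a.charCodeAt(i) ^ b.charCodeAt(i % b.length);
  }
  return diff === 0;
}

function authorizeAjaxRequest(req) {
  const session = sessions.get(req.cookies.session);
  if (!session) return { allowed: false, reason: "no-session" };

  // The browser attaches the cookie to cross-site requests as well, so a
  // valid cookie identifies the user but not the page that made the call.
  const origin = req.headers["origin"];
  if (origin !== undefined && !TRUSTED_ORIGINS.has(origin)) {
    return { allowed: false, reason: "foreign-origin" };
  }

  // A <script src> or form on another site cannot set a custom header or
  // read this per-session token, so requiring it rejects foreign callers
  // even when no Origin header is sent.
  const token = req.headers["x-csrf-token"];
  if (!constantTimeEqual(token, session.csrfToken)) {
    return { allowed: false, reason: "missing-or-bad-token" };
  }
  return { allowed: true, reason: "ok", user: session.user };
}

// Constructed requests carrying the same cookie, as the browser would send it.
const ownPage = { cookies: { session: "sess-abc" },
  headers: { origin: "https://app.example", "x-csrf-token": "t0k3n-constructed-1" } };
const foreignScriptTag = { cookies: { session: "sess-abc" }, headers: {} };

console.log(authorizeAjaxRequest(ownPage).reason);
console.log(authorizeAjaxRequest(foreignScriptTag).reason);
```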