Slashdot Mirror

← Back to Stories (view on slashdot.org)

Web 2.0 Under Siege

Posted by Hemos on from the in-dark-territory dept.

Robert writes "Security researchers have found what they say is an entirely new kind of web-based attack, and it only targets the Ajax applications so beloved of the 'Web 2.0' movement. Fortify Software, which said it discovered the new class of vulnerability and has named it 'JavaScript hijacking', said that almost all the major Ajax toolkits have been found vulnerable. 'JavaScript Hijacking allows an unauthorized attacker to read sensitive data from a vulnerable application using a technique similar to the one commonly used to create mashups'"

27 of 170 comments (clear)

  1. Vocabulary Fix by Nerdfest · · Score: 3, Funny

    Sadly, this is likely to do very little to stop the use of the word 'mashups'.

    1. Re:Vocabulary Fix by MikeFats · · Score: 3, Funny

      You're right - who doesn't yearn for the good old Pine and Gopher days? I spit on you AJAX and Web 2.0.

  2. Okay, I'll be the first to ask. by Z0mb1eman · · Score: 5, Insightful

    How is this different from cross-site scripting?

    "In an example attack, a victim who has already authenticated themselves to an Ajax application, and has the login cookie in their browser, is persuaded to visit the attacker's web site. This web site contains JavaScript code that makes calls to the Ajax app. Data received from the app is sent to the attacker."

    --
    ClutterMe.com - easiest site creation on the Net. Just click and type.
    1. Re:Okay, I'll be the first to ask. by daviddennis · · Score: 5, Informative

      This is much harder to protect against than normal XSS. Why? Because the Ajax does not have to be executed from within the same domain.

      Let's say someone wants to attack my site, amazing.com. I browse to their site, remarkable.com, and the exploit code gets loaded into my browser. Remarkable.com can post to amazing.com using AJAX and receive replies as though they were authenticated on my site, because the browser automatically sends the amazing.com cookies with it when accessing an amazing.com URL. It appears to the browser fundamentally as though I was in remarkable.com and then typed the amazing.com URL on to the address bar.

      (Of course you could spoof the referer but not from an existing browser session so I think the referer can be relied on in this context.)

      If this is so, then it could truly be a throbbing migraine to fix - you would have to use the HTTP referer field to verify that the site calling your Ajax code was valid.

      Hope that helps. Not the cheeriest news this morning :-(, but hopefully Prototype will have some kind of fix, and life will go on.

      D

    2. Re:Okay, I'll be the first to ask. by Bogtha · · Score: 4, Informative

      No, that kind of thing has always been possible since the very first implementation of JavaScript. If you don't need POST, then you can even do it with plain HTML 2.0, no JavaScript.

      The problem here is that JSON is a subset of JavaScript and so it is automatically parsed under the local domain's security context when it's included in a document with <script>. There's a few tricks to "hide" it even though it's already been parsed and is sitting in memory, I assume these guys have found a way around that.

      --
      Bogtha Bogtha Bogtha
    3. Re:Okay, I'll be the first to ask. by Bogtha · · Score: 4, Informative

      this only affects AJAX APIs / apps that are designed to be called from other domains.

      No, that's the vulnerability. This allows other domains to get the data when the applications don't want to share it.

      Bottom line: Don't expose any data / functionality through an API that allows cross-domain XHR unless you add additional precautions.

      The news here is that the "additional precautions" that most Ajax libraries take are ineffective.

      --
      Bogtha Bogtha Bogtha
  3. Re:XSS by KDan · · Score: 5, Informative

    I think the very subtle difference is that this time the calls are made using site A's public Ajax API, using site A's authentication token, but are made from a script sitting on site B. The javascript calls return with data from site A, which can then be handled by site B. XSS/JS Injection is more about injecting alien javascript onto site A to make site A call site B with the info it wants.

    Daniel

    --
    Carpe Diem
  4. quick! by mastershake_phd · · Score: 5, Funny

    Upgrade to Web 3.0, quick!

    --
    Libertarian Leaning Political Discussion Forum.
  5. Re:XSS by Cigarra · · Score: 3, Informative

    So, how is this different than Javascript injection or Cross-site Scripting? It is not. They just HAD to make it to Slashdot's front page.
    --
    I don't have a sig.
  6. Duh by evil_Tak · · Score: 3, Informative

    This has been around for (web) ages. As stated in the summary, it's used all over the place to create mashups because it's one of the only ways around the security requirement that XmlHttpRequest can only talk to the originating server.

  7. Mashups? by Rob+T+Firefly · · Score: 5, Funny

    'JavaScript Hijacking allows an unauthorized attacker to read sensitive data from a vulnerable application using a technique similar to the one commonly used to create mashups'
    So back when I made the Beastie Boys rap over the Macarena tune, I was really hacking the Web 2.0? And here I thought I was just assaulting eardrums and good taste...
    --
    Slashdot Burying Stories About Slashdot Media Owned
  8. Where's the problem? by pimterry · · Score: 5, Interesting

    "In an example attack, a victim who has already authenticated themselves to an Ajax application, and has the login cookie in their browser, is persuaded to visit the attacker's web site. This web site contains JavaScript code that makes calls to the Ajax app. Data received from the app is sent to the attacker."

    So essentially it means that the attacker can use the authentication cookie of the user to authenticate them again, and then run javascript with that authentication. But why are AJAX apps storing authentication in cookies? If you need to store authentication (User session id's etc), store them in a variable within the javascript. That'll stay there until a page refresh clears variable status, and how many page refreshes occur with AJAX?

    AJAX apps do not need to (and should not!) store user authentication in cookies. Cookies are useful for keeping a continual session open between pages. AJAX needs no continual session. If they don't use cookies, then other sites cannot use that authentication.

    Where's the problem? (What am i missing?)

    PimTerry

    1. Re:Where's the problem? by TheSunborn · · Score: 3, Informative

      The problem is your statement that "AJAX needs no continual session"

      AJAX really do need sessions. Just think of Gmail. It it a single AJAX session starting when you login, and finishing when you logout or timeout.

      If AJAX don't use sessions, it would have to authenticate itself with username and password with each request it made to the server.

      An better solution might be to let the AJAX application explicit handle sessions by storing the session id, and sending it in the post part of all it's requests. But that might be a problem with the browsers history, because it would then loose your session id, if you used the back button.

  9. Shirky's Law: by sakusha · · Score: 4, Interesting

    "Social Software is stuff that gets spammed."

    The obvious implication of Shirky's Law is that Web 2.0 services are an attractive nuisance and give spammers and other griefers an incentive to game the system. Any new web service has to account for this and build in extremely high levels of security. Obviously nobody is doing this.

  10. Is that title sarcastic? by jeevesbond · · Score: 3, Insightful
    I really hope it is. There's no such thing as Web 2.0, some arse decided to put a label on the natural progression the Web was undertaking anyway. It's annoying when authors write that some entirely new, completely re-written version of the Web is--suprisingly--vulnerable, it's the same old Web, just with some new buzz-words.

    This is a vulnerability that appears only when passing Javascript between client and server. An attacker has to get a potential-victim who is logged-in to a site, that uses the JSON format to exchange data using AJAX, to visit a page they've setup. Then the attacker can intercept the data as it travels between client and server, a man in the middle attack. From the article:

    In an example attack, a victim who has already authenticated themselves to an Ajax application, and has the login cookie in their browser, is persuaded to visit the attacker's web site. This web site contains JavaScript code that makes calls to the Ajax app. Data received from the app is sent to the attacker.

    So it's a known method of attack, but because it's aimed at web sites using AJAX it has to be labelled 'Web 2.0'. Ugh.
    --
    I'm going to transform myself into a mighty hawk. Either that or I'll just go and work at Dixons, haven't decided yet.
  11. We've already seen this before by slashkitty · · Score: 4, Interesting
    It was reported as a problem with the google address book. These guys just generalized the problem because they saw it in many places.

    It actually could be pretty nasty. I think the only solution is for you to pass authenticated tokens through the url or input parameters (not through cookies).

    It might be a good time to use the firefox NoScript plugin if you're not using it already. Only allow javascript on sites you trust.

    --
    -- these are only opinions and they might not be mine.
    1. Re:We've already seen this before by aron_wallaker · · Score: 4, Informative

      There are ways to deal with this. Joe Walker, author of Direct Web Remoting (DWR), talks about the GMail problem and ways to solve it:

      http://getahead.org/blog/joe/2007/01/01/csrf_attac ks_or_how_to_avoid_exposing_your_gmail_contacts.ht ml

      Of course, DWR 2.0 will have all this goodness built in. :)

  12. Re:XSS by KDan · · Score: 4, Informative

    Sorry, I was writing this in a rush. I meant site A executes the code that was injected, retrieves the resulting data from site A, and then sends that data over to site B (or some other location). Typically this "data" is stuff like login information...

    Daniel

    --
    Carpe Diem
  13. The Biggest WTF... by Sam+Legend · · Score: 5, Funny

    The biggest WTF is that somebody is still using javascript. Oops. Wrong site...
    (Captcha: backtotheweb1.0)

  14. Detailed report on this problem (no reg required) by robby_r · · Score: 3, Informative

    All: I encourage all of you to read the detailed report Fortify wrote on this topic. Its written for developers and explains the problem in clear technical detail. http://www.fortifysoftware.com/advisory.jsp (No registration required) Its a long document but I doubt you'll have a lot of questions after reading it. Its refreshing to see reports written like this that don't insult a developer's intelligence.

  15. sigh by CrazyBrett · · Score: 4, Insightful

    This just sounds like a fancy Cross-Site Request Forgery.

    I still maintain that the collective blindness to these security issues comes from our absolute refusal to see HTTP requests as function calls. This is partly due to the silly ideology of the REST crowd.

    Rephrase the situation as follows and see if this doesn't make you pee your pants: "Any site can instruct your browser to execute an arbitrary function on another site using your authentication credentials."

    1. Re:sigh by julesh · · Score: 3, Interesting

      This just sounds like a fancy Cross-Site Request Forgery.

      That'll be because it is. It's basically an observation that CSRF on a site which returns data in JSON format allows the attacker to read the content of the result. Well, duh. Of course that happens. It's one of the reasons I've always opposed JSON as a useful format.

      The other reason is equally bad, but only applies to "mash up" type situations: the coder of the client has to trust the server with access to all data in the client. This makes it useless in many situations.

      The best solution would be to scrap the current security system, make subrequest cookies (including XMLHttpRequests) dependent on both the domain the request goes to *and* the domain of the page that caused the request, and allow XMLHttpRequest to access servers other than the page source. This would both fix CSRF and eliminate the need for JSON. What more do you want? :)

  16. Re:Enough by Anonymous Coward · · Score: 3, Informative

    BBZZZT! I'll bite... "Web 2.0" is a term coined by Tim O'Reilly (of O'Reilly Media; you know, those books with the animals on the cover) as a way of classifying a new generation of web-based applications, a shift from static text and html to interactivity and user-participation in creating the content of a site. The media picked up on it later and gave it buzzwordyness. People who do not have a background in and/or an understanding of technology assume that the media made it up.

  17. vulnerable == cookie && json && !p by Anonymous Coward · · Score: 3, Informative

    An application may be vulnerable if:

    - It uses cookies to store session IDs or other forms of credentials; and
    - It sends data from server to browser using "JSON" notation; and
    - It doesn't require POST data in each request.

    A vulnerable application can be fixed by changing any of these three aspects:

    - Stop using cookies, and instead supply the credentials in the request's URL or POST data.
    - Don't use JSON, or munge your JSON so that it can't be run directly from within a <script> tag; for example, you could put comments around it in the server and strip them off in your client.
    - Have the client send some POST data and check for it on the server (a <script> tag can't send POST data).

    My preference, and the strategy that I've used in Anyterm and Decimail Webmail, is to not use cookies. To me it actually seems easier to put the session ID in the request, rather than to mess around with cookies.

    The advisory, which explains it all but is a bit waffly at the start, is at http://www.fortifysoftware.com/servlet/downloads/p ublic/JavaScript_Hijacking.pdf

  18. i told that EVERY time AJAX - 2.0 hype was posted by unity100 · · Score: 3, Interesting

    If you delegate operations and processes to client side, sooner or later they will be finding more ways to exploit it to an extent that it would be a security risk to offer such client side stuff, making anti-virus, anti-spyware, privacy product manufacturers more agitated about it, and in the end drawing visitors away from your site due to blocks, issues, and fear.

    --
    Read radical news here
  19. XML is so last week. What's really wrong. by Animats · · Score: 5, Informative

    XML is now so last week. Really l33t web apps use JSON, which is yet another way to write S-expressions like those of LISP, but now in Javascript brackets.

    There are several security problems with JSON. First, some web apps parse JSON notation by feeding it into JavaScript's "eval". Now that was dumb. Some JSON support code "filters" the incoming data before the EVAL, but the most popular implementation missed filtering something and left a hole. Second, there's an attack similar to the ones involving redefining XMLHttpRequest: redefining the Array constructor. (Caution, page contains proof of concept exploit.)

    The real problem is JavaScript's excessive dynamism. Because you can redefine objects in one script and have that affect another script from a different source, the language is fundamentally vulnerable. It's not clear how to allow "mashups" and prevent this. The last attempt to fix this problem involved adding restrictions to XMLHttpRequest, but that only plugged some of the holes.

    As a minimum, it's probably desirable to insist in the browser that, on secure pages, all Javascript and data must come from the main page of the domain. No "mashups" with secure pages.

    1. Re:XML is so last week. What's really wrong. by julesh · · Score: 3, Interesting

      There are several security problems with JSON. First, some web apps parse JSON notation by feeding it into JavaScript's "eval". Now that was dumb.

      You don't say. My first thought on hearing about the entire idea was "why would you want to let a foreign server run its code on your page?"

      The real problem is JavaScript's excessive dynamism. Because you can redefine objects in one script and have that affect another script from a different source, the language is fundamentally vulnerable.

      Err... if I don't let foreign code execute (e.g. by doing 'var e = document.createElement("script"); e.src = "http://www.someotherserver.com/potential-security -risk"; document.body.appendChild (e);', which I've seen many scripts do) how can another site redefine the objects in my script? I think the vulnerability is that most JS programmers are too willing to let other sites execute arbitrary code in their own context, which really ain't good.

      The last attempt to fix this problem involved adding restrictions to XMLHttpRequest, but that only plugged some of the holes.

      The fix seems obvious to me:

      * cookies in subrequests must be tied to the domain of the page that initiated the request as well as the domain the request goes to; this reduces the possibility of CSRF. So if www.a.com has a web page that requests data from www.b.com, it will only send a cookie if www.b.com set one in response to a previous request from www.a.com. This applies to SCRIPT tags, to IFRAME tags, to IMG tags, to LINK tags, etc.

      * XMLHttpRequest must not be tied to the same-domain policy. Attempts to access a different domain should result in a request for confirmation from the user for the first time any particular requester/receiver domain pair is used. This means mashups (and other applications that need cross-domain access) can be written that do not need to use JSON. JSON parsing through script insertion or eval() is insecure, and should be deprecated.

      As a minimum, it's probably desirable to insist in the browser that, on secure pages, all Javascript and data must come from the main page of the domain. No "mashups" with secure pages.

      Scripts, yes. I don't see the need to ensure that data originates in the same domain.