Monday, April 02, 2007

JavaScript Hijacking

Update: Robert Lemos (SecurityFocus) followed up as well, "Developers warned to secure AJAX design"

Update: Joris Evers from C-Net blogged the story.

Brian Chess (Chief Scientist) from Fortify recently invited me to peer review an interesting new white paper entitled “JavaScript Hijacking” prior to its release. Private peer review is something I do with some regularity to help people out, and in return I get to see what others are working on ahead of time. It's a cool exchange! Plus this work extends some of my earlier research into JavaScript object overwriting (Gmail example), so I have the background for it. Specifically, when an AJAX-enabled website returns sensitive data as a JavaScript object, that data is susceptible to CSRF attacks.

The paper digs into the various AJAX development frameworks, how they defend against CSRF attacks, or don’t, possible solutions, risks, advice, etc. Brian Chess, Yekaterina Tsipenyuk O'Neil, and Jacob West did a good job researching this, consulted with the experts, and presented the technical bits in an easy-to-understand fashion. For those already up to speed on the bleeding-edge web attacks, you’re not going to find anything “new”. This is more for developers and organizations that want something simple to understand what’s going on and what they can do about it. Good stuff.

6 comments:

Thomas Ptacek said...

It doesn't bug you that their marketing department totally ran away with it, presenting it as "the first security vulnerability discovered in Web 2.0"?

Jordan said...

I think more valuable than the descriptions of the general vulnerability was the research into the AJAX frameworks and how each of them was or wasn't vulnerable out of the box. That was quite useful.

Thomas: It doesn't bother me that much, and believe me, I get pretty peeved at bad PR announcements since my inbox is full of them. Every now and then it's worth calling folks out when they're trying to shovel crap and call it worthwhile (*cough* Symantec *cough*).

In this case though, I think it's a fair assessment that they categorize this as the first vulnerability specific to AJAX applications. That they're just generalizing Jeremiah's previous work means that yeah, the vulnerability itself isn't /new/, but as I said above, the discussions of existing frameworks were useful, and the work to generalize the discussion on the vulns and defenses did add to the discussion.

Plus, if this gets the word out to where it matters most--AJAX developers--then so much the better.

Jeremiah Grossman said...

@thomas: less and less these days actually, I've grown more or less immune to ANY headlines and marketing claims. This was relatively tame compared to others I've seen. I used to vent some about it, but found it to be a waste of time. I just skim over those parts and hopefully find the few nuggets of information I didn't previously know about. Every once in a while something bugs me, or I find something completely inaccurate, and then I'll say something or post about it.


@jordan: That was basically my assessment as well.

Anonymous said...

Schneier blogged about it also:
http://www.schneier.com/blog/archives/2007/04/javascript_hija_1.html

Jeremiah Grossman said...

Oh man. You know when Schneier links to you, the subject has reached another level entirely.

zouk said...

Bruce Schneier's contributions to network security are great; he really throws light on the topics currently being faced by the online community.
http://securiour.com