Web 2.0 Under Siege

Robert writes "Security researchers have found what they say is an entirely new kind of web-based attack, and it only targets the Ajax applications so beloved of the 'Web 2.0' movement. Fortify Software, which said it discovered the new class of vulnerability and has named it 'JavaScript hijacking', said that almost all the major Ajax toolkits have been found vulnerable. 'JavaScript Hijacking allows an unauthorized attacker to read sensitive data from a vulnerable application using a technique similar to the one commonly used to create mashups'"

Re:XSS

[KDan]

I think the very subtle difference is that this time the calls are made using site A's public Ajax API, using site A's authentication token, but are made from a script sitting on site B. The javascript calls return with data from site A, which can then be handled by site B. XSS/JS Injection is more about injecting alien javascript onto site A to make site A call site B with the info it wants.

Daniel

Re:XSS

[Cigarra]

So, how is this different than Javascript injection or Cross-site Scripting?

It is not. They just HAD to make it to Slashdot's front page.

Duh

[evil_Tak]

This has been around for (web) ages. As stated in the summary, it's used all over the place to create mashups because it's one of the only ways around the security requirement that XmlHttpRequest can only talk to the originating server.

Re:Okay, I'll be the first to ask.

[daviddennis]

This is much harder to protect against than normal XSS. Why? Because the Ajax does not have to be executed from within the same domain.

Let's say someone wants to attack my site, amazing.com. I browse to their site, remarkable.com, and the exploit code gets loaded into my browser. Remarkable.com can post to amazing.com using AJAX and receive replies as though they were authenticated on my site, because the browser automatically sends the amazing.com cookies with it when accessing an amazing.com URL. It appears to the browser fundamentally as though I was in remarkable.com and then typed the amazing.com URL on to the address bar.

(Of course you could spoof the referer but not from an existing browser session so I think the referer can be relied on in this context.)

If this is so, then it could truly be a throbbing migraine to fix - you would have to use the HTTP referer field to verify that the site calling your Ajax code was valid.

Hope that helps. Not the cheeriest news this morning :-(, but hopefully Prototype will have some kind of fix, and life will go on.

D

Re:Okay, I'll be the first to ask.

[Anonymous Coward]

My thought exactly. More specifically, this sounds like a CSRF attack ( http://en.wikipedia.org/wiki/Cross-site_request_fo rgery [wikipedia.org] ).

Such an attack previously succeeded on Digg (in the form of a white-hat demonstration of a self-Digging website), but that vulnerability has already been patched. The description of the demo attack, which they also refer to as "session riding," is available here: http://4diggers.blogspot.com/ [blogspot.com]

Re:XSS

[Anonymous Coward]

This attack seems to be more like CSRF than XSS. You have authenticated to site A, you have a cookie to site A, you navigate to site B. In CSRF, site B performs a hidden form post to update and change information on your account. In this attack, site B performs cross site AJAX calls to steal, update, or change information on your account.

--Anonymous Coward

Re:Okay, I'll be the first to ask.

[Bogtha]

No, that kind of thing has always been possible since the very first implementation of JavaScript. If you don't need POST, then you can even do it with plain HTML 2.0, no JavaScript.

The problem here is that JSON is a subset of JavaScript and so it is automatically parsed under the local domain's security context when it's included in a document with <script>. There's a few tricks to "hide" it even though it's already been parsed and is sitting in memory, I assume these guys have found a way around that.

They discovered this?

[borkus]

I went to an Ajax conference last fall and I'm pretty sure that presenters mentioned this vulnerability in JSON.

All AJAX applications transfer data between the webpage in the client's browser and the server. If the data is in XML, the webpage and the XML have to come from the same server. If it's JSON (JavaScript Object Notation), then they do not have to come from the same server. So, if you are sending data that depends on some kind of authentication - don't use JSON.

The JSON vulnerability comes from having your session open too long. Someone navigates to a bad site and it access the active session on the target site. Shorter session timeouts help with this. You can also do some authentication in the XML request as well. And don't use JSON for data that requires authentication.

In short, if you're using AJAX for data that requires authentication, then you need to take some simple precautions.

Re:Where's the problem?

[TheSunborn]

The problem is your statement that "AJAX needs no continual session"

AJAX really do need sessions. Just think of Gmail. It it a single AJAX session starting when you login, and finishing when you logout or timeout.

If AJAX don't use sessions, it would have to authenticate itself with username and password with each request it made to the server.

An better solution might be to let the AJAX application explicit handle sessions by storing the session id, and sending it in the post part of all it's requests. But that might be a problem with the browsers history, because it would then loose your session id, if you used the back button.

Re:XSS

[KDan]

Sorry, I was writing this in a rush. I meant site A executes the code that was injected, retrieves the resulting data from site A, and then sends that data over to site B (or some other location). Typically this "data" is stuff like login information...

Daniel

Re:Where's the problem?

[ergo98]

But why are AJAX apps storing authentication in cookies? If you need to store authentication (User session id's etc), store them in a variable within the javascript.

Store then in javascript? Huh?

It is completely normal -- across the entire industry -- to store session identifiers in cookies. There is nothing special or AJAXy about that.

Re:We've already seen this before

[aron_wallaker]

There are ways to deal with this. Joe Walker, author of Direct Web Remoting (DWR), talks about the GMail problem and ways to solve it:

http://getahead.org/blog/joe/2007/01/01/csrf_attac ks_or_how_to_avoid_exposing_your_gmail_contacts.ht ml [getahead.org]

Of course, DWR 2.0 will have all this goodness built in. :)

Detailed report on this problem (no reg required)

[robby_r]

All: I encourage all of you to read the detailed report Fortify wrote on this topic. Its written for developers and explains the problem in clear technical detail. http://www.fortifysoftware.com/advisory.jsp [fortifysoftware.com] (No registration required) Its a long document but I doubt you'll have a lot of questions after reading it. Its refreshing to see reports written like this that don't insult a developer's intelligence.

Re:Enough

[Anonymous Coward]

BBZZZT! I'll bite... "Web 2.0" is a term coined by Tim O'Reilly (of O'Reilly Media; you know, those books with the animals on the cover) as a way of classifying a new generation of web-based applications, a shift from static text and html to interactivity and user-participation in creating the content of a site. The media picked up on it later and gave it buzzwordyness. People who do not have a background in and/or an understanding of technology assume that the media made it up.

vulnerable == cookie && json && !p

[Anonymous Coward]

An application may be vulnerable if:

- It uses cookies to store session IDs or other forms of credentials; and
- It sends data from server to browser using "JSON" notation; and
- It doesn't require POST data in each request.

A vulnerable application can be fixed by changing any of these three aspects:

- Stop using cookies, and instead supply the credentials in the request's URL or POST data.
- Don't use JSON, or munge your JSON so that it can't be run directly from within a <script> tag; for example, you could put comments around it in the server and strip them off in your client.
- Have the client send some POST data and check for it on the server (a <script> tag can't send POST data).

My preference, and the strategy that I've used in Anyterm and Decimail Webmail, is to not use cookies. To me it actually seems easier to put the session ID in the request, rather than to mess around with cookies.

The advisory, which explains it all but is a bit waffly at the start, is at http://www.fortifysoftware.com/servlet/downloads/p ublic/JavaScript_Hijacking.pdf [fortifysoftware.com]

Re:They discovered this?

[Anonymous Coward]

All AJAX applications transfer data between the webpage in the client's browser and the server. If the data is in XML, the webpage and the XML have to come from the same server. If it's JSON (JavaScript Object Notation), then they do not have to come from the same server. So, if you are sending data that depends on some kind of authentication - don't use JSON.

Uhh pardon? If I return json or I return XML, or I return pain text, or I return some format of my choice, the server requesting the script will still get the result from my server, just as if you POST'ed to a form on my site. This is the same issue as a cross site request forgery, the evil domain you are visiting is relying on the request to be validated since the cookies are set on the clients machine. All they are saying is that data returned from a ajax-script can be viewed using the same CSRF attack methods, this is NOTHING NEW. If the script requires request tokens (anything that would return sensitive information, or modify user accounts etc.), DON'T store them in cookies, or you are just as vulnerable to a "standard" CSRF attack, generate the tokens for the page and pass them in post/get.

XML is so last week. What's really wrong.

[Animats]

XML is now so last week. Really l33t web apps use JSON, which is yet another way to write S-expressions like those of LISP, but now in Javascript brackets.

There are several security problems with JSON. First, some web apps parse JSON notation by feeding it into JavaScript's "eval" [json.org]. Now that was dumb. Some JSON support code "filters" the incoming data before the EVAL, but the most popular implementation missed filtering something and left a hole. Second, there's an attack similar to the ones involving redefining XMLHttpRequest: redefining the Array constructor. [getahead.org] (Caution, page contains proof of concept exploit.)

The real problem is JavaScript's excessive dynamism. Because you can redefine objects in one script and have that affect another script from a different source, the language is fundamentally vulnerable. It's not clear how to allow "mashups" and prevent this. The last attempt to fix this problem involved adding restrictions to XMLHttpRequest, but that only plugged some of the holes.

As a minimum, it's probably desirable to insist in the browser that, on secure pages, all Javascript and data must come from the main page of the domain. No "mashups" with secure pages.

Re:Okay, I'll be the first to ask.

[Bogtha]

this only affects AJAX APIs / apps that are designed to be called from other domains.

No, that's the vulnerability. This allows other domains to get the data when the applications don't want to share it.

Bottom line: Don't expose any data / functionality through an API that allows cross-domain XHR unless you add additional precautions.

The news here is that the "additional precautions" that most Ajax libraries take are ineffective.

Re:Okay, I'll be the first to ask.

[uss_valiant]

Just read the original advisory [fortifysoftware.com]. TFA didn't link to it.

You're right, they're right. It's from March 12th, 2007 and it's a different issue than the one I mentioned before.
Putting the JSON data into comment tags or Google's while() approach sound like good defense mechanisms.
Also, using auth tokens in addition to cookies can defeat most scenarios as well (just ensure not to return a valid auth token in any replies that don't require a valid auth token already).

Re:Shirky's Law:

[sakusha]

I would consider Facebook's level of security pretty high.

Riiight. Facebook is absolutely secure and immune from security problems [digg.com] and spam [wordpress.com] because of their preventative measures.