About

This page contains a single entry from the blog posted on April 2, 2007 2:49 PM.


Hijacking Javascript

Bruce Schneier has a very interesting blog post today on hijacking JavaScript. In it, he references a recent paper published by Fortify Software.

The paper describes JavaScript hijacking as follows:
"Web browsers enforce the Same Origin Policy in order to protect users from malicious websites. The Same Origin Policy requires that, in order for JavaScript to access the contents of a Web page, both the JavaScript and the Web page must originate from the same domain. Without the Same Origin Policy, a malicious website could serve up JavaScript that loads sensitive information from other websites using a client's credentials, culls through it, and communicates it back to the attacker."

"JavaScript Hijacking allows an attacker to bypass the Same Origin Policy in the case that a Web application uses JavaScript to communicate confidential information. The loophole in the Same Origin Policy is that it allows JavaScript from any website to be included and executed in the context of any other website. Even though a malicious site cannot directly examine any data loaded from a vulnerable site on the client, it can still take advantage of this loophole by setting up an environment that allows it to witness the execution of the JavaScript and any relevant side effects it may have. Since many Web 2.0 applications use JavaScript as a data transport mechanism, they are often vulnerable while traditional Web applications are not."

As Bruce says in his blog, "Like so many of these sorts of vulnerabilities, preventing the class of attacks is easy. In many cases it requires just a few additional lines of code. And like so many software security problems, programmers need to understand the security implications of their work so that they can mitigate the risks they face. But my guess is that Javascript hijacking won't be solved so easily, because programmers don't understand the security implications of their work and won't prevent the attacks."

I agree. I think that this type of attack will become common over the next year as more enterprises and individuals take on Web 2.0-type applications using Ajax. The risk to the enterprise is the loss of sensitive data, some of which may be identity data.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com
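
The "few additional lines of code" on the defending side can look like the sketch below. It is an added example, not code from the original post, from Bruce Schneier or from the Fortify paper. It combines two commonly used defenses: refusing requests that a cross-site script include could have produced, and prefixing the JSON so it cannot run as a script. The function names, the `x-csrf-token` header and the `)]}',` guard string are assumptions chosen for illustration.

```javascript
// Added example with hypothetical names; request objects are plain constructed data.
const GUARD = ")]}',\n"; // a syntax error if the response is ever loaded as a script

// Compare tokens without stopping at the first differing character.
function tokensMatch(sent, expected) {
  if (sent.length === 0 || sent.length !== expected.length) return false;
  let diff = 0;
  for (let i = 0; i < sent.length; i++) {
    diff |= sent.charCodeAt(i) ^ expected.charCodeAt(i);
  }
  return diff === 0;
}

// Server side: decide how to answer a request for confidential JSON.
// req = { method, headers (lower-case keys), sessionToken (from the user's session) }
function serveConfidentialJson(req, data) {
  const sent = req.headers['x-csrf-token'] || '';
  // A script include from another site is always a GET, carries the user's
  // cookies, and cannot set custom headers. The cookie alone therefore proves
  // nothing; the method and the per-session token are what get checked.
  if (req.method !== 'POST' || !tokensMatch(sent, req.sessionToken || '')) {
    return { status: 403, headers: {}, body: '' };
  }
  return {
    status: 200,
    headers: {
      'content-type': 'application/json',
      'x-content-type-options': 'nosniff',
    },
    body: GUARD + JSON.stringify(data),
  };
}

// Client side: the application's own page reads the response as text
// (same-origin XMLHttpRequest), strips the guard, and only then parses it.
function parseGuardedJson(text) {
  if (!text.startsWith(GUARD)) throw new Error('guard prefix missing');
  return JSON.parse(text.slice(GUARD.length));
}
```

Only same-origin code can read the response text and strip the guard; a page on another site that includes the URL as a script gets either a 403 or a body that fails to parse.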
