Web 2.0: Twice the fun, twice the vulnerabilities

By William Jackson

LAS VEGAS — Browsers are being used in unexpected ways to support Web 2.0. This means that interactive Web applications are subject to the same vulnerabilities as client-server applications, as well as some new ones that developers might not have considered.

A case in point: Developers are using JavaScript as a transport format for Web data as a means of getting around the Same Origin Policy built into browsers. Browsers use the Same Origin Policy to ensure that one Web site does not use a third-party browser to gather information from a second Web site, said Brian Chess, chief scientist and founder at Fortify Software. Browsers partition information from different sites. But the policy assumes that information will be in HTML. The JavaScript in AJAX gets around that.

“It’s very creative,” Chess said. But it also opens some Web sites to an exploit called JavaScript Hijacking. “It’s an unforeseen consequence of what sounds like a good idea.”

Chess is at this week’s Black Hat Briefings security conference, pounding the drums for secure software development to help prevent such unintended consequences.

The current model of securing information technology systems by constantly adding more tools on the network or on the host is unsustainable because increasingly interactive applications by their nature find ways around or through these static defenses, Chess said. The new model for security should be software that can defend itself, he said.

JavaScript Hijacking, described earlier this year in a paper from researchers at Fortify Software, is an example of failure of traditional security. AJAX (Asynchronous JavaScript and XML) is a tool for writing software to enable the interactive components of Web 2.0, such as mashups, but it introduces security weaknesses.

“An application can be mashup-friendly or it can be secure, but it cannot be both,” the researchers write. “The loophole in the Same Origin Policy is that it allows JavaScript from any Web site to be included and executed in the context of any other Web site. Applications that are built to be used in a mashup sometimes invoke a callback function at the end of each JavaScript message. A callback function makes a JavaScript Hijacking attack a trivial affair.”
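The loophole the researchers describe, modelled as an added example (not code from the article or from Fortify's paper): a JSON endpoint that wraps its reply in a caller-named callback beside a hardened endpoint that refuses cross-origin `<script>` loads. All function names, the header check and the sample data are hypothetical; the runtime is Node.js.

```javascript
// Constructed sample: private data that a logged-in user's own page fetches via AJAX.
const PRIVATE_DATA = [{ account: '12-3456', balance: 1042.17 }];

// Vulnerable ("mashup-friendly"): the reply is executable JavaScript that calls a
// callback the requester names. A <script src="..."> tag on ANY origin can load it,
// the browser attaches the victim's cookies, and the loading page's own function
// receives the data. This is the JavaScript Hijacking pattern the paper describes.
function mashupFriendlyResponse(callbackName) {
  return `${callbackName}(${JSON.stringify(PRIVATE_DATA)});`;
}

// Hardened: (1) the body starts with a prefix that makes it a syntax error, so a
// <script> tag aborts before anything runs; (2) the server only answers requests
// carrying a header that XMLHttpRequest can set but a cross-origin <script> cannot.
const ANTI_HIJACK_PREFIX = ")]}',\n";

function hardenedResponse(requestHeaders) {
  if (requestHeaders['x-requested-with'] !== 'XMLHttpRequest') {
    return { status: 403, body: '' };
  }
  return { status: 200, body: ANTI_HIJACK_PREFIX + JSON.stringify(PRIVATE_DATA) };
}

// Legitimate same-origin client: strip the prefix and parse as data, never as code.
function parseHardenedBody(body) {
  if (!body.startsWith(ANTI_HIJACK_PREFIX)) throw new Error('unexpected response shape');
  return JSON.parse(body.slice(ANTI_HIJACK_PREFIX.length));
}

// Check used to compare the two: would a browser's <script> tag execute this body?
// The Function constructor only parses here; a SyntaxError means "cannot run".
function isExecutableScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    return false;
  }
}
```

The prefix is one of several used in practice; the point is that the reply must not be valid JavaScript on its own, and that the server must also distinguish its own page's AJAX calls from a cross-site script load.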
