Security researchers have found what they say is an entirely new kind of web-based attack, and it only targets the Ajax applications so beloved of the ‘Web 2.0’ movement.
Everybody thought that the rise of Ajax as a web programming model would merely exacerbate existing types of attack. Few thought it would give rise to a new class, noted Brian Chess, Fortify’s chief software architect.
Ajax is a way of designing web applications where data is transferred to and from the web site in the background of the page, without the need for a full page refresh when the user interacts with it. It gives web apps the feel of desktop apps, and is used in applications such as Gmail.
And this is where the problem lies, according to Chess.
Fortify now claims that attackers can exploit this loophole to log into Ajax applications pretending to be their victims, and then receive any data that the application would ordinarily serve up using JSON.
If the Ajax app was a webmail service, the attacker could get the contents of an inbox or address book, for example. Indeed, Fortify’s research was based on an earlier finding by Jeremiah Grossman, who found such a vulnerability in Gmail last year.
According to Fortify, 11 of the 12 Ajax frameworks it tested did not have safeguards in place against such attacks. The company did not, however, test the attack against any live applications.
Vulnerable frameworks include Microsoft ASP.NET AJAX (a.k.a. Atlas), XAJAX, Google Web Toolkit, Prototype, Script.aculo.us, Dojo, Moo.fx, jQuery, Yahoo! UI, Rico and MochiKit.
These vendors have all been notified, and will include fixes in their libraries in forthcoming releases, according to Chess. The whitepaper is being released to help coders who have manually created their Ajax objects to build in similar safeguards too, he said.
Since Ajax is in its infancy, this is far less of a problem than, say, buffer overflows were when they first came to light, Chess noted. There are not a lot of legacy Ajax applications that will need to be fixed. So, Fortify wants to publicize its finding as loudly as possible now to nip the problem in the bud.