JavaScript Security Vulnerabilities: Weakness in Web 2.0

A glaring spotlight is now focused on vulnerabilities inherent in a key enabler of the new breed of dynamic Web pages. Demonstrations at last week's annual Black Hat cybersecurity conference employed Web-page-embedded JavaScript to attack corporate servers.

At the show, Billy Hoffman, lead engineer at Web security specialist SPI Dynamics, showed how AJAX attacks could be designed to break into and manipulate online stock trading accounts. And Jeremiah Grossman, CTO of WhiteHat Security, showed how an AJAX attack could be spread using MySpace as a means of sending an invasive program deep into an enterprise's internal network.

Legions of Web app developers are now using the technology combo known as AJAX to improve the responsiveness of Web pages by automating the exchange of information between browsers and servers. Although it's typically thought of as shorthand for "Asynchronous JavaScript and XML," AJAX actually combines XHTML and CSS for standards-based presentation, the Document Object Model for dynamic display and interaction, XML and XSLT for data interchange and manipulation, the XMLHttpRequest object for asynchronous data retrieval, and JavaScript to bind it all together.

The attacks demoed by Hoffman and Grossman didn't show a new vulnerability, says Dr. Brian Chess, chief scientist at Palo Alto, CA-based security vendor Fortify Software. But they did find "a new and creative way of exploiting" an inherent flaw in JavaScript.

"JavaScript is just very hard to secure," Chess says, "and AJAX proponents are not acknowledging the problem. I understand that they're still trying to win people over to their camp. So there's a tendency to say, hey, jump in the water, everything's great. But I'm afraid that's not going to work out."

Attackers can use JavaScript to exploit a common flaw known as cross-site scripting (XSS), Chess says. XSS attacks seek to inject code onto legitimate Web sites to mislead users and steal their information.
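The XSS flaw Chess describes, and the XMLHttpRequest data path sketched above, come together at one point: the moment an AJAX callback writes server-supplied data into the page. The following is an added example, not code from the article or from any of the vendors it quotes, showing the vulnerable rendering pattern beside the hardened one. The profile record, the `escapeHtml` helper and the `containsInjectedMarkup` check are all constructed for this illustration.

```javascript
// Added example (not from the article). A server field such as displayName may
// have been stored by another user, so it is attacker-controlled from the
// viewer's point of view. In a browser the strings returned below would be
// assigned to element.innerHTML; here they are returned so the effect is visible.

// Minimal escaper for text placed inside an element body (hypothetical helper,
// not a library the article names). Covers the five characters that can start
// markup or break out of an attribute value.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the server-supplied field is concatenated straight into
// markup, so any tags in the data become part of the page.
function renderProfileUnsafe(profile) {
  return `<div class="name">${profile.displayName}</div>`;
}

// Hardened pattern: the same template, but the data is escaped first, so the
// browser shows the characters instead of interpreting them.
function renderProfileSafe(profile) {
  return `<div class="name">${escapeHtml(profile.displayName)}</div>`;
}

// Small review check: did any tag other than the template's own <div> end up
// in the generated markup? True means data leaked into the markup layer.
function containsInjectedMarkup(html) {
  const tags = html.match(/<[^>]+>/g) || [];
  return tags.some((t) => !/^<\/?div(\s|>)/.test(t));
}

// Constructed sample response, in the shape an XMLHttpRequest callback would
// receive after JSON.parse(xhr.responseText).
const sampleResponse = JSON.parse(
  '{"displayName":"Alice <script>alert(1)</script>"}'
);

// Expected: the unsafe render contains a <script> tag from the data; the safe
// render contains only the template's <div>.
console.log("unsafe:", renderProfileUnsafe(sampleResponse));
console.log("safe:  ", renderProfileSafe(sampleResponse));
```

In a real page the safe branch is equivalent to assigning the field to `element.textContent` rather than `innerHTML`; the escaper is shown explicitly so the transformation is visible outside a browser. Escaping is context-specific: text that goes into an attribute value, a URL or a script block needs a different encoder than the element-body one above.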

"We need to stop teaching people to make use of these new Web technologies while pretending that there are no security considerations. This is an old problem; people are saying, ‘This is a new technology and we've learned from all of those security mistakes of the past. Now we just don't need to think about it.’ But that's crazy. With new technologies come a new set of threats."

Dr. David Wagner, professor of computer science at UC Berkeley, doesn't see the demoed attacks as especially alarming. "It looks like the impact is just that hackers can perform reconnaissance and reconnoitering against your intranet," he says, "but this doesn't provide any new way to actually attack internal hosts (except possibly in some special cases). If that is correct, then this vulnerability isn't really all that big a deal."

However, the security problems associated with JavaScript concern him greatly. "JavaScript is bad news for security," he says. "The security model was never very well thought-out. The flaws in it are by design, and I don't know of any good way to fix them without throwing it away and starting over."

"A key problem with JavaScript is that it was designed so that its scripts can do anything the user can do," Wagner explains. For example, it can pretend the user clicked on a particular link, or typed in some text into a Web page.

"There are a lot of things we might like to allow a user to do that it's not a good idea to let a JavaScript script of unknown provenance do," Wagner says. "Unfortunately, JavaScript doesn't provide any good way to enforce such a distinction."

What should AJAX developers do?

"As a Web 2.0 programmer—an AJAX programmer—you need to both protect the user and not trust the user," says Chess. "I know that's counterintuitive, but think about it; the user can be both an attacker and a victim. Doing both of those things at once is a bit of a juggling act, but necessary from a security standpoint."

"Developers need to be aware of security and take responsibility for their applications," Wagner advises. "One of the benefits of new Web technologies has been to make Web programming accessible to a much broader interface—but that is a double-edged sword, because many of these new Web developers aren't necessarily trained in or fully aware of security issues. As software developers, it behooves us to think proactively about how our code might be misused."

About the Author

John K. Waters is a freelance writer based in Silicon Valley. He can be reached at [email protected].