JavaScript Hijacking
An increasing number of rich Web applications, often called Ajax applications, make use of JavaScript as a data transport mechanism. This paper describes a vulnerability we term JavaScript Hijacking, which allows an unauthorized party to read confidential data contained in JavaScript messages. The attack works by using a <script> tag to circumvent the Same Origin Policy enforced by Web browsers. Traditional Web applications are not vulnerable because they do not use JavaScript as a data transport mechanism.
Although the term “Web 2.0” does not have a rigorous definition, it is commonly used in at least two ways. First, it refers to Web applications that encourage social interaction or collective contribution for a common good. Second, it refers to Web programming techniques that lead to a rich and user-friendly interface. These techniques sometimes go by the name Asynchronous JavaScript and XML (Ajax), though many implementations use no XML at all. In some cases, the social and technical aspects of Web 2.0 come together in the form of mashups: Web applications that are built by assembling pieces from multiple independent Web applications.
This paper describes a vulnerability we term JavaScript Hijacking. It is an attack against the data transport mechanism used by many rich Web applications. JavaScript Hijacking allows an unauthorized attacker to read confidential data from a vulnerable application using a technique similar to the one commonly used to create mashups. The vulnerability is already being discussed in some circles, but the majority of Web programmers are not aware that the problem exists, and even fewer security teams understand how widespread it is.
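The exposure described above depends on a confidential response compiling as JavaScript when it is loaded through a <script> tag. The following is an added example, not code from the paper: an audit check for which response bodies compile as script, next to a guard prefix that stops them from doing so. The GUARD value, the function names, and the sample endpoints and bodies are assumptions constructed for illustration.

```javascript
// Added example (not from the paper). GUARD and the sample bodies are constructed.

// A prefix that is a JavaScript syntax error. A body that starts with it cannot
// compile when a browser loads it through a <script> tag.
const GUARD = ")]}',\n";

// True if `body` compiles as JavaScript, which is what a <script src=...>
// load requires. new Function() only compiles; the result is never called.
function parsesAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (err) {
    if (err instanceof SyntaxError) return false;
    throw err;
  }
}

// Server side: send the guard in front of the JSON text.
function guardJson(value) {
  return GUARD + JSON.stringify(value);
}

// Client side (same-origin XHR/fetch code can read the raw text): refuse
// unguarded bodies, strip the guard, then parse as data, never as code.
function parseGuarded(body) {
  if (!body.startsWith(GUARD)) throw new Error("response is missing the guard prefix");
  return JSON.parse(body.slice(GUARD.length));
}

// Audit helper: return the endpoints whose bodies would run as a script.
function scriptLoadable(responses) {
  return Object.keys(responses).filter((path) => parsesAsScript(responses[path]));
}

// Constructed sample responses, keyed by a hypothetical endpoint path.
const SAMPLE = {
  "/contacts": '[{"name":"Alice","email":"alice@example.com"}]', // top-level array
  "/profile": '{"name":"Alice","email":"alice@example.com"}',    // top-level object
  "/contacts-guarded": guardJson([{ name: "Alice", email: "alice@example.com" }]),
};

console.log(scriptLoadable(SAMPLE));
```

The top-level object fails to compile only because `{` opens a block statement in statement position; that is a parser detail rather than a control, so the guard belongs on every confidential response regardless of its shape.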
…
Website: www.fortify.com | Filesize: 348kb
No of Page(s): 10