First Major Vulnerability of Web 2.0 Apps Documented

Fortify Software's Security Research Group has identified the first major vulnerability associated exclusively with Web 2.0 and AJAX-style applications.

A JavaScript Hijacking attack may pose a threat to many Internet applications written using the popular AJAX programming technique.

According to Fortify, "JavaScript Hijacking seems to be a universal problem." The Direct Web Remoting (DWR) 2.0 project, which lets JavaScript in the web browser call Java classes on the server, is resistant to the attack, though patches can be obtained for other AJAX frameworks.

Fortify stated that the "ubiquitous and serious weakness" is present in nearly all AJAX frameworks, and thus in many Web 2.0 applications. It lets an attacker impersonate the application's user and read information transferred as JavaScript, using the <script> tag to bypass the same-origin policy that web browsers enforce.

Moreover, even applications that do not use the vulnerable AJAX frameworks directly could be vulnerable if they contain AJAX components that use JavaScript to convey data.

Fortify's Web 2.0 Security Advisory is intended to help software developers and organizations understand and fix the problem. The organization recommended "a bilateral move that lets applications reject malicious software, and stops hackers from instantly running the yielded JavaScript applications."
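One way to implement the two parts of that recommendation, as an added example that is not taken from Fortify's advisory or from this article: the server declines any data request that lacks a per-session token in a custom header, and it prefixes every response so the body cannot be run directly when pulled in through a <script> tag. The prefix, the header name, the function names and the sample values are assumptions chosen for illustration.

```javascript
// Added example, not Fortify's code. PREFIX, TOKEN_HEADER and all function
// names are assumptions chosen for illustration.
const PREFIX = "while(1);";              // a <script> include spins here and never reaches the data
const TOKEN_HEADER = "x-request-token";  // hypothetical custom header

// Compare without returning at the first mismatching character.
function tokenMatches(expected, supplied) {
  if (typeof supplied !== "string" || supplied.length !== expected.length) return false;
  let diff = 0;
  for (let i = 0; i < expected.length; i++) {
    diff |= expected.charCodeAt(i) ^ supplied.charCodeAt(i);
  }
  return diff === 0;
}

// Server side. session.token is assumed to be a per-session random value
// that the application's own pages receive and echo back in TOKEN_HEADER.
function handleDataRequest(session, headers, data) {
  // Part 1: decline the request. A <script src=...> on another site sends the
  // user's cookies automatically but cannot attach a custom header.
  if (!tokenMatches(session.token, headers[TOKEN_HEADER])) {
    return { status: 403, body: "" };
  }
  // Part 2: the body is only usable by code that can read it as text.
  return { status: 200, body: PREFIX + JSON.stringify(data) };
}

// Client side, same origin: the response text is read (e.g. via
// XMLHttpRequest), the prefix removed, and the rest parsed as data, not run.
function parseGuardedResponse(body) {
  if (!body.startsWith(PREFIX)) throw new Error("guard prefix missing");
  return JSON.parse(body.slice(PREFIX.length));
}

// Constructed sample values.
const session = { token: "3f9c1b7e5a2d4c68" };
const contacts = [{ name: "Alice", email: "alice@example.com" }];

const crossSite = handleDataRequest(session, { cookie: "sid=abc" }, contacts);
const sameOrigin = handleDataRequest(
  session, { cookie: "sid=abc", [TOKEN_HEADER]: session.token }, contacts);
console.log(crossSite.status, sameOrigin.status, parseGuardedResponse(sameOrigin.body));
```

Either part alone narrows the exposure; together they cover the case where a token leaks or a check is missed on one endpoint.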

The weakness exposes companies to malicious software that provides hackers with unauthorized access to copyrighted data. JavaScript Hijacking permits a hacker to impersonate a user accessing the Web 2.0 application and to read confidential data sent between the application and the browser via JavaScript. Hackers can then trade commodities, buy and sell stocks, reconfigure firewalls on a company's network, or access and manipulate customer databases and financial data.

Jeremiah Grossman, WhiteHat Security's CTO and a freelance security investigator, together with other security researchers, has already shown that the weakness is exploitable only in special cases.

"Latest technology will surely usher in new weaknesses; therefore developers should be careful during their development phase so they can ensure safety while innovating," Grossman asserted in PC World's report dated April 3, 2007. "Software developers and other people using the Web 2.0 application should earnestly take up this matter and try to settle it promptly."


» SPAMfighter News - 12-04-2007
