From Bruce Schneier's latest Crypto-Gram:
JavaScript Hijacking
JavaScript hijacking is a new type of eavesdropping attack against Ajax-style Web
applications. I'm pretty sure it's the first type of attack that specifically
targets Ajax code. The attack is possible because Web browsers don't protect
JavaScript the same way they protect HTML; if a Web application transfers confidential
data using messages written in JavaScript, in some cases the messages can be read
by an attacker.

The authors show that many popular Ajax programming frameworks do nothing to prevent
JavaScript hijacking. Some actually *require* a programmer to create a vulnerable
server in order to function.

Like so many of these sorts of vulnerabilities, preventing the class of attacks is
easy. In many cases, it requires just a few additional lines of code.
And like so many software security problems, programmers need to understand the security
implications of their work so they can mitigate the risks they face. But my
guess is that JavaScript hijacking won't be solved so easily, because programmers
don't understand the security implications of their work and won't prevent the attacks.

Paper:
http://www.fortifysoftware.com/servlet/downloads/public/JavaScript_Hijacking.pdf
or http://tinyurl.com/28nzje

Responses to many of the blog comments, by one of the paper's co-authors:
http://www.schneier.com/blog/archives/2007/04/javascript_hija_1.html#c160667
or http://tinyurl.com/yqaoz5
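As an added illustration (my own, not code from the Crypto-Gram or the Fortify paper), here is what the "few additional lines of code" can look like: a server-side guard for a JSON endpoint plus the matching client-side parser. The attack depends on a hostile page loading a victim site's data endpoint with a script tag, which the browser fetches with the victim's cookies and executes as JavaScript; the guard rejects requests that could have come from a script tag and makes the body non-executable anyway. The header name (`X-Requested-With`), the `while(1);` prefix, the sample payload and the hand-built request objects are all assumptions for the example.

```javascript
// Added example (not from the Crypto-Gram or the Fortify paper): a server-side guard
// against JavaScript hijacking, plus the client-side parser that undoes the guard.

// A body starting with this never yields data if executed as a script; to the
// legitimate client it is just a fixed prefix to strip. (Assumed token choice.)
const NON_EXEC_PREFIX = 'while(1);';

// Constructed sample: the sort of session-bound data an Ajax endpoint returns.
const SAMPLE_PAYLOAD = { user: 'alice', balance: 1234.56 };

// Server side. `req` is a minimal {method, headers} shape built for the example,
// not a real framework request object. Returns {status, body}.
function serveAccountJson(req, payload = SAMPLE_PAYLOAD) {
  // Normalise header names so the check is case-insensitive.
  const headers = Object.fromEntries(
    Object.entries(req.headers || {}).map(([k, v]) => [k.toLowerCase(), v]));

  // Check 1: a <script src> load is always a GET and cannot carry custom headers,
  // while the site's own XMLHttpRequest code can. Requiring both a POST and the
  // marker header stops the hijack before any data leaves the server.
  if (req.method !== 'POST' || headers['x-requested-with'] !== 'XMLHttpRequest') {
    return { status: 403, body: '' };
  }

  // Check 2 (defence in depth): even if the body were somehow executed as script,
  // the prefix means the interpreter never reaches the JSON literal.
  return { status: 200, body: NON_EXEC_PREFIX + JSON.stringify(payload) };
}

// Client side (same-origin Ajax handler): insist on the prefix, strip it, parse.
function parseGuardedJson(body) {
  if (!body.startsWith(NON_EXEC_PREFIX)) {
    throw new Error('response missing anti-hijacking prefix');
  }
  return JSON.parse(body.slice(NON_EXEC_PREFIX.length));
}

// Constructed requests: what a <script src="https://bank.example/account.json"> tag
// on a hostile page would send (cookies only), versus the site's own Ajax call.
const scriptTagRequest = { method: 'GET', headers: { cookie: 'session=abc' } };
const ajaxRequest = {
  method: 'POST',
  headers: { cookie: 'session=abc', 'X-Requested-With': 'XMLHttpRequest' },
};

console.log(serveAccountJson(scriptTagRequest));        // { status: 403, body: '' }
const ok = serveAccountJson(ajaxRequest);
console.log(ok.body);                                   // while(1);{"user":"alice","balance":1234.56}
console.log(parseGuardedJson(ok.body));                 // { user: 'alice', balance: 1234.56 }
```

Either check alone is enough to defeat the script-tag vector; keeping both means a framework that silently drops custom headers, or a client that forgets to strip the prefix, fails closed rather than open.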
It would be an interesting comparison to see a rich-client app using "traditional"
calls back to a server (via RMI, .NET Remoting, or some kind of messaging system like
JMS or MSMQ) weighed against an AJAX app, compared on security holes. My gut instinct
tells me that the rich client app would be more secure, but only because using the
binary RPC/messaging toolkit obfuscates the wire traffic enough to dissuade the 'casual'
attacker, not because it's inherently more secure.
By the way, if you're not receiving Crypto-Gram via email or RSS, you are seriously
at risk of writing insecure apps. Think it's all dry and boring security threat
alerts? Hardly--check out the "Second Annual Movie-Plot Threat Contest". Then tell
me whether you think it's funny--or just sad--that there will not only be a real winner
to this contest, but that the TSA will, in all likelihood, react the way Bruce predicts,
particularly when the major news outlets report the story and it joins the list of
fears the public already receives on a daily basis.
More people die every day from automobile accidents than from terrorism. Hell, I'd
even bet that on September 11, 2001, more people died from automobile accidents that
day than from the Twin Towers attack. (I don't have the statistics to verify that,
but I imagine it's fairly easy to find out; right or wrong, kudos to whomever takes
the ten or fifteen minutes to research it and send it to me for posting here.)
Ban the automobile! Protect your children from the evil terrorists at Ford, GM, Saturn,
Toyota, DaimlerChrysler, and more! Send in the troops to arrest these fiendish perpetrators
of unnecessary and senseless deaths to innocent American citizens! (And for God's
sake, don't ask how many people die from peanut allergies each year, or we'll lose
Skippy and Reese's Peanut Butter Cups too!)