Fortify Documents Vulnerability in Web 2.0

Fortify's Security Research Group has documented a major vulnerability associated specifically with Web 2.0 and Ajax-style software

Dark Reading Staff, Dark Reading

April 2, 2007

2 Min Read
Dark Reading logo in a gray background | Dark Reading

PALO ALTO, Calif. -- Fortify Software, the leading provider of security products that help companies identify, manage and remediate software vulnerabilities, today announced that its Security Research Group has documented the first major vulnerability associated specifically with Web 2.0 and Ajax-style software. Termed JavaScript Hijacking, the vulnerability allows an attacker to steal critical data by emulating unsuspecting users. To combat this issue, Fortify has released an in-depth security advisory that details this vulnerability, how enterprises can determine if they are vulnerable and how they can fix the issue. A copy of this advisory can be downloaded at www.fortifysoftware.com/advisory.jsp.

JavaScript Hijacking appears to be a ubiquitous problem. As part of Fortify's work, the 12 most popular Ajax frameworks were analyzed, including frameworks from Google (NASDAQ: GOOG), Microsoft (NASDAQ: MSFT), Yahoo! (NASDAQ: YHOO) and the open source community. Fortify determined that among them, only Direct Web Remoting (DWR) 2.0 implements mechanisms for preventing JavaScript Hijacking. The rest of the frameworks do not explicitly provide any protection and do not mention any security concerns in their documentations. Even if an application does not use any of the frameworks listed above, it may be vulnerable if it contains AJAX components that use JavaScript as a data transfer format for sensitive data.

"With recent surveys from McKinsey indicating that almost 75 percent of enterprises plan on increasing their investment in Web 2.0 technologies, it is clear that we need to address the issue now," said Brian Chess, Fortify Software's co-founder and Chief Scientist. "Unlike vulnerabilities that are tied to a specific application or operating system, there is no single vendor to which this issue can be reported and resolved. In fact, many rich Web applications don't use any framework at all. As a result, we need to educate software developers about the risk that Web 2.0 brings."

Fortify Software Inc.

Read more about:

2007

About the Author

Dark Reading Staff

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

See more from Dark Reading Staff
Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.
Subscribe

You May Also Like

More Insights
Webinars
More Webinars
Events
More Events

Editor's Choice

Screen covered with multi-colored postits, each one with a password written on it.
Identity & Access Management Security
NIST Drops Password Complexity, Mandatory Reset RulesNIST Drops Password Complexity, Mandatory Reset Rules
byEdge Editors
Sep 25, 2024
2 Min Read
CrowdStrike logo on smatphone screen
Cyberattacks & Data Breaches
CrowdStrike Offers Mea Culpa to House CommitteeCrowdStrike Offers Mea Culpa to House Committee
byJai Vijayan, Contributing Writer
Sep 25, 2024
4 Min Read
Black background and white text saying Dark Reading Confidential
Vulnerabilities & Threats
Dark Reading Confidential: Pen-Test Arrests, 5 Years LaterDark Reading Confidential: Pen-Test Arrests, 5 Years Later
byDark Reading Staff
Sep 10, 2024
42 Min Listen
Reports
More Reports
Webinars
More Webinars
White Papers
More Whitepapers
Events
More Events