Fortify Software Documents Pervasive and Critical Vulnerability in Web 2.0

Advisory details a fix for ubiquitous JavaScript Hijacking vulnerability

that allows an attacker to emulate a Web 2.0 user's identity to

fraudulently access software applications

Apr 02, 2007, 01:00 ET from Fortify Software

    PALO ALTO, Calif., April 2 /PRNewswire/ -- Fortify Software, the
 leading provider of security products that help companies identify, manage
 and remediate software vulnerabilities, today announced that its Security
 Research Group has documented the first major vulnerability associated
 specifically with Web 2.0 and AJAX-style software. Termed JavaScript
 Hijacking, the vulnerability allows an attacker to steal critical data by
 emulating unsuspecting users. To combat this issue, Fortify has released an
 in-depth security advisory that details this vulnerability, how enterprises
 can determine if they are vulnerable and how they can fix the issue. A copy
 of this advisory can be downloaded at
     JavaScript Hijacking appears to be a ubiquitous problem. As part of
 Fortify's work, the 12 most popular AJAX frameworks were analyzed,
 including frameworks from Google, Microsoft, Yahoo! and the open source
 community. Fortify determined that among them, only Direct Web Remoting
 (DWR) 2.0 implements mechanisms for preventing JavaScript Hijacking. The
 rest of the frameworks do not explicitly provide any protection and do not
 mention any security concerns in their documentations. Even if an
 application does not use any of the frameworks listed above, it may be
 vulnerable if it contains AJAX components that use JavaScript as a data
 transfer format for sensitive data.
     "With recent surveys from McKinsey indicating that almost 75 percent of
 enterprises plan on increasing their investment in Web 2.0 technologies, it
 is clear that we need to address the issue now," said Brian Chess, Fortify
 Software's co-founder and Chief Scientist. "Unlike vulnerabilities that are
 tied to a specific application or operating system, there is no single
 vendor to which this issue can be reported and resolved. In fact, many rich
 Web applications don't use any framework at all. As a result, we need to
 educate software developers about the risk that Web 2.0 brings."
     Fortify contacted a large group of security researchers, enterprises
 deploying Web 2.0, industry analysts, software developers and framework
 architects to determine the best course of action. The general consensus
 was that Fortify needed to inform the industry in a timely fashion while
 ensuring a fix was available. Fortify's Web 2.0 Security Advisory was
 written to explain the issues to the business community as well as help
 developers fix the problem at the source code level.
     "There are some worrying estimates of the percentage of websites with
 vulnerabilities, so I think it's good for the industry to focus on greater
 security, particularly in understanding the risks," said Joe Walker, CEO of
 Getahead Ltd. and a developer and consultant working on advanced web
 development techniques like AJAX. "I'm pleased to see that Fortify is
 spending time to explain the problem and investigate the issues."
     Although Web 2.0 functionality has already seen mainstream use by
 consumers (e.g. social networking sites like MySpace), enterprises are
 recognizing the growing value of pushing applications to the Web, and are
 rapidly deploying frameworks to facilitate quick access to information,
 improve application performance and encourage collaboration. According to a
 March 2007 McKinsey survey, the industries most likely to adopt Web 2.0
 technologies are retail, high tech, telecommunications, finance and
     The vulnerability opens businesses up to malware that can allow an
 attacker to access proprietary information. JavaScript Hijacking allows an
 attacker to pose as the user accessing the Web 2.0 application. Once the
 attacker successfully emulates the victim, they can read sensitive data
 transmitted between the application and the browser that uses JavaScript as
 a transport mechanism. These attackers can then buy and sell goods, trade
 stocks, adjust security settings for an enterprise network or access and
 manipulate customer, inventory and financial information.
     Any framework or application that meets these criteria may be at risk
 from JavaScript Hijacking and the developers responsible for these
 frameworks and applications should take immediate measures to prevent the
 vulnerability. Fortify Software advocates a two-pronged approach that
 allows applications to decline malicious requests and prevent attackers
 from directly executing JavaScript the applications generate.
     Security researchers like Jeremiah Grossman have already demonstrated
 the viability of this new class of vulnerability in specific instances.
 "New technology often leads to new risks and opens unforeseen avenues of
 malicious attack. Once understood, developers need to ensure the necessary
 safeguards are in place when they break new ground," said Grossman, CTO of
 WhiteHat Security. "Those responsible for the security of Web 2.0
 deployments need to take this issue seriously and implement the steps
 necessary to resolve the issue before the risk results in an incident."
     About Fortify Software, Inc.
     Fortify Software products protect companies from the threats posed by
 security flaws in business-critical software applications. Its software
 security products -- Fortify SCA, Fortify Manager, Fortify Tracer and
 Fortify Defender -- drive down costs and security risks by automating key
 processes of developing and deploying secure applications. Fortify
 Software's customers include government agencies and FORTUNE 500 companies
 in a wide variety of industries, such as financial services, healthcare,
 e-commerce, telecommunications, publishing, insurance, systems integration
 and information management. The company is backed by a world-class team of
 software security experts and partners. More information is available at

SOURCE Fortify Software