Web 2.0 AJAX-style Web Applications Vulnerable To JavaScript Hijacking

Fortify Software released today a Web 2.0/AJAX security whitepaper that affects almost all JavaScript frameworks and libraries. Fortify experts analysed 12 popular AJAX frameworks, including 4 server-integrated toolkits - Direct Web Remoting (DWR), Microsoft ASP.NET Ajax (a.k.a. Atlas), xajax and Google Web Toolkit (GWT) - and 8 purely client-side libraries - Prototype, Script.aculo.us, Dojo, Moo.fx, jQuery, Yahoo! UI, Rico, and MochiKit. Among all the frameworks tested, they found that only DWR 2.0 implements mechanisms for preventing JavaScript Hijacking. I was trying to have a conversation with Fortify experts during the weekend, but time was short; anyway, you can find the press release below, and the PDF whitepaper can be downloaded from Fortify's Advisory.

PALO ALTO, Calif., April 2, 2007 - Fortify Software, the leading provider of security products that help companies identify, manage and remediate software vulnerabilities, today announced that its Security Research Group has documented the first major vulnerability associated specifically with Web 2.0 and AJAX-style software. Termed JavaScript Hijacking, the vulnerability allows an attacker to steal critical data by emulating unsuspecting users. To combat this issue, Fortify has released an in-depth security advisory that details this vulnerability, how enterprises can determine if they are vulnerable and how they can fix the issue.
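The press release does not describe the defenses themselves, so the following is an added illustration (my own example, not code from Fortify's advisory or from DWR) of two protections commonly applied to a JSON endpoint against JavaScript Hijacking: refusing requests that a cross-site `<script src=...>` include could issue (GET with no custom header), and prefixing the response so it cannot be evaluated as a script. The function names, the header value and the sample record are assumptions for the example.

```python
import json

# Prefix that traps execution in an infinite loop if the body is ever
# evaluated as a script; the legitimate XHR client strips it before parsing.
PREFIX = "while(1);"


def guard_json_response(method, headers, payload):
    """Return (status, body) for a JSON endpoint hardened against hijacking.

    A <script> tag can only issue a GET and cannot set custom headers, so
    requiring POST plus X-Requested-With rejects cross-site script includes
    without affecting the application's own XMLHttpRequest calls.
    """
    if method.upper() != "POST":
        return 405, ""
    # Header names are case-insensitive; normalise before the lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    if lowered.get("x-requested-with") != "XMLHttpRequest":
        return 403, ""
    return 200, PREFIX + json.dumps(payload)


def client_unwrap(body):
    """Client-side counterpart: strip the prefix and parse the JSON."""
    if not body.startswith(PREFIX):
        raise ValueError("unexpected response format")
    return json.loads(body[len(PREFIX):])


# Constructed sample data standing in for a user's private record.
SAMPLE = {"account": "acct-0001", "balance": 1250.75}

if __name__ == "__main__":
    # Request shaped like a cross-site <script src=...> include: GET, no header.
    print(guard_json_response("GET", {}, SAMPLE))
    # Request shaped like the application's own XHR call.
    status, body = guard_json_response(
        "POST", {"X-Requested-With": "XMLHttpRequest"}, SAMPLE)
    print(status, body)
    print(client_unwrap(body) == SAMPLE)
```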

Fortify Software

Download: Fortify Software’s Web 2.0 Advisory

Source: Ajax magazine