A new vulnerability, termed JavaScript hijacking, was recently identified that specifically affects the rich, interactive interfaces typically associated with Ajax and Web 2.0 applications. The vulnerability, which can occur in any application that uses JavaScript as a data transport mechanism, can compromise the integrity of the vulnerable website, as well as expose users sensitive private information. JavaScript hijacking represents a new and critical attack vector that organizations developing Web 2.0 applications should take immediate steps to avoid. In other words, its hot.
JavaScript Hijacking allows an attacker to bypass the Same Origin Policy (SOP) in web applications that use JavaScript, often in the form of JavaScript Object Notation (JSON), to communicate confidential information. The loophole in the SOP is that it allows JavaScript from any website to be included and executed in the context of any other website. Even though a malicious site cannot directly examine data loaded from a vulnerable site on the client, it can still take advantage of this loophole by setting up an environment that allows it to witness the execution of the JavaScript from the vulnerable site. When JavaScript is used to transport data, this gives the attacker access to values stored in JavaScript data structures and can compromise sensitive information.
There are two fundamental ways to defend against JavaScript Hijacking: (1) Decline malicious requests and (2) prevent direct execution of the JavaScript response. For an application to detect malicious requests, every request should include a parameter that is difficult for an attacker to guess, such as adding a session cookie to the request as a parameter. When the server receives a request, it can check to be certain the session cookie matches the value in the request parameter. The second technique for protecting against JavaScript hijacking involves preventing the direct execution of responses that convey information using JavaScript notation. There are many possible approaches to preventing a JavaScript statement from executing, one of which is to include comment characters around the JavaScript that must be removed before the JavaScript is evaluated. This technique is effective because the legitimate client application can take advantage of the fact that it is allowed to modify the data it receives before executing it, while a malicious application can only execute it as-is using a
