Fortify Notice About Web 2.0 Vulnerability

The folks at Fortify have released an advisory about “Web 2.0” vulnerabilities based on JavaScript manipulation.  It is possible for a malicious page to redefine the standard JavaScript Object() constructor (and related core constructs) and use that modification to break JavaScript’s access control rules specifying what data should be available to what scripts across domains and hosts.  The underlying problem is that a cross-domain <script src="..."> include executes whatever the target URL returns, and a JSON response is itself valid JavaScript, so the attacker’s page can observe the data as the browser builds it, even though it could never read that response with XMLHttpRequest.  This is similar to the technique Jeremiah Grossman demonstrated when testing the security of GMail, although his hack was based on redefining the JavaScript Array() constructor.  Check out the Fortify advisory here.

How do you avoid being exposed to this class of vulnerability?  There are a couple of things you can do to minimize your exposure:

  • First and foremost, be very careful about the sorts of data you serve to Web 2.0 requesters in an automatically parseable JavaScript format.  This includes returning pure JSON data: a JSON array in particular is a complete, valid JavaScript program, so a page on any domain can pull it in with a <script> tag.  Because JavaScript can be subverted by redefining core constructs such as the Object() and Array() constructors, this data may be far more widely accessible in mashup pages than you would expect.  Do not return anything you would not want to appear unfiltered in a call to eval() or between <script> tags.
  • URLs that render parseable JavaScript should be “hard” to get to.  Requiring POST rather than GET helps, because a <script src> tag can only issue a GET request; a POST-only endpoint therefore cannot be included as a script at all.  Making the URL unpredictable and hard for attackers to guess can also help, since the attacker’s page must know the exact URL to include it, but an unguessable URL is only as secret as the pages and logs that carry it.
  • Finally, checking the Referer header can help.  The browser sets it to the page that triggered the request, so an attacker’s mashup page cannot forge it from inside a browser, but proxies and privacy settings strip it and non-browser clients can set it to anything, so treat it as one signal rather than a gate on its own.  Do your best to make sure that sensitive JavaScript data is being served only as a result of a legitimate sequence of page and asset requests.
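The following is an added example, not code from the original post or from Fortify’s advisory.  It puts the mitigations above into a small, dependency-free Node.js request handler for a JSON endpoint (POST only, referrer check, ordinary authentication) and adds a check that answers the question the first bullet raises: would this response body execute if an attacker’s page pulled it in with a <script> tag?  It also shows one measure the post does not list, prefixing the JSON with text that is a syntax error when run as a script, as defence in depth.  The request shape, the host name app.example.com, the record data and every function name are assumptions made up for the example.

```javascript
'use strict';

// Added example (not the original post's code): a JSON endpoint hardened
// against cross-domain <script src> inclusion. The request object shape,
// host name and sample records below are all constructed for this example.

// Hypothetical origin whose pages legitimately call the endpoint.
const ALLOWED_REFERRER_ORIGIN = 'https://app.example.com';

// Constructed sample data standing in for what the endpoint returns to a
// logged-in user.
const SENSITIVE_RECORDS = [
  { id: 1, email: 'alice@example.com', balance: 1200.5 },
  { id: 2, email: 'bob@example.com', balance: 87.0 },
];

// Prefix that makes the body a syntax error when executed as a script while
// staying trivial for a cooperating client to strip. This goes beyond the
// post's list; it is a common defence-in-depth measure, not Fortify's advice.
const ANTI_HIJACK_PREFIX = ")]}',\n";

// Does this body parse as a JavaScript program? If so, a cross-domain
// <script src> include would execute it. A top-level JSON array is a valid
// expression statement, which is what the Array()-constructor attack relies on.
// A bare top-level object literal happens to be a syntax error as a statement,
// but that is an accident of the grammar, not something to rely on.
function isExecutableAsScript(body) {
  try {
    new Function(body); // parse only; the resulting function is never invoked
    return true;
  } catch (e) {
    return false; // SyntaxError: the body cannot run as a script
  }
}

// Minimal request: { method, headers: { referer }, authenticated }.
// Returns { status, body } instead of writing to a socket so it is testable.
function handleJsonRequest(req) {
  // 1. POST only. A <script src> tag can only issue GET, so refusing GET
  //    removes the cross-domain script include as a delivery mechanism.
  if (req.method !== 'POST') {
    return { status: 405, body: '' };
  }

  // 2. Referrer check. Browsers set Referer to the page that triggered the
  //    request, so an attacker's mashup page cannot claim our origin from
  //    inside a browser. Require the origin plus a path separator so that
  //    "https://app.example.com.evil.net/" does not pass a prefix test.
  //    A missing header fails too: proxies and privacy settings strip it, and
  //    a request without it cannot show it came from one of our pages.
  const referer = (req.headers && req.headers.referer) || '';
  if (!referer.startsWith(ALLOWED_REFERRER_ORIGIN + '/')) {
    return { status: 403, body: '' };
  }

  // Ordinary authentication still applies; the attack is about reading data
  // the victim is already authorised to see.
  if (!req.authenticated) {
    return { status: 401, body: '' };
  }

  // 3. Make the body unexecutable even if the checks above are later weakened.
  const body = ANTI_HIJACK_PREFIX + JSON.stringify(SENSITIVE_RECORDS);
  return { status: 200, contentType: 'application/json', body };
}

// Cooperating client: strip the prefix, then parse. A body without the prefix
// is rejected so a downgraded response is noticed rather than eval()'d.
function parseGuardedJson(body) {
  if (!body.startsWith(ANTI_HIJACK_PREFIX)) {
    throw new Error('response lacks the anti-hijacking prefix');
  }
  return JSON.parse(body.slice(ANTI_HIJACK_PREFIX.length));
}

// Walk-through with constructed requests (runs only when executed directly).
if (typeof require !== 'undefined' && require.main === module) {
  const naked = JSON.stringify(SENSITIVE_RECORDS);
  console.log('bare JSON array executable as script:', isExecutableAsScript(naked));
  const fromScriptTag = handleJsonRequest({
    method: 'GET',
    headers: { referer: 'https://attacker.example.net/mashup.html' },
    authenticated: true,
  });
  console.log('cross-domain <script src> GET ->', fromScriptTag.status);
  const legit = handleJsonRequest({
    method: 'POST',
    headers: { referer: 'https://app.example.com/inbox' },
    authenticated: true,
  });
  console.log('legitimate POST ->', legit.status,
    'executable:', isExecutableAsScript(legit.body),
    'records:', parseGuardedJson(legit.body).length);
}
```

Run it with node and compare the bare array (executable) with the guarded response (not executable, yet recovered intact by parseGuardedJson).  One caveat: in current engines array and object literals no longer invoke an overridden Array() constructor or fire setters installed on Object.prototype, so the specific constructor-redefinition tricks no longer capture data, but returning a JSON array from a GET endpoint that relies on cookies for authorization is still the pattern to avoid, and the three checks above cost nothing to keep.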

See my AJAX World presentation on Web 2.0 Security for more information.  I discussed this class of vulnerability but only presented examples of Array() constructor overriding because Fortify hadn’t released their advisory publicly yet.

–Dan
dan _at_ denimgroup.com

About Dan Cornell

A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry leading application vulnerability management platform.