JavaScript Vulnerability Revealed

JavaScript Hijacking has been proved to be one of the most vicious attacks to any Ajax and JavaScript based website. This type of attack was demonstrated by Jeremiah Grossman, a security expert, on how to hijack Gmail. The scenario is very scary but thankfully, the security flaw was pointed out before any damage has been done to Gmail.

But this is just one Ajax based website. There are thousands maybe millions of Ajax based websites right now that are now exposed to this type of attack and they do no know it yet. Worst, a recent study came out that only 1 out of 12 frameworks in building Ajax based applications provides security and prevention against JavaScript hijacking. Developers have to manually implement security against this type of attacks.

JSON as the Center of it All

JavaScript hijacking use JSON as their point of attack. The reason is pretty simple; since JSON is specifically built for JavaScript, JSON will always be tied up with an Ajax based application. Hence, the JavaScript code could be effectively implemented if the attacks are limited to online applications based on JSON. This is disappointing since JSON provides the flexibility of data markup while being specific only to JavaScript.

This type of attack doesn’t necessarily target the server or tries to steal data. But what it does will practically reveal every information about the website and its users. When embedded JavaScript code is interpreted in the Ajax based online application, it just sits there and observes the functions and data transfers. It’s hijacking the data being transferred and may use the extracted data to the preferences of the attacker.

If frameworks are not able to stop this type of attack, almost every developer who wants to build RIA through frameworks will be exposed to attacks.

Preventing JavaScript Hijacking

Fortunately, there are ways in preventing this type of attack which means only those that really do not care about the security of their website will become vulnerable.

The first prevention technique for JavaScript hijacking is to specify the codes that are allowed to be run in the application. There are still outside sources that should be allowed and they should be specified by developers. This could be done by adding parameters which sets which sources are allowed or not.

Stop and modify is another preventive method developers could use to protect their applications from this type of attack. Developers should prevent codes from automatically running in their application. That means they should have a mechanism to prevent the application from implementation and this could be done by automatically adding a prefix in the code. From this point, developers are now free to modify the code until it becomes safe.

Last but not the least, developers could implement more identifiers. Instead of a general user identifier, session identifiers should be implemented. This will somehow identify the source of attack and will be dealt with immediately.

JavaScript hijacking should be stopped at all costs. It’s not a pretty sight to see a good website go to waste just because of negligence from developers.