Research from ShmooCon: JavaScript flaws peril Web

Speaking at the ongoing ShmooCon hacker convention, SPI Dynamics researcher Billy Hoffman painted a dire picture of widespread coding vulnerabilities in many Web sites and online applications

JavaScript coding errors and Web developers who are inexperienced at working with emerging programming techniques represent serious threats to the security of many Internet sites and the people who visit them, according to malware researchers.

Speaking at the ongoing ShmooCon hacker convention on March 24, Billy Hoffman, lead research engineer at Atlanta-based software maker SPI Dynamics, detailed what he views as an epidemic problem in today's online world. SPI markets penetration testing tools used by businesses to ferret out security issues from their online sites and applications.

The proposed threat is centered on the prevalence of JavaScript errors and insecure use of so-called Web services programming languages such as AJAX -- which combines asynchronous JavaScript with XML -- in many popular Web sites and applications.

In addition to opening holes in Web applications, Hoffman illustrated how JavaScript and AJAX-based tools can be used by hackers to find new vulnerabilities online, and build XSS (cross-site scripting) attacks that can move from one online domain to another, which he cited as a relatively cutting-edge malware development.

"In the last two years, we've seen JavaScript go from stealing cookies to doing key-logging, screen-scraping and all sorts of phishing attacks," Hoffman said. "JavaScript used to be something that was more annoying than anything, but now it's being used in port scanning, to create self-propagating malware, and to steal browser histories."

The researcher, who said that JavaScript vulnerabilities are present in sites maintained by everyone from well-known online retailers to large financial services companies, demonstrated a proof-of-concept exploit based on a JavaScript flaw on, and how it could be used to manipulate content on the news site's pages.

The issue was reported in security forums several months ago, and sent to CNN by researchers, but it still hasn't been fixed, Hoffman said.

Malicious-code writers are using the same techniques to create cross-site scripting threats -- malware attacks that inject code into end-users' browsers via holes in legitimate sites -- to mislead consumers into handing over their passwords and giving hackers access to their personal information, according to the researcher.

PayPal and are among the major Web properties that have been targeted by major JavaScript-based XSS attacks in recent months.

One of the reasons why JavaScript attacks are becoming more popular is because the technology has grown increasingly powerful, especially as browser makers including Microsoft have added greater support for applications built on the language.

In the case of AJAX-bred Web tools -- which communicate information between backend servers and online applications without direct interaction from an end user -- malware authors have found a powerful technology for spreading their work and making off with valuable end-user data, without as much danger of being caught.

Hoffman said that although major Web sites are spending lots of time and effort to drum out these types of vulnerabilities, he said that the size of online companies' operations and the improper use of JavaScript are making life harder on even the largest of players.

The only way to improve the situation is for site operators to undertake more comprehensive efforts to rid their pages of the problems, said Hoffman, and for them to slow down adoption of newer languages, such as AJAX, which appear to outstrip many Web developers' security skills.

"There's nothing you can do as an end-user. Ultimately these are things that are wrong with the sites; [the attacks] are not exploiting the browser. JavaScript is supposed to execute in the browser," Hoffman said. "We need to pressure the people who are responsible for the sites -- but Google, Amazon, and Yahoo are already putting lots of money into this and they still can't fix the problem."

One of the newer wrinkles of AJAX-based attacks is the ability to create XSS threats that are self-propagating, according to Hoffman. Whereas the threats were traditionally designed to sit on only one URL and infect people who visited its location, the attacks can now be linked to Web crawling tools to find other pages that may be exploitable, specifically other sites within the same online domains.

Using such an approach, an attacker could infiltrate businesses' corporate intranets via their public Web sites and gain access to sensitive organizational data, Hoffman said.

Hoffman also demonstrated a new Web-based vulnerability scanning tool he has designed and dubbed Jikto, which uses AJAX to crawl Web sites and online applications for holes, and can be dropped into other people's browsers to use them as unknowing sources for gathering such information.

The SPI researcher said he created the tool to illustrate just how easily hackers can begin using combinations of JavaScript, AJAX, and other Web technologies such as Flash, to carry out attacks and make their work even more potent,

"We're finding that in the last year ... what you can do with JavaScript execution has drastically increased. People need to understand how severe these vulnerabilities are," Hoffman said. "It would be a tragedy for developers to overlook these issues because they're simply unaware of all the bad things that can be done; we're trying to change the direction in the software development and security industries about their understanding of how devastating the implications can be."