Research from ShmooCon: JavaScript flaws peril Web

JavaScript coding errors and Web developers who are inexperienced at working with emerging programming techniques represent serious threats to the security of many Internet sites and the people who visit them, according to malware researchers.

Speaking at the ongoing ShmooCon hacker convention on March 24, Billy Hoffman, lead research engineer at Atlanta-based software maker SPI Dynamics, detailed what he views as an epidemic problem in today's online world. SPI markets penetration testing tools used by businesses to ferret out security issues from their online sites and applications.

The proposed threat is centered on the prevalence of JavaScript errors and insecure use of so-called Web services programming languages such as AJAX -- which combines asynchronous JavaScript with XML -- in many popular Web sites and applications.

In addition to opening holes in Web applications, Hoffman illustrated how JavaScript and AJAX-based tools can be used by hackers to find new vulnerabilities online, and build XSS (cross-site scripting) attacks that can move from one online domain to another, which he cited as a relatively cutting-edge malware development.

"In the last two years, we've seen JavaScript go from stealing cookies to doing key-logging, screen-scraping and all sorts of phishing attacks," Hoffman said. "JavaScript used to be something that was more annoying than anything, but now it's being used in port scanning, to create self-propagating malware, and to steal browser histories."

The researcher, who said that JavaScript vulnerabilities are present in sites maintained by everyone from well-known online retailers to large financial services companies, demonstrated a proof-of-concept exploit based on a JavaScript flaw on CNN.com, and how it could be used to manipulate content on the news site's pages.

The issue was reported in security forums several months ago, and sent to CNN by researchers, but it still hasn't been fixed, Hoffman said.

Malicious-code writers are using the same techniques to create cross-site scripting threats -- malware attacks that inject code into end-users' browsers via holes in legitimate sites -- to mislead consumers into handing over their passwords and giving hackers access to their personal information, according to the researcher.

PayPal and MySpace.com are among the major Web properties that have been targeted by major JavaScript-based XSS attacks in recent months.

One of the reasons why JavaScript attacks are becoming more popular is because the technology has grown increasingly powerful, especially as browser makers including Microsoft have added greater support for applications built on the language.

In the case of AJAX-bred Web tools -- which communicate information between backend servers and online applications without direct interaction from an end user -- malware authors have found a powerful technology for spreading their work and making off with valuable end-user data, without as much danger of being caught.

Hoffman said that although major Web sites are spending lots of time and effort to drum out these types of vulnerabilities, he said that the size of online companies' operations and the improper use of JavaScript are making life harder on even the largest of players.