
Thread: Ajax vulnerability: How 'bout ZCS?

  1. #1
    mcevoys (Special Member)

    Ajax vulnerability: How 'bout ZCS?

    Web 2.0 is vulnerable to attack

    Fortify Software, which said it discovered the new class of vulnerability and has named it "JavaScript hijacking", said that almost all the major Ajax toolkits have been found vulnerable.

    ...

    "JavaScript Hijacking allows an unauthorized attacker to read sensitive data from a vulnerable application using a technique similar to the one commonly used to create mashups," Chess writes in a white paper published today.

    And Fortify now claims that attackers can exploit this loophole to log into Ajax applications pretending to be their victims, and then receive any data that this application would ordinarily serve up using JSON.

    In an example attack, a victim who has already authenticated themselves to an Ajax application, and has the login cookie in their browser, is persuaded to visit the attacker's web site. This web site contains JavaScript code that makes calls to the Ajax app. Data received from the app is sent to the attacker.


    Any ideas if there are security implications for ZCS?

  2. #2
    JoshuaPrismon (Zimlet Guru & Moderator)

    Quote Originally Posted by mcevoys
    Any ideas if there are security implications for ZCS?

    Fortify has a long history of doing everything they can to scare the bejezus out of people so that they can get new big huge customers. I've dealt with them before, and each time got a taste left in my mouth much like the taste I got when dealing with Arthur Andersen before they went under.

    This attack is basically your standard cross-site request forgery, plus a little tweaking of the JavaScript to make things better.

    The problem here isn't with the Ajax community, so much as it is with the vendors, and the JavaScript spec. While Firefox and IE properly block client scripts from accessing data directly if they are from different sites, it's still possible to override the JavaScript Object definition (JavaScript is prototype-based rather than class-based, which means that you can dynamically add methods to classes in JavaScript) to bypass this restriction. However, the <script> tag still has to be used from inside of the secure context to begin with, and bogus JSON has to be passed from the script to be able to access the secure information.

    Is Zimbra exposed? I am not sure, but at least one of the security mechanisms mentioned in the paper (application specific authentication cookies) is already used in Zimbra for authentication. (This is why it's possible to have two separate windows up in Zimbra on the same browser logged in as two separate users).

    The Zimlet mechanism certainly allows for some interesting (and probably dangerous, security-wise) extensions directly into the Zimbra source code, but most of the Zimbra code does XHR directly rather than script (from my own trivial viewing of the code).

  3. #3
    jholder (Former Zimbran)

    We have done a little investigating on this issue with our toolkit, to see the impact, if any.

    The kicker would be to get the auth token; they'd need to hijack the domain/site that mail is hosted on, since the browser will only send to the site where the cookie was set.

    There's really only one way to get the auth token:
    You need an authorized username and password.

    If your site is hijacked, I think you have bigger worries than just the toolkit.

  4. #4
    KevinH (Expert Member)

    A more detailed response can be found on our blog:

    http://www.zimbra.com/blog/archives/...hijacking.html

  5. #5
    mcevoys (Special Member)

    Quote Originally Posted by KevinH
    A more detailed response can be found on our blog:

    http://www.zimbra.com/blog/archives/...hijacking.html

    Nicely played!
