
By: Amanda
The client-side libraries that Fortify inspected and found to be vulnerable are Yahoo UI, Prototype, Script.aculo.us, Dojo, Moo.fx, jQuery, Rico and MochiKit.

Of the AJAX frameworks and client-side libraries Fortify inspected, only DWR 2.0 (Direct Web Remoting 2.0) has mechanisms to prevent JavaScript Hijacking.

That isn't surprising, given that Joe Walker, who developed DWR, wrote about the JavaScript Hijacking flaw in early March.

According to Fortify, the other AJAX frameworks don't explicitly provide any protection, nor do their documentation materials mention the vulnerability as a security concern.

Brian Chess, Fortify Software's co-founder and Chief Scientist, told eWEEK that the security firm is getting a ho-hum reaction from some regarding the news, since JavaScript has never been considered to be safe anyway.
Copyright 2007 - 2008 All rights reserved Oylinki.com