JavaScript Hijacking

06 Apr 2007

A few readers have asked for my opinion regarding the recent fuss over a "new kind of web-based attack" that's being called JavaScript hijacking:

Security researchers have found what they say is an entirely new kind of web-based attack, and it only targets the Ajax applications so beloved of the Web 2.0 movement.

Although the attack is not at all new, it is worth reading about if you're using Ajax and don't know what CSRF is. The mechanism is simple: the attacker's page includes one of your cookie-authenticated JavaScript or JSON endpoints with a script tag, the victim's browser dutifully attaches the victim's cookies to that request, and the response is then executed as script inside the attacker's page, where its data can be read. Jeremiah's Gmail exploit from early last year is a good example that uses CSRF for information disclosure, which is all this really is.

Being in the web application security profession myself, I appreciate the strong desire among my peers to increase awareness, but I'm not fond of the tendency to deliberately misinform people and incite fear based upon false pretenses. We should strive to offer clarity, not confusion. In this particular case, there are also some strong technical concerns to consider.

In some of the comments I've read in various places, people new to CSRF recommend checking the Referer header as a safeguard. This does not offer sufficient protection against CSRF, because an attacker can forge HTTP headers with Flash. The Referer header is also frequently missing for legitimate users (privacy proxies and browser settings strip it), so a check that rejects requests without it breaks real users, and a check that accepts them is trivially bypassed. The dependable defense is a secret, per-session token that the requesting page must supply and that a cross-site page has no way to read.