In the past few days news sites and a few blogs have picked up a document written by Fortify Software regarding “JavaScript Hijacking”. We’ve also had a few customers and members of our community ask for Zimbra’s view on the topic. First and foremost, we take security very seriously. We’ve talked about securing AJAX in the past, but would like to reinforce a couple of points in light of the most recent news.
For a little background on cross-site requests, Wikipedia has some good information. Our friend Alex Russell of the Dojo Toolkit posted a note on the topic, and Joe Walker has also posted a couple of entries on it. Each covers ways to prevent this sort of attack and explains why their particular frameworks aren’t vulnerable. Bob takes a slightly more aggressive stance, calling the Fortify paper FUD.
Bottom line: Zimbra is not vulnerable to the attacks mentioned in the paper. Specifically, we use POST for all of our data communication from our AJAX client to our server. In the POST request we include a Zimbra-created auth token that is present both in the cookie and in the POST body (as part of the SOAP header). The server verifies that both are included and identical, to ensure that the sender of the request is the actual user’s browser. Secondly, the responses from our server are JSON data objects. Using JSON objects rather than arrays prevents the type of attack mentioned in the paper; Bob’s post goes into the details of why and includes an example to prove it. We are glad people are noticing and paying attention to security topics as new web apps take further advantage of the browser. To further discuss this topic, please visit the Zimbra Forums.