JavaScript Hijacking

In the past few days news sites and a few blogs have picked up a document written by Fortify Software regarding “JavaScript Hijacking”. We’ve also had a few customers and our community ask for Zimbra’s view on the topic. First and foremost we take security very seriously. We’ve talked about securing ajax in the past but would like to reinforce a couple points in light of the most recent news.

For a little background on cross site requests Wikipedia has some good info. Our friend Alex Russell of the Dojo Toolkit posted a note on the topic. Joe Walker has also posted a couple entries on the topic. Each of which cover ways to prevent this sort of attack and why their particular frameworks aren’t vulnerable. Bob takes a slightly more aggressive stance calling the Fortify paper FUD.

Bottom line Zimbra is not vulnerable to the attacks mentioned in the paper. Specifically we use POST for all of our data communication from our AJAX client to our server. In the POST request we include a Zimbra created auth token that is in both the cookie and the POST body (as part of the SOAP header). The server verifies that both are included and the same to ensure that the sender of the request is the actual user’s browser. Secondly the responses from our server are JSON data objects. Using JSON objects rather than arrays prevents the type of attack mentioned in the paper. Bob’s post goes into the details of why and includes an example to prove it. We are glad people are noticing and paying attention to security topics as new webapps take further advantage of the browser. To further discuss this topic please visit the Zimbra Forums.

Comments are closed.

Copyright © 2022 Zimbra, Inc. All rights reserved.

All information contained in this blog is intended for informational purposes only. Synacor, Inc. is not responsible or liable in any manner for the use or misuse of any technical content provided herein. No specific or implied warranty is provided in association with the information or application of the information provided herein, including, but not limited to, use, misuse or distribution of such information by any user. The user assumes any and all risk pertaining to the use or distribution in any form of any subject matter contained in this blog.

Legal Information | Privacy Policy | Do Not Sell My Personal Information | CCPA Disclosures