According to Fortify Software, 11 out of 12 of the most popular Ajax/JS frameworks are vulnerable to javascript hijacking. So apparently every shiney web 2.0 app out there is ripe for the picking!

“Fortify said that the “pervasive and critical vulnerability” is present in 11 of the 12 most popular AJAX frameworks, and therefore in many Web 2.0 applications. It allows an attacker to pose as the application’s user and intercept data sent via JavaScript commands, by using the script tag to circumvent the ’same origin policy’ imposed by web browsers.”

“JavaScript Hijacking appears to be a ubiquitous problem,” said Fortify. It claimed that only Direct Web Remoting (DWR) 2.0, a project which dynamically generates Java classes on the server from JavaScript, is immune to the attack, but said that fixes are available or feasible for other AJAX frameworks.

I’ve never heard of Direct Web Remoting before, but hey, maybe there is something to be learned here. The article doesn’t talk specifically about Prototype or Scriptaculous but I’m sure they among the bunch.

Here is the Yahoo! story: Web 2.0 apps vulnerable to attack