Home > Information Security Magazine > Features > Web 2.0 application development techniques introduce new information security risks
EMAIL THIS
Information Security Magazine

  CURRENT ISSUE  
  FEATURES  
  COLUMNS  
  HOT PICK & PRODUCT REVIEWS  
  ARCHIVES  
  SUBSCRIBE/RENEW  
  

Web 2.0 application development techniques introduce new information security risks
by Justin Gehtland
Issue: Nov 2007
printer-friendly
< PREV PAGE   |   1  |   2  |   3  |   4  |   5  |   6  |   7  |   8  |   9  |   10  |   NEXT PAGE  >

In order to identify new threats, it's important that development and security teams understand threats to regular old Web 1.0 applications like cross-site scripting (XSS) and SQL injection attacks (see "Web App Attacks," below). Then organizations can look at what changes upon adding the ability to use JavaScript code in the browser to send and receive asynchronous messages (often containing structured data). It becomes clear that nothing has fundamentally changed; there aren't any new kinds of attacks, just new ways to perpetrate them.

[IMAGE] [IMAGE] [IMAGE] Web App Attacks
[IMAGE] [IMAGE] [IMAGE] [IMAGE]
[IMAGE]
[IMAGE]
[IMAGE] Before making sense of Ajax threats, security teams need to understand traditional Web application attacks.

SQL Injection Attacks
A user passes to a server input that is inserted into a SQL query as a raw string, thus allowing the user to directly affect the database.

Cross-Site Scripting (XSS)
A user passes input containing JavaScript, which is rendered as o...



utput in another user's browser, and then executed.

Session Hijacking
Relying on sequential, non-random or otherwise guessable tokens for establishing important session characteristics, such that a user can experiment with the query string to easily access another user's data (e.g., sending URLs like http://widgets.com?order_num=4 and http://widgets.com?order_num=5), and/or having non-expiring session tokens that can be copied and used by an impersonator.

Buffer Overruns
A user sends malformed text to server code, which either stores it or manipulates it in such a way that the data overruns the memory allocated to hold the value, thus causing unintended execution of non-application code.

Data Leakage
A Web page is constructed of HTML mixed with the raw results of a SQL query, and a user, by virtue of one of the above attacks or sheer accident, causes alternative data to be rendered into the page, thus exposing either private data or useful structural information about the application, which could lead to further attacks.
[IMAGE]
[IMAGE]
< PREV PAGE   |   1  |   2  |   3  |   4  |   5  |   6  |   7  |   8  |   9  |   10  |   NEXT PAGE  >





TechTarget Security Media
Information Security View this month\\'s issue and subscribe today.
Information Security Decisions Apply online for free conference admission.
SearchSecurity.com
HomeNewsMagazineMultimediaWhite PapersLearningAdviceTopicsEventsAbout Us
SEARCH :     Site Index Powered by: Search Powered by Google

About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
TechTarget provides technology professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective purchase decisions and managing their organizations' technology projects - with its network of technology-specific websites, events and online magazines.

TechTarget Corporate Web Site  |  Media Kits  |  Site Map




All Rights Reserved, Copyright 2003 - 2009, TechTarget | Read our Privacy Policy 		  TechTarget - The IT Media ROI Experts