| COLUMN |
MySpace, YouTube successes open door to Web 2.0 dangers |
 |
 |
|
By Mike Cobb
07 Dec 2006 | SearchSecurity.com
|
|
Web 2.0 is a catch-all term covering second generation Web services and has captured the imagination of the Web developer community.
|
|
|
|
|
Ajax is not that new and it hasn't introduced new vulnerabilities, just variations of old ones. The problem is that Ajax applications tend to be very complex.
Mike Cobb,
managing director, Cobweb Applications
|
|
|
|
|
|
|
|
|
|
Everyone is now rushing to add interactive features to their own Web applications to try to recreate the successes of sites like MySpace and YouTube. A key element of this new class of Web service is Asynchronous JavaScript and XML (Ajax), a set of technologies used together to extend browser functionality.
Ajax applications are mainly executed on the user's machine and can connect to Web servers independently of the user, exchanging data behind the scenes so that the entire Web page does not have to be reloaded. This makes the application feel more responsive, such as Gmail's real-time spell checking. This relatively seamless exchange of data between an application server and a browser allows users to access, share, and edit online content in similar fashion to traditional desktop applications.
But in the rush to add interactive features, security has often been overlooked. Several high profile attacks have exploited weaknesses in sites using Web 2.0 technologies. The Yamanner worm hit Yahoo mail users, exploiting JavaScript and Ajax code to collect email addresses, while the Samy and Spaceflash worms spread among MySpace users changing buddy lists and profile information. Such attacks have heightened concerns that Web 2.0, and Ajax in particular, are introducing new threats to life on the Web.
Ajax is not that new and it hasn't introduced new vulnerabilities, just variations of old ones. The problem is that Ajax applications tend to be very complex. There are many more interactions between the browser and server, and pages can even pull in content from other sites. This makes it difficult to test the many possible permutations of user and service interaction, allowing old vulnerabilities such as cross-site scripting (XSS) flaws to be unwittingly introduced in to the application.
All the big sites such as Microsoft, Google, eBay, and Yahoo have experienced cross-site scripting flaws in the past but where Ajax does change the threat landscape is that it allows an attacker to exploit XSS vulnerabilities in a more covert manner. Malicious code can make multiple requests in the background while the user will be unaware of anything untoward happening. XSS attacks can be used to steal data, take control of a user's session, run malicious code, or launch phishing scams.
Securing Ajax applications is a new challenge for anyone involved in developing or managing Web-based services. As yet there aren't really any comprehensive automated Ajax application security assessment tools. So until developers become more security aware, particularly about the unanticipated malicious use of their application's features, we're not likely to see a reduction in the number of successful attacks against Web 2.0 sites.
However, one of the benefits of Web-based applications is that deploying fixes is typically fast and easy, requiring no action from the user. This does mean that vulnerabilities, once discovered, can be removed quickly without the need for users to download and install patches themselves.
Michael Cobb, CISSP-ISSAP, is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for SearchSecurity.com's Messaging Security School and, as a SearchSecurity.com site expert, answers user questions on application security and platform security.
|
|
|
|
