
Web 2.0 widgets: Enterprise protection for Web add-ons

Web 2.0 widgets represent a threat vector that should not be overlooked at any enterprise organization. In this tip, Nick Lewis explains what a Web 2.0 widget is, and how companies can protect against them.

Widgets, or mini Web applications, are popular tools or Web add-ons for users to express themselves on different Web 2.0 applications, such as Facebook or Twitter, or for organizations to access content from other websites. But there are some serious security implications that enterprises may need to defend against as Web 2.0 applications and Web add-ons become entrenched in the way business is done.

In this tip, we'll explain how assessing the security of the widgets in Web 2.0 applications before incorporating them into their Web 2.0 environments can protect businesses' Web visitors, internal users and, ultimately, their corporate reputations. Though there are legitimate business uses of Web 2.0 widgets, particularly for incorporating content from third-party sites like Facebook, Twitter, Google and others, these widgets can all too easily distribute malware and malicious code, or potentially advance other attacks.

Web 2.0 widgets explained

Widgets are independent applications or snippets of code from third-party sites that can be used independently or included in other websites and Web applications. They often display content, like news items or press releases, for example, but they can perform other actions too, like display a Twitter feed or include a recent blog post from another page or site. Twitter widgets let users display individual tweets on websites that can serve as real-time updates for site visitors. Similarly, Facebook widgets allow content from Facebook to be served when visiting a third-party website.

Widgets can be developed with a variety of development languages. Ajax-based widgets use the Google Ajax APIs for displaying Google Maps or other Google content. Many widgets use embedded snippets of JavaScript to allow organizations to display new products or news on the Web. A Twitter profile widget, for example, displays recent tweets on a website. The JavaScript snippet is simply embedded in the place where the user wants the tweets displayed. The JavaScript is executed in a visitor's browser and the tweets are visible on the webpage. Basically, the website instructs Web browsers to execute code from multiple different Web servers simultaneously to create the webpage.

Security threats from Web 2.0 widgets

Malware authors started taking advantage of widgets as an attack vector several years ago, as noted in a 2008 advisory from Fortinet Inc.'s FortiGuard Center, which highlighted the Zango malware that was distributed by a malicious Facebook widget. Such threats aren't exactly new, but similar ones are plentiful in the wild today, and like Web 2.0 applications themselves, they are constantly evolving.

Web 2.0 widgets not only pose a security risk to enterprises, but also to individual website visitors. Risk scenarios to the enterprise vary depending on specific widgets used, but typically an individual employee would fall prey by accessing malicious widget content on the Web that affects his or her computer by planting malware that seeks to infect the network or steal sensitive data stored on the user's computer.


Similarly, an enterprise faces risk with the Web 2.0 widgets it may incorporate into its own Web 2.0 applications for customer or public use. This is becoming an increasing concern as more companies seek to appear trendy by integrating Web 2.0 widgets from social networking platforms into their own websites and mobile applications. If those third-party Web 2.0 widgets are malicious or compromised, a company's Web visitors may execute malicious JavaScript or mobile code from multiple different websites, even though it looks like it is coming from a legitimate source (your organization's website). Suddenly a company can find itself in a liability scenario, unknowingly spreading attackers' malware to its Web visitors and customers.

Web 2.0 widgets: Enterprise defense strategy

Despite these threats, there are ways to securely allow widgets to be used in the enterprise, both by users for their own consumption and when building mashups for external use. To protect an organization's Web visitors from malicious Web 2.0 widgets, there should first be a security awareness program in place for enterprise Web developers when including third-party widgets into websites they develop. Developers should be made aware of the potential risks from such widgets and taught to evaluate the security of the widgets before publishing them, a step easily forgotten given how simple it is to publish a new widget to a site.

From there, each individual widget's functionality should be validated in a test environment to ensure basic malicious content cannot be distributed. Developers can evaluate the security of a widget by accessing the JavaScript code and carefully reviewing its functionality. To test for malicious content coming through a widget, like a Twitter stream, set up a Twitter account on a test website to see what is displayed by the widget when a variety of potentially malicious content is posted. An automated process can also check an organization's website for malicious content delivered via widget. One such process might include a script running on a computer where multiple antimalware products are running. The script would download all of the content referenced from the widget to determine if any of the antimalware products generate an alert from the content. You could test this by publishing a link to the EICAR test file virus sample and seeing if your automated process detects the sample virus. This may not be possible with every widget, especially if the widget is a pre-compiled binary, but validating the output should still be possible.
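The two points above, that a widget-enabled page tells the browser to run code from several Web servers at once and that an automated process can inventory what a page actually pulls in, can be combined into a small pre-publication audit. The following Python script is an added example, not code from the original tip or from any widget vendor: it parses a rendered page, lists every third-party origin whose code the browser would execute, flags sources that are not on a reviewed allowlist or are fetched over cleartext HTTP, and flags inline event handlers or `javascript:` links that a feed item rendered by a widget might carry. The page URL, the domain names, the allowlist and the sample HTML are all constructed for illustration.

```python
"""Audit a rendered page for code delivered via third-party widgets.

Added example, not part of the original tip. The sample HTML, domain names
and approved-origin list below are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed allowlist: widget origins the development team has reviewed.
APPROVED_ORIGINS = {
    "https://widgets.approved-social.test",
}

# Tag -> attribute whose URL the browser will load and execute or embed.
_SRC_ATTRS = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}


class WidgetAuditor(HTMLParser):
    """Collect remote code sources and risky inline constructs from a page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.external = []       # (tag, absolute URL) of remotely loaded code
        self.inline_scripts = 0  # <script> blocks with no src attribute
        self.risky_attrs = []    # (tag, attr, value) for on*= handlers, javascript: URLs

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        src_attr = _SRC_ATTRS.get(tag)
        if src_attr and attrs.get(src_attr):
            # Resolve relative URLs against the page so origins compare cleanly.
            self.external.append((tag, urljoin(self.page_url, attrs[src_attr])))
        elif tag == "script":
            self.inline_scripts += 1
        for name, value in attrs.items():
            if value is None:
                continue
            if name.startswith("on"):
                self.risky_attrs.append((tag, name, value))
            elif name in ("href", "src") and value.strip().lower().startswith("javascript:"):
                self.risky_attrs.append((tag, name, value))


def origin_of(url):
    """scheme://host[:port] of a URL, the unit the allowlist is keyed on."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def audit_page(html, page_url, approved_origins=APPROVED_ORIGINS):
    """Return an inventory of third-party code plus findings to review before publishing."""
    auditor = WidgetAuditor(page_url)
    auditor.feed(html)
    page_origin = origin_of(page_url)
    findings = []
    for tag, url in auditor.external:
        origin = origin_of(url)
        if origin == page_origin:
            continue  # first-party resource; out of scope for a widget audit
        if urlsplit(url).scheme != "https":
            findings.append(f"cleartext {tag} from {url}")
        if origin not in approved_origins:
            findings.append(f"unapproved origin {origin} ({tag})")
    for tag, name, value in auditor.risky_attrs:
        findings.append(f"inline handler/URL in <{tag} {name}=...>: {value[:40]}")
    return {
        "third_party_origins": sorted({origin_of(u) for _, u in auditor.external} - {page_origin}),
        "inline_scripts": auditor.inline_scripts,
        "findings": findings,
    }


# Constructed page: one reviewed widget, one pasted in without review, and a
# rendered feed item carrying markup that a test account posted.
SAMPLE_PAGE = """
<html><body>
<h1>Press room</h1>
<script src="/js/site.js"></script>
<script src="https://widgets.approved-social.test/profile.js"></script>
<script src="http://widgets.unreviewed.test/feed.js"></script>
<div class="feed-item"><a href="javascript:openOffer()">offer</a>
<img src="x" onerror="loadTracker()"></div>
<script>new ProfileWidget().render();</script>
</body></html>
"""

if __name__ == "__main__":
    report = audit_page(SAMPLE_PAGE, "https://www.example-corp.test/press")
    print("third-party origins:", report["third_party_origins"])
    print("inline scripts:", report["inline_scripts"])
    for finding in report["findings"]:
        print("FINDING:", finding)
```

Run against the constructed page, the audit reports two third-party origins, one unreviewed origin loaded over cleartext HTTP, and two inline handler/URL constructs in the rendered feed item. The script inventories what a page references; the antimalware scan the tip describes would be the next stage, fed with the URLs in `third_party_origins`.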

To protect internal users from putting company networks and data at risk, use the standard antimalware protections. A combination of network and endpoint defenses will protect users from most malicious content encountered via a widget. Various network appliances -- often the same devices your organization may use to block basic malware, Web proxies, etc. -- include protections for social networking. Some devices offer this in the base functionality, but others require additional licenses or modules to monitor for these types of threats.

Awareness of the potential threats and ensuring that adequate antimalware protections are in place are critical to protect against Web 2.0 widget threats. Malicious or hacked Web 2.0 widgets can easily distribute code from third parties that can harm your infrastructure, steal your sensitive data or abuse the trust consumers and Web visitors have in your organization. Going forward, it's critical that your enterprise not only realize that these mashups can be dangerous, but also implement the proper protections and practices to prevent them from causing harm.

About the author:
Nick Lewis (CISSP, GCWN) is an information security analyst for a large public Midwestern university, responsible for the risk management program, and also supports its technical PCI compliance program. Nick received his Master of Science in Information Assurance from Norwich University in 2005 and Telecommunications from Michigan State University in 2002. Prior to joining his current organization in 2009, Nick worked at Children's Hospital Boston, the primary pediatric teaching hospital of Harvard Medical School, as well as for Internet2 and Michigan State University. He also answers your information security threat questions.


This was last published in June 2010
