News Stay informed about the latest enterprise technology news and product updates.

Application security takes on greater importance in Web 2.0

Web 2.0 applications have the same vulnerabilities as regular applications. Security evangelist Michael Sutton explains how to use application security methods in a dynamic Web environment.

LAS VEGAS -- Ignoring application security is no longer an option. Web sites are now Web applications, Michael Sutton told his audience at last week's Better Software conference. In his session, "Is Web 2.0 a Hacker's Dream?" the security evangelist from SPI Dynamics Inc. (to be acquired by HP) explained that application security is absolutely critical for Web 2.0 technologies.

Web 2.0 is a meaningless marketing term, but the threats are real
Despite the session title, Sutton rejects the term Web 2.0 as an ambiguous "catchall phrase for any new technology." Many of these supposed Web 2.0 technologies have long histories, he pointed out. As he stressed many times, the same vulnerabilities that afflict Web 1.0 applications also afflict Web feeds, Web services and Ajax applications.

However, these dynamic applications are harder to secure because they create more attack vectors. Sutton broke down the security situation of Web 2.0 into a simple equation:

Same vulnerabilities + additional input vectors = more complexity
That's the breakdown, here are the details.

Web feeds
Sutton identified three attack situations that could affect Web feeds:

  1. Malicious operator: "The owner of a Web site could start injecting JavaScript into his news feed," Sutton explained. This could result, for example, in a stolen session I.D. However, the perpetrator is easily identified and that makes this attack unlikely.

  2. Compromised host: This attack is "certainly more likely," Sutton said. You're dealing with a legitimate site where a "trusted host has already taken care of generating traffic for the attacker." The challenge for the attacker is injecting code into the Web feed.

  3. Open content: "This is very likely," Sutton said. Sites such as MySpace that allow customers to be developers put themselves at risk. This user-provided content is then available through a Web feed. Some sites employ blacklisting to control content, using signatures and regular expressions. But this system can be broken, as was the case in the infamous Samy worm.

Web 2.0 testing, security resources
Ten ways to improve testing, performance of Web 2.0 applications

Top Web application security threats for 2007

Denim Group donates Ajax security scanner to OWASP

"Web feeds can be used to do the same types of attacks [as Web sites] if we don't validate input," Sutton said. Risks in the remote zone include familiar vulnerabilities such as cross-site request forgery (CSRF), cross-site scripting (XSS) and distributed denial of service (DDOS).

The local zone is, generally speaking, safer, but it is still vulnerable. "Some readers convert a feed into an HTML file, store it locally and then render it in a Web browser," explained Sutton. "The client is treating it as a local zone, so different security standards apply." Access to XMLHttpRequest (XHR) and ActiveX objects may be compromised.

On the server side, those responsible should "restrict user input and user tags." However, blacklisting can be circumvented, Sutton warned. Whitelisting is better than blacklisting, he said, because its rules determine what can be accepted and are therefore much stricter. For further protection, one may start with a whitelist and layer a blacklist on top.

"There's not much you can do" for the client side, Sutton said. Try to secure the Web feed readers being used against feed injection, he recommended.

Web services
"Web services involve machine-to-machine communication," Sutton said. "That simple thing makes people forget about security." But they are vulnerable to all of the same exploits as Web applications. The difference is that in order to fight session hijacking and similar attacks in Web services, you need tools that are uniquely suited to Web services.

Ajax security training
Learn more about Ajax security at The Ajax Experience conference July 25-27 in San Francisco.

* Listen to Douglas Crockford, creator of JavaScript Object Notation, talk about security issues that must be considered in the architecture of Ajax applications.

* Joe Walker, creator of DWR, and Jeremiah Grossman, co-founder of the Web Application Security Consortium, explain the challenges specific to Web 2.0, the effects of XSS and CSRF attacks, and tools to protect sites and users.

Companies often tack on Web services without thinking about security, Sutton said. "They forget about validation routines," he said. Simply remembering to implement security measures would offer a fair amount of protection for Web services.

Ajax (Asynchronous JavaScript and XML) security
There are several challenges to Ajax security. Some of the Ajax application's business logic may be stored on the client side, where it is quite vulnerable. Ajax "increases the surface area," Sutton told his audience, exposing attack vectors. In order to find these attack vectors, security tools must understand the XHR object.

For Ajax security testing, Sutton recommended dynamic analysis and static analysis.

Dig Deeper on Topics Archive

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.