Security Experts Warn of Web 2.0 Woes : XSS and AJAX Hacking Attacks
While Web 2.0 applications might be all the rage for developers and increasingly important in the enterprise, security experts warn they represent a serious threat — a fact that won’t change until businesses start demanding greater protections.
That was the theme at the New New Internet conference here yesterday, where a panel of security experts told audience members that Web 2.0 application developers lack tools to secure their applications, creating a problem unlikely to be fixed without greater prompting by IT management.
“Beat up on your vendors and your own developers,” said Steve Orrin, director of security solutions for Intel Corp. “Look for and ask for security features in your applications. Until you start asking, they aren’t going to see it as a requirement.”
Much of the issue stems from the fact that underlying technologies being used in new Web applications and Web services were never properly secured to begin with, panelists said.
“We’ve already moved on and started to look at Web 2.0 technology, when Web 1.0 wasn’t secure yet,” Orrin said.
“By networking with code-writing peers and hearing lectures by security experts,” he said, “hackers can gather the truth: information necessary to build safer systems and to push for better security.”
“What we’re seeing is advanced uses of the same sorts of attacks that were used before.” Cross-site scripting, for example, is “much more powerful” when used in a Web 2.0 environment, he suggested. “As powerful a tool as Web 2.0 technology is for developers and users, it’s even more so for attackers.”
That’s especially true of things like phishing attacks, Orrin said.
“It’s become a lot easier to trick users with Web 2.0 — the automation is to the point where the user doesn’t even have to be involved for the attack to occur.”
Hart Rossman, chief security technologist at research and engineering giant Science Applications International Corporation (SAIC), agreed. He pointed to the difficulties that security professionals face in checking some Web 2.0 applications for vulnerabilities. “AJAX is the weapon of choice for sex appeal, but current vulnerability assessment tools have trouble traversing AJAX sites, and it’s harder to find the vulnerabilities,” Rossman said. “You can’t recreate sessions as easily, so if something happens, it’s very difficult to create the forensics to analyze it.”
Rossman added that the rise of the use of widgets and other outside components on sites raises the specter of people using “Web 2.0 on top of Web 2.0” to mount large cross-network attacks.
Experts such as Rossman are currently focusing their efforts on determining a suitably-scary-sounding name for these new and unprotected (and potentially devastating to your E-business) Web 2.0 on top of Web 2.0 attack worms.
“People tend not to trust the mash-up developer… they trust the API provider. There’s very little thought given to the mash-up, or the mash-up on top of the mash-up.”
News Link: http://www.internetnews.com/dev-news/article.php/3708876