Matasano: Vulnerability Reporting in a Web 2.0 World. Same old security problems, just no one to report it to or fix 'em.
Step #1: I send in a vulnerability report. I explain the vulnerability in a concise email and include repro steps. They reply:
Thanks for the tip, David. It’s been noted.
BTW, most of the talks at OWASP Milan last week were on Web 2.0 attacks.
I think the term Vulnerability Mashup describes the current Web 2.0 security situation pretty well. You can take your JavaScript attack and use it across domains, requests, and technologies. It turns out attackers can leverage the Web 2.0 ethos "web as a platform" as easily as a portlet developer can. So as Web 2.0 programs struggle to achieve a security 1.0 posture, they will have an interesting time dealing with attacker 3.0. In other words, Google Maps looks great, but you really don't want to run your business on this stuff.
Web 1.0                | ----> | Web 2.0
Attack server          | ----> | Attack client & server
Attack sites           | ----> | Attack sites & users
Web 1.0 security model | ----> | Web 1.0 security model
OWASP Top 10           | ----> | CVE 400
Oh man you forgot - "Protecting Web Applications from Universal PDF^H^HCI X^HDSS: A discussion of how retarded the web application security world has become"
Posted by: dre | May 25, 2007 at 10:49 AM