Web 2.0 is an industry buzz word that gets thrown around quite often. The term is often used for new web technology or comparison between products/services that extend from the initial web era to the existing one. For the purposes of this book, Web 2.0
addresses the new web technologies that are used to bring more interactivity to web applications, such as Google Maps and Live.com. Technologies such as Asynchronous JavaScript XML (AJAX), Cascading Style Sheets (CSS), Flash, XML, advanced usage of existing JavaScript, .Net, and ActiveX all fit under the Web 2.0 technology umbrella.
While some of these technologies, such as ActiveX and Flash, have been around for awhile, organizations are just starting to use these technologies as core features of interactive web sites, rather than just visual effects.
Additionally, Web 2.0 also includes a behavioral shift on the web, where users are encouraged to customize their own content on web applications rather than view static/
generic content supplied by an organization. For example, YouTube.com, MySpace.com, and blogging are a few examples of the Web 2.0 era, where these web applications are based on user supplied content. In the security world, any mention of a new technology often means that security is left out, forgotten, or simply marginalized. Unfortunately, this is also true about many Web 2.0 technologies. To complicate the issue further, the notion of “don’t ever trust user input” becomes increasingly difficult when an entire web application is based on user supplied input, ranging from HTML to Flash objects.
In addition to the technology and behavior changes, Web 2.0 can also mean the shift from shrink-wrapped software to software as a service. During the early web era, downloading software from the web and running it on your server or desktop was the norm, ranging from Customer Relationship Management (CRM) applications to chat software. Downloading and managing software soon became a nightmare to organizations, as endless amount of servers, releases, and patches across hundreds of in-house applications drove IT costs through the roof.
Organizations such as Google and Salesforce.com began offering traditional software as a service, meaning that nothing is installed or maintained by an individual or IT department.
The individual or company would subscribe to the service, access it via a web browser, and use their CRM or chat application online. All server management, system updates, and patches are managed by the software company itself. Vendors solely need to make the software available to their users via an online interface, such as a web browser. This trend changed the client-server model; where the web browser is now the client and the server is a rich web application hosted on a backend in the data center. This model grew to be enormously popular, as the reduction of IT headache, software maintenance, and general software issues were no longer an in-house issue, but managed by the software vendor.
As more and more traditional software companies saw the benefits, many of them followed the trend and began offering their traditional client-server applications online also, noted by the Oracle/Siebel online CRM solution. Similar to advertisement and music, software as a service was also around in Web 1.0, but it was called an Application Service Provider (ASP). ASPs failed miserably in Web 1.0, but similar to advertisements and music in Web 2.0, they are very healthy and strong. Hence, if a security flaw exists in a hosted software service, how does that affect a company’s information? Can a competitor exploit that flaw and gain the information for its advantage? Now that all types of data from different organizations are located in one place (the vendor’s web application and backend systems), does a security issue in the application mean game over for all customers?
Another aspect of Web 2.0 are mash-up and plug-in pages. For example, many web applications allow users to choose content from a variety of sources. An RSS feed may
come from one source and weather plug-in may come from another. While content is being uploaded from a variety of sources, the content is hosted on yet another source, such as a personalized Google home page or a customized CRM application with feeds from different parts of the organization. These mash-up and plug-in pages give users significant control over what they see. With this new RSS and plug-in environment, the security model of the application gets more complex. Back in Web 1.0, a page such as CNN.com would be ultimately responsible for the content and security of the site.
However, now with many RSS and plug-in feeds, how do Google and Microsoft protect their users from malicious RSS feeds or hostile plug-ins? These questions make the process of securing Web 2.0 pages with hundreds of sources a challenging task, both for the software vendors as well as the end users.
Similar to many buzz words on the web, Web 2.0 is constantly being overloaded and can mean different things to different topics. For the purposes of the book, we focus on the application frameworks, protocols, and development environments that Web 2.0 brings to the Internet.
Web 2.0’s Impact on Security
The security impact on Web 2.0 technologies includes all the issues on Web 1.0 as well an expansion of the same issues on new Web 2.0 frameworks. Thus, Web 2.0 simply adds to the long list of security issues that may exist on web applications. Cross-site scripting (XSS) is a very prevalent attack with Web 1.0 applications. In Web 2.0, there can actually be more opportunities for XSS attacks due to rich attack surfaces present with AJAX. For example, with Web 2.0 AJAX applications, inserting XSS attacks in JavaScript streams, XML, or JSON is also possible. An example of downstream JavaScript array is shown here:
var downstreamArray = new Array();
downstreamArray[0] = "document.cookie";
Notice that the <script> tag is not used, but simply the document.cookie value (highlighted in bold) since the code is already in a JavaScript array.
In addition to XSS, injection attacks on Web 2.0 still target SQL and Lightweight Directory Access Protocol (LDAP), but now include XPATH/XQUERY, XML, JSON, and JavaScript arrays. Cross-site request forgery (CSRF) attacks are still present in Web 2.0, but they can now be worse with bidirectional CSRF (JavaScript hijacking). Further, the inconsistent security limits set on XMLHttpRequest (XHR) can leave Web 2.0 applica-tions that are vulnerable to CSRF exposed to worm type behavior, automatic prorogation of a security flaw, rather that a simple one-click attack that would appear on a Web 1.0 application. For example, since many Web 2.0 applications contain integrated interaction between users, when an application flaw such as XSS appears in the application, the propagation of the flaw from one user to the other is even more possible. The prorogat-ing functionality was shown clearly with the Samy worm on MySpace.com, which is discussed in Chapter 5 and the first case study.
Another security impact in addition to worm propagation is the idea of cross-domain attacks. Cross-domain attacks allow attackers to publish malicious content to web users without users’ knowledge or permission. While XHR specifically prevents cross-domain
interaction, much to the developer’s dismay, there is some flexibility in certain Web 2.0 technologies. For example, Flash has XHR restrictions, but it has a method to support cross-domain functionality. The following code shows an example of the flexibility from crossdomain.xml:
<cross-domain-policy>
<allow-access-from domain="www.cybervillans.com" />
</cross-domain-policy>
In addition to the domain name, a wildcard can be used such as domain="*".
(Many web developers are bypassing XHR security controls to add cross-domain functionality to their web applications.) Cross-domain functionality becomes very scary when CSRF attacks are apparent. As noted, CSRF can force a user to perform actions without his or her knowledge or permission. With the ability of cross-domain support, CSRF attacks can allow an attacker or phisher to force actions across domains with a single click. Hence, clicking a story from a user’s blog might actually reduce your bank account by $10,000.
Another risk with Web 2.0 is the ability to discover and enumerate attack surfaces in a far easier fashion than with a Web 1.0 application. For example, Web 2.0 applications often use AJAX frameworks. These frameworks contain lots of information about how the applications work. The framework information is often downloaded to a user’s browser via a .js file. This information makes it easy for an attacker to enumerate possible attack surfaces. On the flip side, while discovery may be easy, manipulating calls to the application may not be likewise. Unlike Web 1.0, where hidden form fields often contained information used in GET and POST parameters, some Web 2.0 frameworks often require a proxy to capture content, enumerate fields for possible injection, and then submit to the server. Though not as straightforward as Web 1.0, the attack surfaces are often larger.
Software as a service solution, while not a technology but rather a trend in the Web 2.0 space, has had a significant impact on security. Unlike in-house applications that run in an organization’s own data center, hosted software solution affect security significantly.
An XSS flaw in an in-house CRM application simply allows a malicious employee to see another employee’s information; however, the same flaw in a hosted CRM application can allow one organization to see the sales leads of another company. Of course, the issues are not limited to CRM applications, but sensitive data, confidential information, and regulated data, such as health information and nonpublic personal information. Hosted solutions hold data of all types from all types of customers, hence their security of their applications far outweigh an in-house application accessible only to employees.
Overall, Web 2.0’s impact on security is large. Borders between data created by the organization and data supplied by the web user are disappearing, hosted solutions are storing content from hundreds of organizations accessible through the same web interface, and developers are deploying new technologies without understanding the security implications of them. These issues have all impacted security in the online environment.