Q&A: Web 2.0 Security
by Mirko Zorz - Tuesday, 22 July 2008.
Sam Masiello oversees the MX Logic Threat Operations Center. Masiello has more than 18 years of email systems and IT management experience, including nearly 10 years network and security systems management. In this interview he discusses various aspects of Web 2.0 security.

What are the main challenges involved in designing a secure Web 2.0 application? What advice would you give to developers?

Principles in securing Web 1.0 and Web 2.0 applications are very similar in that you need to be able to think like an attacker. You need to be able to think outside the box of functionality and try to think of ways that someone might try to abuse your software. One of the key differences in Web 2.0 software is that much more of the application code is pushed down to the client-side browser which also means that this code is also readily visible to an end user or an attacker. Developers need to make sure that they are performing extensive client and server side data input validation to ensure that malicious code does not get executed within or injected into their application. Do not allow more characters in an input field than are required and follow an allow list approach where characters that you want to permit as valid input are allowed and all others are denied.

When it comes to vulnerabilities, which ones are typical for Web 2.0?

The types of vulnerabilities that existed in Web 1.0 applications also exist in Web 2.0. Programmers still need to code against threat such as XSS attacks, CSRF attacks, code and SQL injection. The primary difference is that the threat vector is different since Web 2.0 applications rely heavily on AJAX, which uses XML for communication. One example of a Web 2.0 application vulnerability is the Yamanner worm from mid-2006 which exploited a cross-site scripting vulnerability within Yahoo! Mail's AJAX implementation. Another popular example is the MySpace Samy worm from 2005. This vulnerability allowed a user to inject javascript onto his own profile page which functioned as a self-propagating XSS worm that added the Samy author as a "friend' to the profile of everyone who viewed his page. The worm code spread exponentially by loading itself into the profile of anyone who viewed an infected user's page. Along the way, every infected user was added as a friend to the Samy author. The end result was over one million people being added to Samy's friend list within a 24 hour period.

Web 2.0 has certainly brought along some of its own new wrinkles to the party also. Since AJAX calls all happen in the background, under the covers to the end user, users likely have no idea when something malicious is going on with their browser. This gives attackers a very silent method by which to perform man-in-the-middle types of attacks to steal confidential and personally identifiable information.

With rich websites that allow user-created content comes the problem of malicious users embedding malware into their pages on such services. How can Web 2.0 websites protect themselves from abuse?

From a developer's standpoint, knowledge is power. Knowledge and awareness of how attacks are carried out against Web 2.0 sites and following secure coding practices against those attacks are key to preventing them from happening. Never assume that your application is too small or that your system will not be targeted. Just as it only takes minutes for hackers to find a vulnerable, unpatched Windows PC to turn into a spam zombie and enlist it as part of a botnet, it is just as easy and just as certain that they will find and abuse vulnerable web applications too.


101,000 US taxpayers affected by automated attack on IRS app

The IRS has revealed more details about an attack it suffered last month, mounted by unknown individuals with the aim to file fraudulent tax returns and funnel the returned money to their own bank accounts.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Wed, Feb 10th