Sam Masiello oversees the MX Logic Threat Operations Center. Masiello has more than 18 years of email systems and IT management experience, including nearly 10 years network and security systems management. In this interview he discusses various aspects of Web 2.0 security.

What are the main challenges involved in designing a secure Web 2.0 application? What advice would you give to developers?

Principles in securing Web 1.0 and Web 2.0 applications are very similar in that you need to be able to think like an attacker. You need to be able to think outside the box of functionality and try to think of ways that someone might try to abuse your software. One of the key differences in Web 2.0 software is that much more of the application code is pushed down to the client-side browser which also means that this code is also readily visible to an end user or an attacker. Developers need to make sure that they are performing extensive client and server side data input validation to ensure that malicious code does not get executed within or injected into their application. Do not allow more characters in an input field than are required and follow an allow list approach where characters that you want to permit as valid input are allowed and all others are denied.


When it comes to vulnerabilities, which ones are typical for Web 2.0?

The types of vulnerabilities that existed in Web 1.0 applications also exist in Web 2.0. Programmers still need to code against threat such as XSS attacks, CSRF attacks, code and SQL injection. The primary difference is that the threat vector is different since Web 2.0 applications rely heavily on AJAX, which uses XML for communication. One example of a Web 2.0 application vulnerability is the Yamanner worm from mid-2006 which exploited a cross-site scripting vulnerability within Yahoo! Mail's AJAX implementation. Another popular example is the MySpace Samy worm from 2005. This vulnerability allowed a user to inject javascript onto his own profile page which functioned as a self-propagating XSS worm that added the Samy author as a "friend' to the profile of everyone who viewed his page. The worm code spread exponentially by loading itself into the profile of anyone who viewed an infected user's page. Along the way, every infected user was added as a friend to the Samy author. The end result was over one million people being added to Samy's friend list within a 24 hour period.

Web 2.0 has certainly brought along some of its own new wrinkles to the party also. Since AJAX calls all happen in the background, under the covers to the end user, users likely have no idea when something malicious is going on with their browser. This gives attackers a very silent method by which to perform man-in-the-middle types of attacks to steal confidential and personally identifiable information.