What are the main challenges involved in designing a secure Web 2.0 application? What advice would you give to developers?
Principles in securing Web 1.0 and Web 2.0 applications are very similar in that you need to be able to think like an attacker. You need to be able to think outside the box of functionality and try to think of ways that someone might try to abuse your software. One of the key differences in Web 2.0 software is that much more of the application code is pushed down to the client-side browser which also means that this code is also readily visible to an end user or an attacker. Developers need to make sure that they are performing extensive client and server side data input validation to ensure that malicious code does not get executed within or injected into their application. Do not allow more characters in an input field than are required and follow an allow list approach where characters that you want to permit as valid input are allowed and all others are denied.
When it comes to vulnerabilities, which ones are typical for Web 2.0?
Web 2.0 has certainly brought along some of its own new wrinkles to the party also. Since AJAX calls all happen in the background, under the covers to the end user, users likely have no idea when something malicious is going on with their browser. This gives attackers a very silent method by which to perform man-in-the-middle types of attacks to steal confidential and personally identifiable information.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.