Saturday, November 29, 2008

Technics: Web 2.0's downside opens way for spyware and other vulnerabilities via the Internet

Jason King is CEO of LavaSoft, a pioneer company that produces Ad-Aware and other software labouring to chase down spyware, as well as anti-virus services. Shreeraj Shah of Net-Square wrote a well-known article, "10 Web 2.0 Attack Vectors," putting forth something of an overall vector analysis on the Help Net Security website on October 9, 2006. You can visit them both at this Help Net Security website page.

First, let's have entrepreneur King speak to us for 2 minutes 50 seconds on video from YouTube:

LavaSoft and the antispyware industry

Shreeraj Shah explains how Web 2.0 advances have also opened vulnerabilities that did not exist before its arrival, not least of all the new exposure to spyware:

Web 2.0 is the novel term coined for new generation Web applications. start.com, Google maps, Writely and MySpace.com are a few examples. The shifting technological landscape is the driving force behind these Web 2.0 applications. On the one hand are Web services that are empowering server-side core technology components and on the other hand are AJAX and Rich Internet Application (RIA) clients that are enhancing client-end interfaces in the browser itself.

XML is making a significant impact at both presentation and transport (HTTP/HTTPS) layers. To some extent XML is replacing HTML at the presentation layer while SOAP is becoming the XML-based transport mechanism of choice.
Now, let's garner the points web-thinker Shah presents as headers, the result being a bit abstract for those, like me, who are still novices in these territories:

Web 2.0 security concerns are reshaping the whole industry of security-measures for websites, internet, and home computers.
Technotes, by Technowlb
Shah introduces his vector theory of new Web 2.0 vulnerabilities:
On the “server-side”, XML-based Web services are replacing some of the key functionalities and providing distributed application access through Web services interfaces. These remote capabilities to invoke methods over GET, POST or SOAP from the Web browser itself provide new openings to applications. On the other side, RIA frameworks running on XML, XUL, Flash, Applets and JavaScripts are adding new possible sets of vectors. RIA, AJAX and Web services are adding new dimensions to Web application security.

So, here's his analytic list of 10 attack vectors, Shah providing us with a thick explanatory paragraph for each:

1. Cross-site scripting in AJAX.
2. XML poisoning.
3. Malicious AJAX code execution.
4. RSS/Atom injection.
5. WSDL scanning and enumeration.
6. Client-side validation in AJAX routines.
7. Web-services routing issues.
8. Parameter manipulation with SOAP.
9. XPATH injection in SOAP message.
10. Rich Internet Applications (RIA) thick client binary manipulation.
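
Items 2 and 8 above concern what a server accepts before it ever interprets a SOAP body. The following pre-check is an added example written for this summary, not code from Shah's article or from Net-Square; it assumes only the Python standard library's expat binding and uses constructed sample envelopes. It rejects any document carrying a DTD (the mechanism behind entity-expansion poisoning), any nesting deeper than a fixed limit (recursive payloads), and any body over a size ceiling, so the real SOAP layer only sees documents within policy.

```python
import xml.parsers.expat as expat

# Constructed sample: an ordinary SOAP request such as an AJAX client might POST.
GOOD_SOAP = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><getUser><id>42</id></getUser></soap:Body>
</soap:Envelope>"""

# Constructed sample: same request, but with an internal DTD declaring an entity.
# Entity declarations are what expansion-based "XML poisoning" relies on, so the
# policy refuses the DTD outright rather than trying to bound the expansion.
DTD_SOAP = b"""<?xml version="1.0"?>
<!DOCTYPE x [<!ENTITY e "42">]>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><getUser><id>&e;</id></getUser></soap:Body>
</soap:Envelope>"""

# Constructed sample: a recursive payload nested far deeper than any real body.
DEEP_SOAP = b"<r>" + b"<n>" * 200 + b"</n>" * 200 + b"</r>"


class XmlRejected(Exception):
    """Raised when a document violates the acceptance policy."""


def check_xml(data: bytes, max_depth: int = 32, max_bytes: int = 64 * 1024) -> bool:
    """Return True if the document is within policy, else raise XmlRejected."""
    if len(data) > max_bytes:
        raise XmlRejected("document exceeds %d bytes" % max_bytes)
    parser = expat.ParserCreate()
    depth = [0]  # mutable cell so the handlers can update it

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise XmlRejected("DTD not allowed")  # no internal or external subsets

    def on_entity(*args):
        raise XmlRejected("entity declaration not allowed")

    def on_start(name, attrs):
        depth[0] += 1
        if depth[0] > max_depth:
            raise XmlRejected("nesting deeper than %d elements" % max_depth)

    def on_end(name):
        depth[0] -= 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    try:
        parser.Parse(data, True)  # exceptions raised in handlers propagate here
    except expat.ExpatError as exc:
        raise XmlRejected("malformed XML: %s" % exc)
    return True


def is_acceptable(data: bytes) -> bool:
    """Boolean wrapper around check_xml for callers that only need a verdict."""
    try:
        return check_xml(data)
    except XmlRejected:
        return False
```

A SOAP endpoint would run `is_acceptable` on the raw request body and answer with a client error before any XPath or deserialization code touches the document.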

Shah concludes:
AJAX, RIA and Web services are three important technological vectors for the WEB 2.0 application space. These technologies are promising and bring new equations to the table, empowering overall effectiveness and efficiency of Web applications. With these new technologies come new security issues, and ignoring them can lead to big disasters for the corporate world. [And what about us "end-user" consumers with our home computers?] In this article, the discussion was restricted to only ten attacks but there are several other attack vectors as well. Increased WEB 2.0 security awareness, secure coding practices and secure deployments offer the best defense against these new attack vectors.
