
The Security Time Bomb
Welcome to the world of Web 2.0, a world where the democratization of control has unleashed a security time bomb waiting to explode
Monday, December 10, 2007

In late 2005, MySpace went offline thanks to the Samy cross-site scripting (XSS) worm. Samy, created by teenage hacker Samy Kamkar, consisted of malicious Ajax code placed in the hacker's own MySpace profile. Anyone viewing Samy's profile would unknowingly execute the code, which automatically added Samy to the viewer's friend list and vice versa, bypassing the need for the user's approval, and then copied itself into the viewer's profile so that their visitors were infected in turn. The worm reached over one million infections in less than a day, making it one of the fastest spreading pieces of malware ever seen. What is deadlier is that aspiring criminals can duplicate the attack and apply it elsewhere; for that they need only examine Samy's code, which is posted on the Web.
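As an added illustration (example code written for this article's point, not Samy's code or anything from MySpace), the following JavaScript shows the defect class behind the worm and why a tag blacklist does not fix it: a profile field is stored verbatim and concatenated into HTML served to every other visitor. The field name, the filter and the two sample payloads are constructed for the example; the fix shown, contextual output encoding, is the standard one.

```javascript
// Added example: stored XSS in a profile renderer, a blacklist that fails to
// stop it, and the output-encoding fix. Names and payloads are constructed.

// Constructed payloads a hostile user might save in their own profile.
const PAYLOAD_SCRIPT_TAG = '<script>document.title = "owned"</script>';
const PAYLOAD_EVENT_HANDLER = '<img src="x" onerror="document.title = \'owned\'">';

// A bolted-on "filter" of the kind sites relied on in 2005: it removes
// <script> tags and nothing else.
function stripScriptTags(input) {
  return String(input).replace(/<\s*\/?\s*script\b[^>]*>/gi, '');
}

// Vulnerable renderer: the stored text is concatenated straight into the
// page that every visitor receives, so any markup the profile owner stored
// runs in the visitor's browser with the visitor's logged-in session.
function renderProfileUnsafe(profile) {
  return '<div class="about">' + stripScriptTags(profile.aboutMe) + '</div>';
}

// Contextual output encoding for HTML text content: the fix that holds no
// matter which tag or attribute the attacker chose.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

function renderProfileSafe(profile) {
  return '<div class="about">' + escapeHtml(profile.aboutMe) + '</div>';
}

// Rough check used to compare the two renderers: does the HTML still contain
// a <script> tag, or an on* event-handler attribute inside a tag?
function containsExecutableMarkup(html) {
  return /<script\b/i.test(html) || /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Summary of what each renderer does with each payload.
function demoXss() {
  const payloads = { scriptTag: PAYLOAD_SCRIPT_TAG, eventHandler: PAYLOAD_EVENT_HANDLER };
  const results = {};
  for (const [name, payload] of Object.entries(payloads)) {
    results[name] = {
      unsafeStillExecutes: containsExecutableMarkup(renderProfileUnsafe({ aboutMe: payload })),
      safeStillExecutes: containsExecutableMarkup(renderProfileSafe({ aboutMe: payload })),
    };
  }
  return results;
}

console.log(JSON.stringify(demoXss(), null, 2));
```

Run with `node`. The blacklist catches the obvious `<script>` payload but lets the event-handler payload through untouched, which is the general lesson of Samy: filtering known-bad markup is a losing game, whereas encoding every untrusted value for the context it lands in closes the whole class.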

Apart from MySpace, Orkut and Facebook, there is an ever-growing plethora of social networking sites (with local counterparts like www.bigadda.com coming up), wikis and blogs, all trying to give users unprecedented freedom in what they can post, access and do.

The Web's second generation promises to tread new and uncharted territory. The quest to discover the unexplored characteristics of the Web has brought in a whole new era of collaboration, sharing, interactivity, user-generated content and enhanced user control on the World Wide Web. However, in the rush to add features, security has become an afterthought in Web 2.0. According to Iqbal Gandham, chief business strategist, Nivio, "Web 2.0 has allowed two-man startups to develop an application overnight, and this kind of process will never include security. Web 2.0 apps are about speed to market, and security checks just slow you down." Bhaskar Bakthavatsalu, country manager, India & SAARC, Check Point Software Technologies, says, "We definitely are putting security last while adopting Web 2.0 technologies."

Now, as Web 2.0 increasingly straddles the enterprise domain and grows beyond being a consumer phenomenon, the impact is showing up in more dimensions than initially comprehended. Security will need to become a forethought, architected into the network as well as the applications.

More Vulnerable
Unlike Web 1.0 malware, Web 2.0 threats like Samy and Yamanner no longer require victims to deviate from security best practice by opening unknown attachments or emailing financial details to strangers: simply viewing a page on a site they already trust is enough. Web 2.0 also offers novel opportunities for traditional malware to proliferate. For example, the Storm Trojan that infected many users earlier this year spread itself through bulletin board messages, Google links, instant messages (IMs) and the blog comments of infected users. Storm successfully leveraged the multiple vectors offered by Web 2.0 to proliferate.

Web 2.0 is inherently more prone to security breaches and hazards than the first generation of the Web. As Tarun Gulati, general manager, developer and platform evangelism at Microsoft India, points out, "Though security is a horizontal that needs to be thought out irrespective of the kind of application being built, in a Web 2.0 scenario it becomes even more important due to its viral, social nature." According to Mahesh Gupta, manager, Business Development, Cisco India & SAARC, the difference between Web 2.0 and HTML is that Web 2.0 applications are going to be more interactive. "These Web applications and portals, based on the new programming techniques, provide a larger scope for attacks as there are greater interactions with the browser that enable JavaScript to run on a client PC, whereas old-fashioned websites accept information only through forms," adds Bakthavatsalu.

The manifestations of Web 2.0 technologies like blogs, wikis and social networks run against traditional IT security practice. "These Web 2.0 applications facilitate collaboration and sharing between users; hence, the popularity of these applications has driven hackers to target users and businesses," says Pranay Jhaveri, sales director, F5 Networks, India. If your website content depends on users adding content, and hence allows users closer interaction with your software, then, inherently, you are allowing for more holes. Having said this, security is and always will be a problem in an open system. "Since Web 2.0 platforms enable anyone to upload content, these sites are easily susceptible to hackers wishing to upload malicious content. Once the malicious content has been uploaded, visitors to these sites can also be infected, and the site owners could potentially be responsible for damages incurred," says Niraj Kaushik, country manager, SAARC, Trend Micro.

"Web 2.0, or the social application of Web 2.0, has convinced us that it's okay to upload personal data to various websites. This is where the problem is," says Gandham. He concurs that the security issue is there, but the problem in today's era is the sheer volume of personal user data stored online.

The Aspect
Another aspect of the security risk in Web 2.0 is that the Web 2.0 technologies themselves have security vulnerabilities. From a technical standpoint too, Web 2.0 sites are more prone to attack since they have more interactions with the browser and require running complex JavaScript code on user machines. As Munish Gupta, AVP, Business Development, GlobalLogic India, points out, "A website based on the new programming techniques has a greater attack surface because it has many more interactions with the browser and may run JavaScript on the client PC." There is also little awareness that the information users place on websites such as MySpace and Bebo could be traceable to them in the future and permanently linked to them. According to Vishak Raman of Fortinet, the need for collaboration brings in the use of technologies like AJAX and XML, which in effect bring in the vulnerabilities.

However, Jhaveri provides another perspective: he maintains that Web services and Ajax applications have not given rise to new classes of security vulnerabilities, but rather to new ways to attack applications and a larger attack surface, creating challenges for both developers and testers. What makes matters worse is that a number of these sites are considered trusted by URL filtering and categorization products. Most enterprises do not normally block users from visiting Web 2.0 sites, which could become an IT security risk.

Data Leakage over Social Networking
As the technology helps extend the social circle and business contacts, it also invites unwanted parties. On many social networking sites, people sign up and then fill in all their personal information simply because there's a field for it. These profiles are public by default rather than private, and they're open to search engines as well. So people think their information is private and later discover it isn't. In many cases, what's good for the site owners isn't necessarily good for the users. Another problem with the plethora of new Web 2.0 social networking sites is that they often don't understand what privacy and user consent mean.

Because of the ease of information access and the lack of control, hackers can have a field day on social networking sites. All one needs to do is access the publicly available personal information that people post on these sites. False, untraceable identities can be created easily and used to connect with new social circles. Once in, studies have shown, many people accept invitations without properly ascertaining the sender's background or intentions.

Haunting Ajax Milieu
Understanding the challenges built into Web 2.0 technologies like Asynchronous JavaScript and XML, or simply Ajax, can help avoid security pitfalls that may crop up along the way. Ajax comprises a set of Web technologies combined to let browsers refresh content (like stock quotes) in real time without reloading the page. As these requests for content are hidden from the user's view, Ajax provides a delay-free user experience and enables rich Web services.

In the security context, the Ajax code in a page can query back-end Web services automatically, without any visible navigation; in other words, it queries the hidden Web. This gives attackers an opening to create invisible attacks using Ajax queries: the requests are never shown to the user, they may be issued only when a particular parameter or user action triggers them, and they may be encrypted in transit using SSL, so neither the user nor a network gateway sees them. A URL filtering solution will most likely be unaware that a given site is malicious, because it sees only the site's address and does not know which parameter will activate the malicious Ajax script.

Jhaveri says that Ajax-based applications are particularly susceptible to a number of traditional and new Web-based attacks such as man-in-the-middle, as well as unauthorized access to the scripts and processes that handle Ajax requests. This is not because Ajax makes this type of attack any easier to perpetrate, but because of the technology's reliance on JavaScript and its under-the-covers nature. Many toolkits do not provide a mechanism for passing credentials, so data must somehow be embedded in requests, or ACLs must be placed on each script that automatically take advantage of the HTTP basic authentication mechanisms.


Ajax increases the possibility of so-called cross-site scripting flaws, which occur when the site developer does not properly encode user-supplied data in pages. An attacker can exploit this vulnerability to hijack user accounts, launch information-stealing phishing scams, or even download malicious code onto users' computers, experts say. Web companies such as Microsoft, eBay, Yahoo and Google have all experienced cross-site scripting flaws on their websites. Ajax applications are also vulnerable to JavaScript hijacking, a form of cross-site request forgery (CSRF) in which a hostile page loads a JSON response from another site with a script tag, using the victim's logged-in session, and reads the data it carries.

The transfer of Web 2.0 ideas to B2B applications, known as Enterprise 2.0 or Enterprise Web 2.0, is currently taking place with rich Web applications (RWA) and browser-based rich Internet applications, many of which use Ajax. According to Gupta of GlobalLogic, "Security is a weak area in Ajax, and there needs to be a concerted effort to improve awareness and understanding of the vulnerabilities and how to deal with them if Enterprise Web 2.0 is to succeed." But the cross-site scripting issue is only one of the risks. Other potential problems in Ajax code include race conditions, code correctness issues, object model violations, insecure randomness and poor error handling.

Security Nirvana
Vishal Dhupar, MD, Symantec India, terms Security 2.0 the enhanced version of security needed to protect the Web 2.0 era. "The battleground for security is no longer just the device or infrastructure, as it used to be in Security 1.0; rather it has shifted to the information and interactions," he adds. Protecting this information and securing these interactions takes more than bolted-on security. It takes integrated products and services that provide a holistic view of an organization's security posture. It also takes solutions that identify risks early, so that steps can be taken to mitigate them and prevent an attack. And it entails enabling customers to manage their security events, no matter what products they may already have installed.

Web application firewalls have evolved and now include the ability to block attacks against Ajax and other XML-based interfaces. A Web application firewall or XML firewall prevents existing and emerging attacks from reaching the application server, stopping the majority of Ajax- and XML-borne attacks from affecting internal application infrastructure. These solutions are certainly not all-inclusive, nor are they meant to replace secure development practices, but they can augment existing security policies by putting in place a first line of defense that keeps most malicious traffic from reaching the application.

Considering the fundamental difference between Web 2.0 and static HTML, that Web 2.0 applications are more interactive with users, there is an increased need for a strong architectural approach, from planning to design to development and implementation, that keeps security in mind at each stage. According to Gupta of Cisco, Web 2.0 is not a single piece of software or a device; rather it is a growing platform. As mentioned earlier, security can be compromised at multiple levels of the platform, ie, application, database, network and end device. For secure communication and data sharing, an integrated, adaptive and collaborative security approach is essential.

Shipra Malhotra
shipram@cybermedia.co.in
