Q&A: Web 2.0 Security

Sam Masiello oversees the MX Logic Threat Operations Center. Masiello has more than 18 years of email systems and IT management experience, including nearly 10 years network and security systems management. In this interview he discusses various aspects of Web 2.0 security.

What are the main challenges involved in designing a secure Web 2.0 application? What advice would you give to developers?
Principles in securing Web 1.0 and Web 2.0 applications are very similar in that you need to be able to think like an attacker. You need to be able to think outside the box of functionality and try to think of ways that someone might try to abuse your software. One of the key differences in Web 2.0 software is that much more of the application code is pushed down to the client-side browser which also means that this code is also readily visible to an end user or an attacker. Developers need to make sure that they are performing extensive client and server side data input validation to ensure that malicious code does not get executed within or injected into their application. Do not allow more characters in an input field than are required and follow an allow list approach where characters that you want to permit as valid input are allowed and all others are denied.

When it comes to vulnerabilities, which ones are typical for Web 2.0?
The types of vulnerabilities that existed in Web 1.0 applications also exist in Web 2.0. Programmers still need to code against threat such as XSS attacks, CSRF attacks, code and SQL injection. The primary difference is that the threat vector is different since Web 2.0 applications rely heavily on AJAX, which uses XML for communication. One example of a Web 2.0 application vulnerability is the Yamanner worm from mid-2006 which exploited a cross-site scripting vulnerability within Yahoo! Mail’s AJAX implementation. Another popular example is the MySpace Samy worm from 2005. This vulnerability allowed a user to inject javascript onto his own profile page which functioned as a self-propagating XSS worm that added the Samy author as a “friend’ to the profile of everyone who viewed his page. The worm code spread exponentially by loading itself into the profile of anyone who viewed an infected user’s page. Along the way, every infected user was added as a friend to the Samy author. The end result was over one million people being added to Samy’s friend list within a 24 hour period.

Web 2.0 has certainly brought along some of its own new wrinkles to the party also. Since AJAX calls all happen in the background, under the covers to the end user, users likely have no idea when something malicious is going on with their browser. This gives attackers a very silent method by which to perform man-in-the-middle types of attacks to steal confidential and personally identifiable information.

With rich websites that allow user-created content comes the problem of malicious users embedding malware into their pages on such services. How can Web 2.0 websites protect themselves from abuse?
From a developer’s standpoint, knowledge is power. Knowledge and awareness of how attacks are carried out against Web 2.0 sites and following secure coding practices against those attacks are key to preventing them from happening. Never assume that your application is too small or that your system will not be targeted. Just as it only takes minutes for hackers to find a vulnerable, unpatched Windows PC to turn into a spam zombie and enlist it as part of a botnet, it is just as easy and just as certain that they will find and abuse vulnerable web applications too.

In your opinion, what kind of evolution can we expect when it comes to new attack vectors?
Unfortunately, malware has a bright future. The maturation of “Web 2.0” applications and services – with more software functionality pushed onto client systems and browsers – adds new vulnerabilities. Client systems are less protected than servers, making the larger footprint of Web 2.0 applications an inviting target. In addition, the tremendous profit potential of cyber crime has raised skill levels and created an entire criminal service industry devoted to stealing information or making money from stolen machines. Malware developers now write exploits rivaling commercial software in sophistication and quality, and their exploits are far more difficult to detect and clean.

Malware threats are fueling rapid growth in the worldwide market for defenses, with estimates ranging as high as 99% of networked systems used in business having some form of anti-malware defense installed. The annual growth rate for anti-virus software and services is forecasted to grow at 10.9% yearly from 2006-2013, climbing from $4.7 billion to $9.7 billion in annual global sales (Frost & Sullivan 2007, Worldwide Anti-Malware Products Market).