Attacking Web 2.0 at LinuxWorld

At LinuxWorld today, SPI Dynamic's senior security engineer, Matt Fisher, talked about the vulnerabilities of Web 2.0. His talk, although not much different from that of his colleagues Billy Hoffman and Brian Sullivan last week at Black Hat, offered some new examples of what criminals are doing online, armed with little more than a desktop browser. Cross-site scripting attacks are the No. 1 threat, according to the Mitre organization, in part because they are so easy to do.

In particular, Fisher singled out social-networking sites. Because the site depends on user content, the site allows users to upload HTML code, and in most cases, any HTML code. Knowing this, Fisher said someone could put a malicious script code into a blog post where it would sit until someone came along and read it. What bad could possibly happen from that, you might wonder? Fisher said that when someone in a corporate environment opens it, the attacker can then execute code inside the corporate perimeter on the internal network.

If that attack is too passive, Fisher suggested another scenario. In this scenario an attacker embeds malicious JavaScript into a customer help ticket. The help ticket is archived inside the corporate network. Every time a customer-support technician opens the help ticket, the code infects his or her desktop, and potentially, the corporate network.

Unlike operating system vulnerabilities, which can be addressed with a patch, cross-site scripting attacks aren't generic; they're specific to the Web application. The key to mitigating these attacks is to limit what end users can and cannot do on the site. That sounds simple, but newer Web 2.0 sites often don't check for common, even old-school methods of attack.