Version: 2008

Comments on: The security risk in Web 2.0

Security has become a no-brainer for desktop software, but the same doesn't hold true for the booming world of Web applications.

There is no new threat in web 2.0.
by n3td3v July 28, 2006 9:32 AM PDT
There is no new threat from Web 2.0.

It is just JavaScript people exploit in AJAX; it's the same JavaScript that's been around for years before the "AJAX" buzzword appeared.

You can say sites are basing a lot more of their site on JavaScript technologies which can be exploited by XSS holes, so there's more JavaScript around for folks to target.

However, there is no new hacking technique, even with the "Samy worm".
You're wrong.
by Xiaoth August 1, 2006 3:17 AM PDT
It's not client-side security that makes AJAX risky; it's server-side. An AJAX interface pings a web server using XML, such as with SOAP. For every XML-based interface on the server, you have a direct connection point to whatever's on the server. These connection points are essentially publicly exposed server-side functions that can very easily be improperly designed. For example, if an AJAX server connection point / function accepted a numeric identifier to return an object associated with the user, a hacker could easily exploit that and pass in any other number to get other users' objects.

We haven't even gotten started...
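The endpoint flaw Xiaoth describes, as an added example that is not part of the comment thread: a server-side handler that trusts a client-supplied numeric id, beside the version that re-checks ownership against the session and records denials so id probing shows up in logs. The store, sessions and ids are constructed for illustration.

```javascript
// Constructed in-memory store: object id -> owning user and data.
const store = new Map([
  [101, { owner: "alice", note: "alice's private note" }],
  [102, { owner: "bob", note: "bob's private note" }],
]);

// Vulnerable handler: returns whatever the requested id points at,
// never asking who is making the request.
function getObjectVulnerable(session, id) {
  const obj = store.get(Number(id));
  return obj ? { status: 200, body: obj } : { status: 404 };
}

// Detection hook: count ownership denials per session. A burst of these
// from one session is the signature of someone walking the id space.
const denials = new Map();
function recordDenial(session) {
  const n = (denials.get(session.user) || 0) + 1;
  denials.set(session.user, n);
  return n;
}
function denialCount(session) {
  return denials.get(session.user) || 0;
}

// Hardened handler: the id is still client-controlled, so the server
// validates it and confirms the object belongs to the authenticated user.
function getObjectHardened(session, id) {
  const n = Number(id);
  if (!Number.isInteger(n)) return { status: 400 };
  const obj = store.get(n);
  if (!obj) return { status: 404 };
  if (obj.owner !== session.user) {
    recordDenial(session);
    // Same response as "missing" so the id space cannot be mapped
    // by telling 404s apart from 403s.
    return { status: 404 };
  }
  return { status: 200, body: obj };
}

// Simulated AJAX calls: bob is logged in and asks for alice's object 101.
const bobSession = { user: "bob" };
console.log(getObjectVulnerable(bobSession, "101").status); // 200: alice's data leaks
console.log(getObjectHardened(bobSession, "101").status);   // 404: denied and logged
console.log(getObjectHardened(bobSession, "102").status);   // 200: bob's own object
```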
It takes two.
by ml_ess July 28, 2006 9:47 AM PDT
We hear about this all the time, MySpace (http://www.iwantmyess.com/?p=64) has recently been a target for cross-site scripting flaws as well.
When these codes start attacking websites like Yahoo and MySpace, which attract tens of millions of visitors, they're bound to get out of control. Users should do their part in educating themselves about proper security measures. At the same time, these organizations must invest time and money into making sure their websites aren't plagued with flaws and security holes.
There is no new way to secure web 2.0.
by n3td3v July 28, 2006 10:22 AM PDT
There is nothing new for Yahoo to learn in order to secure AJAX applications that they didn't know already.

They are the same vulnerability classes within AJAX applications that have been around for years before AJAX came along, and with that, the methods in which to secure AJAX from these vulnerabilities are the same.
follow the money
by gibbitz July 29, 2006 6:45 PM PDT
I suspect that this article was sponsored by Microsoft. "AJAX is unsafe, Atlas anyone?" The web is already full of scare tactics; why not use one as a viral marketing tool?

The simple fact is that AJAX is just a technique that uses pre-existing technologies. Free technologies. Just because JavaScript is calling for information from the server without a submit button doesn't mean that developers would treat security any differently than they did with a submit button.

As a freelancer, I hear enough of this "are Unix servers really safe? Aren't they open source?" Just because you pay through the nose for Windows Server doesn't mean it's safe. The same will apply to Atlas. The fact is, if there is a security hole in your application, the problem is your developers and not the technology you use to build it.

I think c|net should be a bit more discriminating in the titling of their articles. I get that this article's crux is "developers be cautious" but the title reads "new technologies are unsafe". People who read headlines, but don't read the articles (i.e. my clients) will assume that all new technologies are security risks and will need to be convinced to use what is appropriate for them.
Security has never been a no-brainer...
by wbenton July 30, 2006 8:35 AM PDT
The only no-brainers about security are those who place its importance last or those who don't include it in their products.

Anybody with any brain knows that.

Walt
Secure Web 2.0 Sites Exist...
by PhelixTheKhat August 3, 2006 9:54 AM PDT
There are sites out there which do exist to meet the needs of security. Sites like www.flingr.com allow customizing of the profile through a WYSIWYG editor, while maintaining strict security over what gets put up.

This is done using things like XSS filters, escaping characters properly on input, and similar. Also, it limits Flash and other AJAX objects from being entered (which aren't approved). Check it out.
Deja Vu
by ajbright December 27, 2006 5:07 PM PST
"But in the rush to add features, security has become an afterthought"

Now where have I heard that before? Oh yes, with just a handful of exceptions, almost every piece of networking software - internet or otherwise - ever produced.

Good to see developers still put pushing a product out the door before little things like checking to see what will push their products over the edge.

I award the 'Net 2.0 Development Community with the official "What Retard Thought Active X Was A Good Idea" award of 2006, as well as the usual monthly "Buffer Overflow" Medals of Honour.
yes indeed
by flaccid December 27, 2006 10:54 PM PST
... and notice how all that is being talked about here is Microsoft.

Let's see, AJAX originated from Microsoft. The XMLHttpRequest - very cool, but no security framework attached (which is normal for m$, right?).

Anyway, AJAX got big! Now what to do about security?

I guess we wait for w3c.
free privacy log
by darix2005 December 30, 2006 4:03 AM PST
More about privacy on the internet you can find here

http://privacy.emigrantas.com

enjoy it
by CMS_Security October 26, 2009 2:22 PM PDT
Good post, for its time. Thanks Joris! Security is a concern of ours at www.databasepublish.com as well, but it has come a long way since this post in 2006.