
July 28, 2006 4:00 AM PDT

The security risk in Web 2.0


(continued from previous page)

The key to preventing security issues is developer training and practices, Asleson said. "I think it would be naive for anyone to say that there are no security problems," he said. "There are a lot of things that developers can do that can open all kinds of security holes."

AJAX itself doesn't introduce vulnerabilities, Chess said--it just makes it easier to make old mistakes. The software industry is exiting the desktop applications era, where buffer overflows were the big security problem. Now it's JavaScript in AJAX that is raising concerns. "It's an amazing return to the past," he said.

But Asleson, who aside from authoring two AJAX books is also a developer, disagrees with the notion that Web developers neglect security. "In some ways, there are some parallels between what we saw on the desktop 10 years or so ago. But back then, security really wasn't on anyone's radar, and today, it very much is," he said.

That sentiment was echoed by Google and AOL, two of the Web's giants. Google is a big AJAX fan, Douglas Merrill, vice president of engineering at Google, said in an interview via e-mail.

"In AJAX development, like all software development, it's important to carefully address security and build products with the user's best interests in mind," Merrill said. One of the benefits of Web-based applications, he noted, is that deploying fixes is typically fast and easy, requiring no action from the user.

Though Google hasn't been completely free of Web site flaws, security is part of the design, development, delivery and operation of its products and services, Merrill said.

"In our experience, processes where security is 'done' only by a security team are not scalable and tend to be ineffective," he said. "In contrast, we strive to integrate security into the overall product development process."

Bigger is better?
AOL said it believes large Web companies do a better job at security than small ones that are just starting out. "We have the advantage of more than two decades of experience and a large professional security team to help us keep new and existing products secure," company spokesman Andrew Weinstein said.

There is a rush to try to create the next MySpace, Flickr or Google Maps, Hoffman said, and there aren't many barriers to entry. But simply building the Web site is not the end of the development work, he added. Developers have to be security-conscious, about both bugs and the unanticipated malicious use of built-in features, he said.

In the case of Yahoo Mail, the Yamanner worm that spread last month took advantage of the software's ability to include JavaScript in messages, experts said. When the message was opened, a script ran, instructing the e-mail service to send the contacts in the online address book to a remote server. The worm also had the service mail the malicious message to all the people on that list.

Yahoo said it strives to protect members' information and to help with security across the industry. "We have a dedicated team of experts that ensure security is top-of-mind among our engineers and also help developers create secure services through a variety of methods throughout the engineering process, including developer education, infrastructure, reviews and tools," a company representative said.

At MySpace, last October's Samy worm is considered one of the first to exploit a cross-site scripting flaw. It exploited vulnerabilities in the MySpace site to add a million users to the author's "friends" list. When a MySpace user viewed an infected profile, his profile would in turn be infected and become infectious.

Both attacks were relatively innocent. But experts are cautioning that such flaws could be used in much more serious incidents. "I don't think the attackers, or the defenders, are up on Ajax yet," Chess said.

The burden rests on Web site developers to make sure their users and servers stay safe, experts said. Internet users can protect themselves to some extent using PC security software, such as virus and phishing shields. But such applications are typically most effective after an attack has surfaced, because they rely on attack signatures (the "fingerprint" of the threat) or blacklists of known malicious sites.

"The end-user ends up getting screwed, but the Web application really has the vulnerability in it," Hoffman said. "The only people who can fix the problem are the actual people who run the Web applications."

12 Comments
There is no new threat in web 2.0.
by n3td3v July 28, 2006 9:32 AM PDT
There is no new threat from Web 2.0.

It is just javascript people exploit in AJAX, it's the same javascript that's been around for years before the "AJAX" buzzword appeared.

You can say sites are basing a lot more of their site on javascript technologies which can be exploited by XSS holes, so there's more javascript around for folks to target.

However, there is no new hacking technique, even with the "Samy worm".
You're wrong.
by Xiaoth August 1, 2006 3:17 AM PDT
It's not client-side security that makes AJAX risky; it's server-side. AJAX interface pings a web server using XML, such as with SOAP. For every XML-based interface on the server, you have a direct connection point to whatever's on the server. These connection points are essentially publicly-exposed server side functions that can very easily be improperly designed. For example, if an AJAX server connection point / function accepted a numeric identifier to return an object associated with the user, a hacker could easily exploit that and pass in any other number to get other users' objects.

We haven't even gotten started...
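The "numeric identifier" flaw Xiaoth describes, as an added example (not the commenter's code): the direct lookup that trusts the client-supplied id beside one scoped to the authenticated user, plus a denial log, because a burst of denials from one session is the detection signal for id enumeration. The store, user names and object ids are constructed.

```python
# Constructed backing store: object id -> record, each owned by one user.
OBJECTS = {
    101: {"owner": "alice", "body": "alice's first note"},
    102: {"owner": "alice", "body": "alice's second note"},
    205: {"owner": "bob", "body": "bob's private note"},
}

# Constructed audit trail of refused lookups: (session user, requested id).
DENIED = []


def fetch_object_vulnerable(object_id):
    """The exposed AJAX endpoint as the comment describes it.

    Trusts the id alone, so any logged-in user can read any other user's object
    simply by changing the number in the request.
    """
    return OBJECTS.get(object_id)


def fetch_object(session_user, object_id):
    """Same lookup, scoped to the caller taken from the server-side session.

    Returns None for both 'no such object' and 'not yours', so a caller walking
    through ids cannot learn which ids exist; every refusal is logged.
    """
    record = OBJECTS.get(object_id)
    if record is None or record["owner"] != session_user:
        DENIED.append((session_user, object_id))
        return None
    return record


def list_objects(session_user):
    """The ids a user may see; the only ids the client-side UI should ever send."""
    return sorted(oid for oid, rec in OBJECTS.items() if rec["owner"] == session_user)
```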
It takes two.
by ml_ess July 28, 2006 9:47 AM PDT
We hear about this all the time, MySpace (http://www.iwantmyess.com/?p=64) has recently been a target for cross-site scripting flaws as well.
When these codes start attacking websites like Yahoo and MySpace, which attract tens of millions of visitors, they're bound to get out of control. Users should do their part in educating themselves about proper security measures. At the same time, these organizations must invest time and money into making sure their websites aren't plagued with flaws and security holes.
There is no new way to secure web 2.0.
by n3td3v July 28, 2006 10:22 AM PDT
There is nothing new for Yahoo to learn in order to secure AJAX applications that they didn't know already.

They are the same vulnerability classes within AJAX applications, that have been around for years before AJAX came along, and with that, the methods in which to secure AJAX from these vulnerabilities are the same.
follow the money
by gibbitz July 29, 2006 6:45 PM PDT
I suspect that this article was sponsored by Microsoft. "AJAX is unsafe, Atlas anyone?" The web is already full of scare tactics, why not use one as a viral marketing tool.

The simple fact is that AJAX is just a technique that uses pre-existing technologies. Free technologies. Just because JavaScript is calling for information from the server without a submit button doesn't mean that developers would treat security any differently than they did with a submit button.

As a freelancer, I hear enough of this "are Unix servers really safe? Aren't they open source?" Just because you pay through the nose for windows server doesn't mean it's safe. The same will apply to Atlas. The fact is if there is a security hole in your application, the problem is your developers and not the technology you use to build it.

I think c|net should be a bit more discriminating in the titling of their articles. I get that this article's crux is "developers be cautious" but the title reads "new technologies are unsafe". People who read headlines, but don't read the articles (i.e. my clients) will assume that all new technologies are security risks and will need to be convinced to use what is appropriate for them.
Security has never been a no-brainer...
by wbenton July 30, 2006 8:35 AM PDT
The only no-brainer about security are those who place its importance last or those who don't include it in their products.

Anybody with any brain knows that.

Walt
Secure Web 2.0 Sites Exist...
by PhelixTheKhat August 3, 2006 9:54 AM PDT
There are sites out there which do exist to meet the needs of security. Sites like www.flingr.com allow customizing of the profile through a wysiwyg, while maintaining strict security over what gets put up.

This is done using things like XSS filters, escaping characters properly on input, and similar. Also, it limits flash and other ajax objects from being entered (which aren't approved). Check it out.
Deja Vu
by ajbright December 27, 2006 5:07 PM PST
"But in the rush to add features, security has become an afterthought"

Now where have I heard that before? Oh yes, with just a handful of exceptions, almost every piece of networking software - internet or otherwise - ever produced.

Good to see developers still put pushing a product out the door before little things like checking to see what will push their products over the edge.

I award the 'Net 2.0 Development Community with the official "What Retard Thought Active X Was A Good Idea" award of 2006, as well as the usual monthly "Buffer Overflow" Medals of Honour.
yes indeed
by flaccid December 27, 2006 10:54 PM PST
... and notice how all what is being talked about here is Microsoft.

Let's see, AJAX originated from Microsoft. The XMLHttpRequest - very cool, but no security framework attached (which is normal for m$, right?).

Anyway, AJAX got big! Now what to do about security?

I guess we wait for w3c.
free privacy log
by darix2005 December 30, 2006 4:03 AM PST
More about privacy on the internet you can find here:

http://privacy.emigrantas.com

enjoy it
by CMS_Security October 26, 2009 2:22 PM PDT
Good post, for its time. Thanks Joris! Security is a concern of ours at www.databasepublish.com as well, but it has come a long way since this post in 2006.