July 28, 2006 4:00 AM PDT

The security risk in Web 2.0

Web 2.0 is causing a splash as it stretches the boundaries of what Web sites can do. But in the rush to add features, security has become an afterthought, experts say.

The buzz around the new technology echoes the '90s Internet boom--complete with pricey conferences, plenty of start-ups, and innovative companies like MySpace.com and Writely being snapped up for big bucks. And the sense of deja vu goes even further for some experts. Just as in the early days of desktop software, they say, the development momentum is all about features--and protections are being neglected.

"We're continuing to make the same mistakes by putting security last," said Billy Hoffman, lead engineer at Web security specialist SPI Dynamics. "People are buying into this hype and throwing together ideas for Web applications, but they are not thinking about security, and they are not realizing how badly they are exposing their users."

Yamanner, Samy and Spaceflash are among the higher-profile attacks that have surfaced online. The Yamanner worm targeted Yahoo Mail, harvesting e-mail addresses and forwarding itself to all contacts in a user's Yahoo address book. The Samy and Spaceflash worms both spread on MySpace, changing profiles on the hugely popular social-networking Web site.

Web 2.0 lacks a precise definition; it's used mainly as a catch-all term to cover Web sites that are more than just plain, static pages. Web 2.0 sites are more interactive, allowing people to tag photos posted online, for example. Unlike their predecessors, they deliver an experience more akin to using a desktop application.

One of the key enablers of the flashier Web sites is a programming technique known as AJAX, which stands for "Asynchronous JavaScript and XML." Google Maps, launched last year, was one of the first Web applications to showcase the benefits of AJAX development techniques to a broad audience, when it let people use a mouse to move a map image around the screen.

But AJAX doesn't just help make Web pages and sites more interactive. It could also provide ways for hackers to hit a Web server and to exploit sites in attacks on visitors, experts said.

"Think of it like a house," said Hoffman, who will give a presentation on AJAX security at next week's Black Hat security event in Las Vegas. "A traditional Web site is like a house with no windows and just a front door. An AJAX Web site is like a house with a ton of windows and a sliding door. You can put the biggest locks on your front and back doors, but I can still get in through a window."

A Web site based on the new programming techniques has a greater "attack surface" because it has many more interactions with the browser and may run JavaScript on the client PC, he noted. JavaScript is a scripting programming language popular on Web sites. In contrast, old-fashioned Web sites typically accept information through forms.

Cross-site scripting
AJAX also increases the possibility of so-called cross-site scripting flaws, which occur when the site developer doesn't properly code pages, experts said. An attacker can exploit this type of vulnerability to hijack user accounts, launch information-stealing phishing scams or even download malicious code onto users' computers, experts have said. Big-name Web companies such as Microsoft, eBay, Yahoo and Google have all experienced cross-site scripting flaws on their Web sites.

"I think it would be na?ve for anyone to say that there are no security problems."
--Ryan Asleson, co-author, "Foundations of Ajax"

But cross-site scripting issues are only one risk. Other potential problems in AJAX code include race conditions, code correctness issues, object model violations, insecure randomness and poor error handling, said Brian Chess, chief scientist at Fortify Software, a maker of source-code analysis tools.

Such errors could expose people's data, let one user control another user's session, allow malicious code to run, or enable other attacks, Fortify said. The company's researchers found examples of all of these errors in sample AJAX code in a December analysis of "Foundations of Ajax," a how-to-book aimed at software developers.

"Since the code samples (in the book) are likely to be regarded as a best-practices guide, many software developers worldwide will learn insecure coding habits," Chess said.

Ryan Asleson, one of the authors of "Foundations of Ajax," said he had not heard of the alleged flaws in the sample code. However, he said, if those problems do exist, it is possible, because the code was kept as simple for a large audience. "We never intended the code that's in there to actually be production-ready code," he noted.

CONTINUED: New development, old mistakes…
Page 1 | 2

See more CNET content tagged:
AJAX, Web 2.0, XSS, Web application, expert


Join the conversation!
Add your comment
It takes two.
We hear about this all the time, MySpace (<a class="jive-link-external" href="http://www.iwantmyess.com/?p=64" target="_newWindow">http://www.iwantmyess.com/?p=64</a>) has recently been a target for cross-site scripting flaws as well.
When these codes start attacking websites like Yahoo and MySpace, which attract tens of millions of visitors, they're bound to get out of control. Users should do their part in educating themselves about proper security measures. At the same time, these organizations must invest time and money into making sure their websites aren't plagued with flaws and security holes.
Posted by ml_ess (71 comments )
Reply Link Flag
follow the money
I suspect that this article was sponsored by Microsoft. "AJAX is unsafe, Atlas anyone?" The web is already full of scare tactics, why not use one as a viral marketing tool.

The simple fact is that AJAX is just a technique that uses pre-existing technologies. Free technologies. Just because JavaScript is calling for information from the server without a submit button doesn't mean that developers would treat security any differently than they did with a submit button.

As a freelancer, I hear enough of this "are Unix servers really safe? Aren't they open source?" Just because you pay through the nose for windows server doesn't mean it's safe. The same will apply to Atlas. The fact is if there is a security hole in your application, the problem is your developers and not the technology you use to build it.

I think c|net should be a bit more discriminating in the titling of their articles. I get that this article's crux is "developers be cautious" but the title reads "new technologies are unsafe". People who read headlines, but don't read the articles (i.e. my clients) will assume that all new technologies are security risks and will need to be convinced to use what is appropriate for them.
Posted by gibbitz (1 comment )
Reply Link Flag
Security has never been a no-brainer...
The only no-brainer about security are those who place it's importance last or those who don't include it in their products.

Anybody with any brain knows that.

Posted by wbenton (522 comments )
Reply Link Flag
Secure Web 2.0 Sites Exist...
There are sites out there which do exist to meet the needs of security. Sites like www.flingr.com allow customizing of the profile through a wysiwyg, while maintaining strict security over what gets put up.

This is done using things like XSS filters, escaping characters properly on input, and similar. Also, it limits flash and other ajax objects from being entered (which aren't approved). Check it out.
Posted by PhelixTheKhat (3 comments )
Reply Link Flag
Deja Vu
"But in the rush to add features, security has become an afterthought"

Now where have I heard that before? Oh yes, with just a handful of exceptions, almost every piece of networking software - internet or otherwise - ever produced..

Good to see developers still put pushing a product out the door before little things like checking to see what will push their products over the edge.

I award the 'Net 2.0 Development Community with the official "What Retard Thought Active X Was A Good Idea" award of 2006, as well as the usual monthly "Buffer Overflow" Medals of Honour.
Posted by ajbright (447 comments )
Reply Link Flag
yes indeed
... and notice how all what is being talked about here is Microsoft.

Lets see AJAX originated from Microsoft. The XMLHttpRequest - very cool, but no security framework attached (which is normal for m$, right?).

Anyway, AJAX got big! Now what to do about security?

I guess we wait for w3c.
Posted by flaccid (6 comments )
Link Flag
free privacy log
more about privacy in the internet you can find here

<a class="jive-link-external" href="http://privacy.emigrantas.com" target="_newWindow">http://privacy.emigrantas.com</a>

enjoy it
Posted by darix2005 (31 comments )
Reply Link Flag
Good post, for its time. Thanks Joris! Security is a concern of ours at www.databasepublish.com as well, but it has come a long way since this post in 2006.
Posted by CMS_Security (1 comment )
Reply Link Flag

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot



RSS Feeds

Add headlines from CNET News to your homepage or feedreader.