Slashdot Mirror

← Back to Stories (view on slashdot.org)

Top 10 Web 2.0 Attack Vectors

Posted by ryuzaki0 on from the danger-2.0 dept.

Fred writes, "HNS is running a story about Web 2.0 and the new attack vectors it opens up. Worms of the Yamanner, Samy, and Spaceflash types are exploiting client-side AJAX frameworks, providing new avenues of attack and compromising confidential information. On the server side, XML-based Web services are providing distributed application access through Web services interfaces and opening up new vulnerabilities in the process." The article is spread over 6 short pages and there is no printer-friendly URL.

4 of 64 comments (clear)

  1. pretty soon, you will need big blue by zappepcs · · Score: 3, Insightful

    to build you a sand box to take care of all the new features but still protect your pc from all the evils of the world wide web.

    Seriously, shouldn't 2.0 come equipped with some things that make it safer, not just more flashy?

    --
    Support NYCountryLawyer RIAA vs People
    1. Re:pretty soon, you will need big blue by ElleyKitten · · Score: 5, Insightful
      Seriously, shouldn't 2.0 come equipped with some things that make it safer, not just more flashy?
      Uh, "Web 2.0" isn't a product. It's a buzzword for flashy things, so it makes sense that it doesn't "come with" more security.
      --
      "What is Internet Explorer 7? Are you saying we can't access the normal internet?" - I love tech support. Really.
    2. Re:pretty soon, you will need big blue by k12linux · · Score: 4, Insightful

      Most of these come back to developers violating one of the key rules of web application development (from the web 1.0 stuff as well.) DON'T IMPLICITLY TRUST DATA YOU GET FROM THE CLIENT!

      You see it over and over again: Fantacy football sites that let you select players that aren't available by POSTing their id. A site that lets you delete your account but accepts the user ID you send in a POST without validating it (so replacing the ID with '%' deletes ALL accounts.)

      These things should only be rookie mistakes. Yeah, validating data takes time to code. But if you don't do it you are just asking to be hacked.

  2. Re:No substance by WWWWolf · · Score: 4, Insightful
    And there's also this "attacking scripts in RSS": what was this supposed to mean? My RSS readers don't execute script in RSS. No examples, no links.

    Not everyone's using an RSS reader from four years ago. =) Many RSS readers allow rendering of HTML. Heck, I'm using Bloglines, which is a web-based RSS reader; guess whether or not it supports HTML? However, it's up to the client to scrub the content properly and remove <script> crap.

    Another question is, exactly how can you expect to launch an attack in a web feed? People use bazillion different RSS/Atom readers, and in many cases they're entirely separate from their web browsers...

    Though, I hope people read the Atom spec if they're implementing it, scrubbing HTML content is specifically addressed in the "Security Considerations": "Atom Processors should pay particular attention to the security of the IMG, SCRIPT, EMBED, OBJECT, FRAME, FRAMESET, IFRAME, META, and LINK elements, but other elements might also have negative security properties."