Slashdot Mirror


Top 10 Web 2.0 Attack Vectors

Fred writes, "HNS is running a story about Web 2.0 and the new attack vectors it opens up. Worms of the Yamanner, Samy, and Spaceflash types are exploiting client-side AJAX frameworks, providing new avenues of attack and compromising confidential information. On the server side, XML-based Web services are providing distributed application access through Web services interfaces and opening up new vulnerabilities in the process." The article is spread over 6 short pages and there is no printer-friendly URL.

3 of 64 comments

  1. No substance by suv4x4 · Score: 4, Interesting

    Most of those "attack vectors" boil down to injections and non-validated data, AKA "don't trust the user input". I don't know how they managed to multiply one single flaw into so many "vectors".

    And there's also this "attacking scripts in RSS": what was this supposed to mean? My RSS readers don't execute script in RSS. No examples, no links.

    One more talked about hijacking confidential information from a bank cookie. No example how this is done, just the author assumes we know how to automatically sniff the cookie, and that the bank doesn't use server-side sessions like 99% of them out there, but stores it all in a plain cookie.

    Basically the article is not as fun or informative as the title suggests.

    1. Re:No substance by possible · Score: 2, Interesting

      I think the article does have some problems of clarity, but don't be so quick to dismiss the security issues. Using Cross-site request forgery (XSRF) against a vulnerable application, I can use a page with a hidden form (submitted automatically with JavaScript) to launch a silent cross-domain POST to your online bank (changing your password). Even if your online bank uses server-side sessions, the browser is nice enough to automatically send its cookies with my POST request. Chances are your bank is not protected from XSRF, as very few web applications are today.

    2. Re:No substance by daviddennis · Score: 3, Interesting

      Guess what?

      Samy's worm did exactly that.

      Relevant extract from his fascinating account, well worth reading in its entirety:

      9) Finally we can do a POST! However, when we send the post it never actually adds a friend. Why not? Myspace generates a random hash on a pre-POST page (for example, the "Are you sure you want to add this user as a friend" page). If this hash is not passed along with the POST, the POST is not successful. To get around this, we mimic a browser and send a GET to the page right before adding the user, parse the source for the hash, then perform the POST while passing the hash.

      I must say I was quite impressed, not to mention frightened half to death, by what Samy went through to create his worm. It was not a simple task at all. I had thought before that nobody would waste their time doing something like this; I was, of course, wrong.

      The consequence of his story is that I changed my own social networking site to become a lot more secure. I didn't like doing it because I would have preferred to let people do what they want, but that article was a real eye opener as to how dangerous that would have been.

      D
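The XSRF scenario in possible's reply (a hidden form on another site auto-POSTing to a bank while the browser attaches the session cookie) and the per-page random hash MySpace required in the Samy extract are two sides of one control: the server only accepts a state-changing POST that carries a secret the forging page cannot know. The code below is an added example written for this thread, not code from the article, from Samy's write-up or from any commenter. It shows the synchronizer-token check on the server side; the in-memory session store, the `bank.example` origin and the plain-dict request layout are all constructed for the illustration and stand in for whatever framework a real application uses.

```python
import hmac
import re
import secrets

# Assumed origin of the protected application (constructed for the example).
SITE_ORIGIN = "https://bank.example"

# Constructed in-memory store standing in for server-side sessions:
# session id -> {"csrf_token": ..., "password": ...}
SESSIONS = {}


def new_session(password="old-secret"):
    """Log a user in: a fresh server-side session gets its own random CSRF token."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32), "password": password}
    return sid


def render_change_password_form(session_id):
    """GET handler: the form embeds the session's token as a hidden field.

    This is the 'pre-POST page' role that MySpace's random hash played: only a
    page served to this session (same origin) can read the value back out."""
    token = SESSIONS[session_id]["csrf_token"]
    return (
        '<form method="POST" action="/change-password">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input type="password" name="new_password">'
        "</form>"
    )


def handle_change_password(request):
    """POST handler. `request` is a dict with 'cookies', 'headers' and 'form'."""
    sid = request["cookies"].get("session")
    if sid not in SESSIONS:
        return 401, "not logged in"
    session = SESSIONS[sid]

    # Defence in depth: browsers add an Origin header to cross-site POSTs.
    # If it is present and is not our own origin, refuse before anything else.
    origin = request["headers"].get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403, "cross-origin request refused"

    # Synchronizer-token check. The cookie alone proves nothing, because the
    # browser sends it with every request to this site, forged or not.
    submitted = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return 403, "missing or invalid CSRF token"

    session["password"] = request["form"]["new_password"]
    return 200, "password changed"


def extract_token(html):
    """What the legitimate page (or same-origin script) does: read the hidden field."""
    match = re.search(r'name="csrf_token" value="([^"]+)"', html)
    return match.group(1) if match else ""


def legitimate_flow():
    """User loads the bank's own form, then submits it with the token it carried."""
    sid = new_session()
    token = extract_token(render_change_password_form(sid))
    status, _ = handle_change_password({
        "cookies": {"session": sid},
        "headers": {"Origin": SITE_ORIGIN},
        "form": {"csrf_token": token, "new_password": "new-secret"},
    })
    return status, SESSIONS[sid]["password"]


def forged_cross_site_flow():
    """Hidden form on another site auto-submits to the bank. The browser attaches
    the session cookie, but the forging page never saw the token. No Origin
    header is sent here, to show the token check alone catches it."""
    sid = new_session()
    status, _ = handle_change_password({
        "cookies": {"session": sid},
        "headers": {},
        "form": {"new_password": "attacker-chosen"},
    })
    return status, SESSIONS[sid]["password"]


if __name__ == "__main__":
    print("legitimate:", legitimate_flow())   # (200, 'new-secret')
    print("forged:", forged_cross_site_flow())  # (403, 'old-secret')
```

The token is compared with `hmac.compare_digest` rather than `==` so that a wrong guess does not leak how many leading characters matched. Note the limit the Samy extract itself makes clear: script that already runs in the site's own origin can GET the form and read the hash, exactly as his worm did, so a token defeats the cross-site hidden-form attack but does nothing against script injected into the application's own pages. That second problem is the "don't trust the user input" class suv4x4 describes, and has to be fixed separately.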