Web 2.0 may be the most ill
defined technology term to date. Everyone uses the term but I have yet to hear
a decent definition of it. O'Reilly Media is credited with coining the phrase
and
Tim
O'Reilly defines Web 2.0 as:
"Web
2.0 is the business revolution in the computer industry caused by the move to
the internet as platform, and an attempt to understand the rules for success on
that new platform. Chief among those rules is this: Build applications that
harness network effects to get better the more people use them."
If someone can decipher that please contact
me because I have no idea what it means.
Wikipedia on the other hand has this to say about Web 2.0:
"a perceived or proposed second generation of
Web-based services-such as social networking sites, wikis, communication tools,
and folksonomies-that emphasize online collaboration and sharing among users"
That's a bit better; at least I
can picture the sites that they're referring to. The truth is that Web 2.0
doesn't have a definition; it is simply referring to the emergence of more user
friendly, responsive web applications that take advantage of new technologies
to create a better user experience. In a nutshell, web applications are
beginning to feel like desktop applications, with the advantage of being interconnected
globally.
There are a number of
technologies being leveraged to create these next generation applications
including AJAX,
RSS, JSON, SOAP, Atom, etc. These technologies are in turn being used to create
fancy web sites such as Google Maps, flickr, del.icio.us,
Google Docs and Spreadsheets, etc.
What does this mean from a
security perspective? First off, Web 2.0 has not created any new
vulnerabilities, it has only changed the way that we build web applications.
All of the aforementioned technologies are layered on top of HTTP and are
subject to the same vulnerabilities that affect traditional web applications.
What has changed is where we need to look for the vulnerabilities. Virtually
all web application vulnerabilities exist when input is accepted and processed
without being properly sanitized. Identifying input is now less straight
forward. Input does not have to come from a web form, it does not need to be
generated by a user action and it does not even need to come from a user. Take
for example the case of Asynchronous JavaScript and XML (AJAX). AJAX instructs the
browser to make requests and receive responses behind the scenes. It creates a
more rich application as screen content can change without the need for a full
page refresh. Each of those requests occurring in the background represents
input. Take for example this
AJAX request being sent to BlinkList, a link sharing site. The request
triggers the following verbose SQL error message!
select usertag.name
from usertag where usertag.userid =
order by usertag.name<br>You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use near 'order by usertag.name' at line 1
How did I find it? No, I didn't
attack BlinkList, I spotted it when I had the XMLHttpRequest monitor enabled in
FireBug, a popular
FireFox extension. This is a request that the BlinkList developers built into
the application. They have actually built a SQL injection attack into their
website which is triggered any time a user visits the BlinkList homepage.
How about a mashup which pulls
various RSS feeds together to create a dynamic news site? Is that site
accepting input even if it's a read-only page? Absolutely. The feeds from third
party sites should be treated as untrusted inputs and be subject to the same
scrutiny as a web form accepting user input. Bob Auger warned us about this in
a whitepaper on injection
attacks in RSS and Atom feeds last year.
The point is that when testing
so called Web 2.0 applications we need to redefine what we consider to be
untrusted input. You cannot appropriately audit a web application without first
identifying all potential input vectors. Whether using commercial or freeware
tools or manually auditing a page, ensure that your approach is capable of
identifying and interpreting the input vectors contained in the application
being audited. Whether that input comes from an AJAX XMLHttpRequest, a third
party RSS feed of a SOAP based web service, it all represents a potential
attack vector and must therefore be tested with the same level of scrutiny as
would a user controlled web form.
Let the revolution begin.
- michael
Posted
02-15-2007 1:02 AM
by
erik.peterson