Web 2.0 security flaw a wake-up call

A recently documented major vulnerability in Web 2.0 and Ajax-based software highlights the need for security to be built into applications at the start of development.

Early this month, Fortify Software, a provider of technology for identifying, managing and mediating software security vulnerabilities, announced that it had documented a major vulnerability in Web 2.0 frameworks and Ajax-based software.

Fortify identified the flaw as JavaScript Hijacking, which allows an attacker to use JavaScript to steal critical data by emulating legitimate users.

The security vendor said JavaScript Hijacking appears to be a ubiquitous problem. As part of Fortify's work, the 12 most popular Ajax frameworks were analyzed, including frameworks from Google, Microsoft, Yahoo and the open-source community.

Fortify determined that among them, only version 2.0 of open-source Direct Web Remoting (DWR)--which allows JavaScript in a browser to interact with Java on a server and helps manipulate Web pages with the results--implements mechanisms for preventing JavaScript Hijacking. The rest of the frameworks do not explicitly provide any protection and do not mention any security concerns in their documentations.

And even if an application does not use any Web 2.0 framework, the application may still be vulnerable if it contains Ajax components that use JavaScript as a data transfer format for sensitive data, Fortify added.

From a security perspective, Gartner said, Web 2.0 is reminiscent of Web 1.0.

"In the early- to mid-1990s, the use of HTML and HTTP was the 'next big thing'," the analyst company said in a research note. "Netscape and Sun Microsystems released LiveScript (later renamed JavaScript) in 1995 as a simple way to use client-side code to automate and liven up static HTML pages."

According to Gartner, enterprises rushed to market--and constantly updated--new Web applications based on these new technologies, often bypassing established processes for ensuring application quality and security. Fundamental tenets of application security were ignored or overlooked in the rush to apply these new technologies, leading to years of Web defacements, mass worm attacks, cross-site scripting, phishing and identity theft.

Gartner noted that it "believes that these mistakes are unnecessary, and that enterprises can achieve a balance between achieving the business advantages promised by Web 2.0 and maintaining security".

The report added that "security tools and processes can be extended to build security into Web 2.0--to prevent attacks leading to damaging compromises of customer and other business data--without impacting the usability or time to market of those applications".

A distraction
One security expert warned that the recent Fortify report is a distraction from the real issue.

Paul Ducklin, head of technology at Sophos Asia-Pacific, noted that the report "has become such a talking point that we risk losing sight of the clear and present danger posed right now on the Web, [which is] in the form of real--and unfortunately quite effective--attacks by determined cybercriminals".

He said in an e-mail interview with ZDNet Asia: "A cynic might say that Web 2.0 is nothing new, and would be correct, since the common technologies behind it have existed for some time."

Ducklin added: "What's new is how extensively some technology--notably client-side scripting, which is the AJ (Asynchronous JavaScript) part of Ajax--is used these days, and how popular sites that rely on AJAX have become.

"The rise of JavaScript has had the side-effect of turning your browser from a potentially dangerous download client into what is effectively a new software platform."

Ducklin also noted that the issue is not just "how secure Web 2.0 applications are", but "how attractive browsers and Web sites are as a money-making target for cybercriminals".

Sang Shin, a Java technology architect at Sun Microsystems, noted that security risk increases in Web 2.0 applications, since there are more participants in a collaborative computing environment.

He added: "What this means is that Web 2.0 applications need to do more vigorous input data validation. And this input validation has to be done not only for data coming from end-users but also for data from partners."

Shin said more organizations are considering security issues as architectural and functional design concerns, instead of treating them as after-thought issues. "I believe the Web 2.0 environment in general accelerates this trend because there are more participants in the form of end users and partners, thus increasing the security risks," he said.