Understanding Top Web 2.0 Security Attacks

One of the most eye-opening sessions of the conference so far has been this one on Web 2.0 security. The speaker, Danny Allan from Watchfire, an IBM company, was a fantastic speaker and one of the most engaging of the week. There are a lot of security risks in just about all rich internet applications on the web today, mostly due to the way the world wide web was built – there are all kinds of ways hackers can attack a web site to gain access to secure information. Why would they want to gain access to this information? Mostly, almost always, for financial gain.

He listed out 3 types of core attacks that may be used:

1. Browser attacks: such as plugin flaws.
2. Server side attacks: this is the more traditional attack such as SQL injection attacks.
3. Client side attacks: Using XSS (cross-site scripting), CSRF, etc hackers can gain control over a users computer. There are 108 ways to exploit XSS attacks.

The main technologies that are attacked are:

1. Browsers
2. Ajax
3. Web Services

It’s also worth noting that mashups are especially difficult to protect. There is the possibility that an attack in one widget could pull sensitive data from other widgets. Also it’s difficult to know when that happens because the DOM doesn’t recognize these sorts of attacks.

Other types of attacks mentioned are JS hijacking, prototype hijacking (hackers are able to basically replace your javascript function with their own), cache poisoning, DNS attacks, DNS Reminding attacks.

He then proceded to show us this demo of a XSS proxy which allowed him to gain control of a users’ bank information (not a real bank site) by pasting some malicious javascript code in the site search box and submitting it. Using the XSS proxy, he basically had a hacker admin panel that allowed him to view all kinds of data he ’stole’ from the user, including every link they clicked, every page viewed, all passwords and data typed in text fields, and basically anything sent through the browser you can think of. Since this was staged and just a demo, there are of course a lot of things that needed to be in place for this to work correctly but the point is, it’s possible. One of the things I thought was really interesting is that he actually leveraged CSS code (href tag styles) in his algorithm to gain access to this fake person’s data. Yikes!

IDE + Framework Roundup 1

A few of the sessions that I’ve decided not to go into detail about were basically sales pitches (I’m using the term loosely – Most of these are open source and free to use) for a development IDE or framework… here’s a few of note:

• Aptana Studio & “Jaxer” Ajax Server – This IDE has support for HTML, CSS, Javascript, PHP, and Ruby On Rails. It’s interesting because it supports most of the popular javascript libraries (prototype, dojo, etc) and offers some pretty slick code completion. It also seems like a pretty swell IDE for the iPhone SDK (The speaker built a small web app for the iPhone in a matter of minutes). The Ajax server allows for server-side javascript.
• jMaki -A mashup framework, in beta, created by Sun Microsystems. This seems to have a lot of potential. Basically they created wrappers for several popular js toolkits which allows developers to use PHP, JSP, or whatever to embed the javascript code. It abstracts the event model of whatever particular js library you use into your language of choice. It is supported (with the help of plugins) in Netbeans, Eclipse, and ANT-based tools.
• Webtop – Also created by Sun, Webtop is based on jMaki and is essentially an open source, extensible iGoogle clone.
• ICEfaces – Java EE Framework for building asynchronous, real-time social web applications.

The Performance Paradigm of a Mashup World – Tech Session, Day 1

Peter Kirwan of WebMetrics was the presenter of this session. There was a lot of propaganda to sort through (his company offers monitoring services for web applications, among other things), but he talked a lot about one of the few recurring themes in the conference – The lack of security and performance standards in the mashup world. With sites such as iGoogle, PageFlakes, or any other mashups (ad services are also mashups) , your site performance relies on the performance of the applications that you mash together… in other words, if you use a widget from some third party that runs slowly it can bring down your site as well. The same concern holds for security risks when using third party widgets. Often you don’t know what’s going on behind the scenes (third parties may be using other third parties, and so on), and that can open up your application to a lot of potential security threats.

buzzword alert!

Mashup – Not a new term, but I’ve heard it a lot just in the first day. “Mashups of mashups of mashups” was also mentioned. Means “aggregate application”. Refer to pageflakes.com…

2 more sessions in day 1 to come…

ASP.NET Ajax Design Patterns : Tech Session, Day 1

One good thing I learned from this – Microsoft has a free version of Visual Studio called Visual Web Developer 2008 that even their own developers use on a regular basis… obviously they’re not making it a high priority to promote it.

This was a basic demo of how to create an ajax driven page using the AJAX.NET controls (partial page update panels). The speaker mentioned several different popular methods of retrieving data using ajax.net – such as paging/caching records and using what he called “predictive fetching” which is basically just saying we should program applications in a way that stores relevant data (cached using javascript) to be shown later based on the actions the user takes in the beginning of their session. He also mentioned pageflakes.com, since it was built using ajax.net.