Web 2.0 Security

University of Zagreb, Central European Conference on Information and Intelligent Systems 2009

1. Introduction
2. Web 2.0
3. Vulnerabilities of Web 2.0 services
4. Methods of protection, detection and reaction

There is no single definition of Web 2.0. It appeared in 2004 as a logical continuation of the web (1.0), and it was promoted by the O'Reilly Media Group and Media Live International.

It introduced interactivity of users with services, and exchange and active communication of web content. Unlike standard PC platforms, this platform is the Internet (or intranet) itself: users run applications on the Internet (or intranet) using a web browser. There are many examples of its use, from business applications to e-government, entertainment, e-education (e-learning), e-tourism and e-industry.

RIA - Rich Internet Application: web-based applications created and designed to have all the functionality of a desktop application. Execution is divided into the user part on the client side and the manipulation of data on the application server side. The application runs inside the browser and does not require any additional software to be installed; the only restriction can be the plug-ins integrated in the browser.

AJAX - Asynchronous JavaScript and XML: it is a technique, not a programming language. AJAX lets a web application receive data from the server "asynchronously" or "intermittently", in the background (example: Google Maps). Between the HTML and the server, AJAX uses JavaScript: the JS calls the server, acquires data, and changes and manipulates it, without the user needing to "refresh" or "reload" (F5).


Almost all prominent universities and institutions of higher education in the world have greatly developed their e-platforms. Behind these platforms there are usually Web 2.0 services such as Moodle, weblogs, Wikipedia, forums, chats, or even YouTube and podcasting services. Some of the key features and technologies include AJAX, RSS, mashups, site maps, etc.

There are several main problems in the development of Web 2.0 applications. The most important one is "never believe the client and what he or she submits to the application". The reason is simple: after the input is submitted, the developer has no control over the data that comes back from the client browser and does not know what happened to the code. The JavaScript can easily be changed by a hacker, and the hacker can then take data from the server.

The second problem is "mashups". This is the model that "mixes" and combines data and services from several different sites and displays them in the user's browser as a new service. Some (all) influential portal owners (including Google) allow their API (application programming interface) to be used through a gateway on other web sites. That is how a "mashup" functions. There is a security problem with "unwanted" and "unknown" data flow.


Most frequent attacks during 2006, 2007 and 2008:

  • SQL injection
  • XSS (cross-site scripting)
  • XSRF/CSRF (cross-site request forgery)


73% of all reported and discovered vulnerabilities belong to web technology!

"#$ %"" &"'()

!

)*+

,

www.some-target-site.com

some' OR 1=1 -some' OR 1=1 --

SQL injection is a great potential danger. This kind of attack uses SQL sequences taken from SQL itself: a simple SQL statement can hand data from the database to an attacker. There is a simple reason for that: the application is made in a way that does not validate input prior to processing it. SQL injection can be performed from the address bar, a search form or a login form.

www.some-target-site.com/index.asp?id=some' OR 1=1--

SELECT * FROM users WHERE username='some' OR 1=1--' AND password='some' OR 1=1--'
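To show why the statement above returns every row, and what the missing validation looks like in practice, here is an added example (not code from the original slides) in Python with an in-memory SQLite database. The users table, the sample accounts and the `is_valid_id` helper for an `id=` parameter are constructed for this example; the vulnerable login concatenates input exactly as the slide's query does, and the safe login uses a parameterised query so that quotes and comment markers in the input remain plain data.

```python
import sqlite3

# Constructed sample data for this example (not from the slides): a tiny users table.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username: str, password: str) -> list:
    """The pattern from the slide: user input is pasted into the SQL text.

    The input  some' OR 1=1--  closes the string literal, adds an always-true
    condition and comments out the password check, so every row matches.
    """
    sql = ("SELECT username FROM users WHERE username='" + username +
           "' AND password='" + password + "'")
    return sorted(row[0] for row in conn.execute(sql))


def login_safe(conn, username: str, password: str) -> list:
    """Parameterised query: the driver sends the values separately from the
    statement text, so quotes and '--' in the input are just characters."""
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    return sorted(row[0] for row in conn.execute(sql, (username, password)))


def is_valid_id(raw: str) -> bool:
    """Input validation for a parameter such as index.asp?id=...: a record id
    must be a short plain decimal number; anything else is rejected before
    any query is built (hypothetical helper for this example)."""
    return raw.isascii() and raw.isdigit() and len(raw) <= 10


if __name__ == "__main__":
    conn = make_db()
    payload = "some' OR 1=1--"
    print("vulnerable:", login_vulnerable(conn, payload, payload))  # every user
    print("safe:      ", login_safe(conn, payload, payload))        # no match
    print("id check:  ", is_valid_id("42"), is_valid_id(payload))  # True False
```

The two login functions differ only in how the values reach the database; the parameterised version is the fix, and the `is_valid_id` check is the "validate input prior to processing" step the slide says is missing.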


XSS, like SQL injection, is associated with unwanted data flow. The attacker inserts malicious code into existing, dynamically generated web pages. When an uneducated user clicks on the page, the malware is executed on the computer, and the hacker can take control over the computer/system.

http://www.some-target-site.com/search.php?text= <script> document.location("http://hackrs-site.com/phishing_login.php")

The injected code is JS or VBScript.
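The search page above reflects the `text` parameter straight into its HTML. The following added example (not from the original slides) shows, in Python, the reflecting page as written versus the same page with output encoding, plus a Content-Security-Policy header as defence in depth. The page template, the `text` parameter handling and the check function are constructed for this example; the slide's payload is embedded as a constructed input string.

```python
import html
from urllib.parse import urlparse, parse_qs

# Constructed page template for this example; {query} is the reflected search text.
TEMPLATE = "<html><body><p>Results for: {query}</p></body></html>"

# The slide's payload, embedded here as a constructed input string.
SLIDE_PAYLOAD = '<script> document.location("http://hackrs-site.com/phishing_login.php")'


def query_from_url(url: str) -> str:
    """Pull the 'text' parameter out of a search URL (percent-decoding included)."""
    return parse_qs(urlparse(url).query).get("text", [""])[0]


def render_vulnerable(text: str) -> str:
    """Reflects the parameter verbatim: any markup in it becomes part of the page."""
    return TEMPLATE.format(query=text)


def render_safe(text: str) -> str:
    """HTML-encodes the parameter, so '<' becomes '&lt;' and '"' becomes '&quot;';
    the browser displays the text instead of executing it."""
    return TEMPLATE.format(query=html.escape(text, quote=True))


def security_headers() -> dict:
    """Defence in depth: a Content-Security-Policy restricting scripts to the
    site's own origin blocks an injected inline script even if encoding is missed."""
    return {"Content-Security-Policy": "default-src 'self'; script-src 'self'"}


def reflects_markup(page: str) -> bool:
    """Cheap check for a test suite or review: does the rendered page contain a raw script tag?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    url = ("http://www.some-target-site.com/search.php?text="
           "%3Cscript%3Ealert(1)%3C/script%3E")
    text = query_from_url(url)
    print(reflects_markup(render_vulnerable(text)))  # True
    print(reflects_markup(render_safe(text)))        # False
    print(render_safe(SLIDE_PAYLOAD))
```

Encoding at output time is the correct fix because it is applied where the data meets HTML; the CSP header is a second layer, not a replacement for it.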

[Figure: CSRF scenario between the user, the CSRF host www.hackers-site.com and the webmail server http://www.webmailserver.com: open connection, login, request]

CSRF ("cross-site request forgery") is a type of attack in which the attacker exploits "the vulnerability of web sites that believe their users or clients". CSRF "betrays the trust that a website has in its users". Unlike XSS, CSRF does not require (but can use) a malicious script injected into the trusted page; the user only needs to visit a malicious web site.

The forged request can be built with JS or VBScript.
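Because the webmail server in the figure accepts any request carrying the user's session, the standard defence is to demand something the attacker's page cannot supply. The added example below (not code from the original slides) implements that in Python: a synchroniser token bound to the session with an HMAC, a constant-time check, a POST-only rule for state changes and an Origin header check. The request dictionaries, the session id and the server key are constructed for this example; the origins are the ones named on the slide.

```python
import hashlib
import hmac
import secrets

# Constructed per-deployment secret; a real server loads this from configuration.
SERVER_KEY = secrets.token_bytes(32)
SITE_ORIGIN = "http://www.webmailserver.com"  # the trusted host from the slide


def issue_csrf_token(session_id: str) -> str:
    """Synchroniser token bound to the user's session: HMAC(key, session id).
    It is placed in the site's own forms; a page on another origin cannot read it."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf_token(session_id: str, submitted) -> bool:
    """Recompute the token for this session and compare in constant time."""
    if not isinstance(submitted, str):
        return False
    return hmac.compare_digest(issue_csrf_token(session_id), submitted)


def handle_state_change(request: dict) -> tuple:
    """Server-side handler for a state-changing action (e.g. sending mail).

    request is a constructed dict: {"method", "session_id", "headers", "form"}.
    Three checks, any one of which stops a forged request:
      1. only POST may change state (an <img src=...> on another page is a GET);
      2. if the browser sent an Origin header, it must be our own origin;
      3. the form must carry a valid token for the logged-in session.
    """
    if request.get("method") != "POST":
        return 405, "state changes must use POST"
    origin = request.get("headers", {}).get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403, "cross-origin request rejected"
    token = request.get("form", {}).get("csrf_token")
    if not verify_csrf_token(request["session_id"], token):
        return 403, "CSRF token missing or invalid"
    return 200, "action performed"


if __name__ == "__main__":
    sid = "session-abc"  # constructed session id
    token = issue_csrf_token(sid)
    genuine = {"method": "POST", "session_id": sid,
               "headers": {"Origin": SITE_ORIGIN},
               "form": {"to": "friend@example.com", "csrf_token": token}}
    # A forged request rides on the victim's session cookie (same session_id)
    # but comes from www.hackers-site.com and cannot include the token.
    forged = {"method": "POST", "session_id": sid,
              "headers": {"Origin": "http://www.hackers-site.com"},
              "form": {"to": "attacker@example.com"}}
    print(handle_state_change(genuine))  # (200, 'action performed')
    print(handle_state_change(forged))   # (403, 'cross-origin request rejected')
```

The token check is the one that matters when no Origin header is present; the Origin check and the POST-only rule are cheap additional layers that also make forged requests easy to spot in server logs.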


Malware is the term that describes malicious code that damages computers in every possible way. The number of attacks on systems and the amount of malware are growing, and today a new malicious web site is discovered every 15 seconds somewhere in the world. Five new "scareware" web sites are identified every day. The U.S.A. is one of the top countries that "host malware" (37%), followed by China with Hong Kong (27.7%) and Russia (9.1%).

$S_{IS}$ = Security of Information System

$S_{IS} = S_{PE} \cup S_{PH} \cup S_{LO}$

$S_{PE}$ - Personnel Security
$S_{PH}$ - Physical Security
$S_{LO}$ - Logical Security

Considering the fact that 73% of recently reported and discovered "intrusions" into systems have been made through failures in web technology and web applications, this article emphasizes $S_{PE}$ (Personnel Security).


The article tried to give specific instructions to developers, administrators, end users and managers in order to increase the number of steps that a malicious user has to pass to reach our information system. The author also pointed out the things we need to pay attention to and gave some recommendations that could be built into the individual model of development and success of a "safer" IS. Companies should definitely update their documents called "Security Policy" and "Principles of IS Security". It is also recommended to do a detailed audit of all information systems ("penetration testing"). The most important thing in the whole process is the implementation of IS security measures and policies. Only one exception or failure can be fatal to the whole system.

