Web 2.0 and Security
Web 2.0 is proving to be an important step towards extending the capabilities of HTML interfaces through technologies such as AJAX, which use JavaScript and asynchronous calls to the server. It has a number of benefits, such as reducing the load on the web server by limiting the amount of traffic needed to perform a simple query or to manipulate the user's session state. It also allows the client's interface to be more intuitive and to offer features such as drill-down menus, input suggestion and smarter client-side validation. JavaScript is used with the DOM to modify sections of the HTML, updating the interface based on a request or a response.
It differs from the typical process that we experienced in the “web 1.0” of the past, where we typically had to perform all server functionality in a single page request, such as a user submitting a product to their cart or searching for a set of records. This meant that even the simplest of actions required a page refresh.
The shift towards Web 2.0 is something that we are seeing more of. A lot of developers are eager to get any form of AJAX integrated into their site just to feel current with the industry and say they are “doing web 2.0”. Often developers are jumping into Web 2.0 without thinking about the potential implications for either accessibility or security.
Recently I read an article on CNet describing how the hype behind Web 2.0 neglects the security implications that Web 2.0 raises as web developers push for features, neglecting design and security:
The buzz around the new technology echoes the ’90s Internet boom–complete with pricey conferences, plenty of start-ups, and innovative companies like MySpace.com and Writely being snapped up for big bucks. And the sense of deja vu goes even further for some experts. Just as in the early days of desktop software, they say, the development momentum is all about features–and protections are being neglected.
In previous articles we have discussed the realistic threat of security exploits such as Cross Site Scripting and some techniques to overcome cross-site scripting attacks. AJAX increases the possibility of security exploitation due to an increased “attack surface”. This means that by adding scripts and request infrastructure we are potentially opening up more areas of our application to exploitation.
The increased “attack surface” is the result of upping the complexity of the client-side interface, but also of the additional server-side scripting needed to provide the required functionality. The analogy being thrown around at the moment is that Web 1.0 is more like a house with no windows, just one big door. In this model you can spend time putting great big locks and beefy security on that one big door. Web 2.0 introduces new windows that have to have equal security to secure the whole house.
The model of Web 2.0 is fairly new, and has no real official practices available for the average “joe” programmer to identify. Most scripts appearing online and in recent books are not intended for “Production Ready” sites. Often the average “joe” will be implementing a whole bunch of server-side and client-side scripts without having the correct models to secure those scripts.
Before rushing out and implementing dozens of scripts to perform AJAX, think of the potential security risks associated with creating those “windows” in your application and how you will treat the requests and any sensitive responses.
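The “windows” point above, as an added example (not code from the original article): a cart endpoint added for AJAX that skips the session check the page handler performs, next to a route table that applies one guard to every handler and re-validates input on the server. All handler names, paths and data are constructed for illustration.

```javascript
// Constructed sample data; every name and path below is hypothetical.
const sessions = new Map([["sid-alice", "alice"], ["sid-bob", "bob"]]);
const carts = new Map([["alice", ["book"]], ["bob", ["lamp"]]]);

// The "door": the classic full-page handler checks the session first.
function cartPage(req) {
  const user = sessions.get(req.sessionId);
  if (!user) return { status: 401, body: "login required" };
  return { status: 200, body: "Cart: " + carts.get(user).join(", ") };
}

// An unlocked "window": an AJAX endpoint added later that trusts a
// client-supplied user name and never looks at the session.
function cartJsonWeak(req) {
  return { status: 200, body: JSON.stringify(carts.get(req.query.user) || []) };
}

// Hardened: one guard holds the session check, and the route table applies
// it to every handler, so no endpoint is registered without it.
function guarded(handler) {
  return (req) => {
    const user = sessions.get(req.sessionId);
    if (!user) return { status: 401, body: "login required" };
    return handler(req, user); // identity comes from the session only
  };
}

const routes = new Map([
  ["/cart", guarded((req, user) => ({ status: 200, body: "Cart: " + carts.get(user).join(", ") }))],
  ["/ajax/cart", guarded((req, user) => ({ status: 200, body: JSON.stringify(carts.get(user)) }))],
  ["/ajax/add", guarded((req, user) => {
    const item = String((req.query || {}).item || "");
    // Validate on the server even if client-side script already did.
    if (!/^[a-z0-9 -]{1,40}$/i.test(item)) return { status: 400, body: "bad item" };
    carts.get(user).push(item);
    return { status: 200, body: JSON.stringify(carts.get(user)) };
  })],
]);

function dispatch(path, req) {
  const handler = routes.get(path);
  return handler ? handler(req) : { status: 404, body: "not found" };
}
```

The weak endpoint returns bob's cart to a caller with no session at all, while every path in the route table answers 401 until the session check passes and ignores any user name sent by the client.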





