The term Web 2.0 is certainly over-marketed, but nobody denies that web 2.0 sites are quite 'sexy'. Both users and developers have fallen in love with Ajax, the technology behind many new sites. But what is the impact in terms of security? For a security expert, the following questions arise: Is the web 2.0 safer than before? Can a web 2.0 application be protected by a web application firewall? Is it harder to protect than a traditional web application? And last, but not least: How does Airlock help to achieve maximum security in this new era?
The term Web 2.0 has been (mis-)used for all sorts of things. I will not even try to give you a definition here. I just want to highlight two aspects of typical web 2.0 sites that are relevant for security considerations.
One of the characteristics of popular web 2.0 sites is that much of their content is provided by their users. Whether it is a personal profile page on a social network or a blog entry with all its reader comments: a web 2.0 site often just offers a framework in which the users define the majority of the site content.
The security impact is that validation of user input becomes crucial. One of the most dangerous attacks against inadequate input validation is Cross-site Scripting (XSS). This is nothing new - XSS has been in the top ten vulnerabilities list for many years. But with the rising popularity of user-driven sites, XSS will become even more important.
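The input validation point above, as an added example that is not taken from the article or from Airlock: a reader comment rendered the unsafe way, beside a version that encodes each user-supplied field for the HTML context it lands in. The comment object and its field names are constructed for this example.

```javascript
// Constructed sample comment: the author name, profile URL and body are all
// user-controlled, each aimed at a different HTML context of the page.
const sampleComment = {
  author: 'mallory" onmouseover="alert(1)',
  profileUrl: 'javascript:alert(1)',
  body: 'Nice post! <script>alert(1)</script>',
};

// Vulnerable: string concatenation puts raw user input into a URL attribute,
// a plain attribute and HTML text without any encoding.
function renderCommentUnsafe(c) {
  return '<div class="comment">' +
    '<a href="' + c.profileUrl + '" title="' + c.author + '">' + c.author + '</a>' +
    '<p>' + c.body + '</p></div>';
}

// HTML text and double-quoted attribute context: encode the five characters
// that can change the markup structure.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, ch => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// URL attribute context: escaping alone is not enough, because a javascript:
// URL is harmless to the parser but still executes. Allow only absolute
// http(s) URLs and replace anything else with an inert link target.
function safeHref(url) {
  try {
    const u = new URL(String(url));
    if (u.protocol === 'http:' || u.protocol === 'https:') return escapeHtml(u.href);
  } catch (e) { /* not a parseable absolute URL */ }
  return '#';
}

// Hardened: every field is encoded for exactly the context it is inserted into.
function renderCommentSafe(c) {
  return '<div class="comment">' +
    '<a href="' + safeHref(c.profileUrl) + '" title="' + escapeHtml(c.author) + '">' +
    escapeHtml(c.author) + '</a>' +
    '<p>' + escapeHtml(c.body) + '</p></div>';
}
```

The same rule applies to the Ajax case: data pulled from a JSON response must be treated as untrusted text when written into the page, not as markup.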
Most sites use Ajax to improve the user experience, and some of them achieve a behaviour close to that of a native (rich client) application. By updating parts of an HTML page dynamically, both the speed and the usability of an application may be improved. So much for the users' benefit.
Security experts agree that Ajax opens a few new attack doors like the XMLHttpRequest object. The JSON attacks found at the beginning of 2007 have shown that a majority of the Ajax frameworks were vulnerable to a new class of attacks.
The classic vulnerabilities are still there, but they are easier to find and to exploit: because part of the logic is sent to the browser (possibly including documentation), internal information is readable for anyone. Such a "JavaScript-centric" application serves its implementation source code to the attacker on a plate. This helps a lot, as early as the reconnaissance phase of a forceful browsing attack!
The unique URL encryption feature of Airlock typically does not work with Ajax requests, at least not out of the box. This is because with Ajax, the URL is often assembled in JavaScript on the client side. The only way to achieve maximum security is to manually configure additional Allow Rules for these special requests*. We are currently working on new features that help you automate this task. This includes the automatic generation of white list rules based on legitimate requests (also called learning mode).
*Please note that URL encryption can still be used as an automatic white-list protection for the application's non-Ajax parts.
Web 2.0 changes the security landscape in these areas: