Web 2.0: Twice the fun, twice the vulnerabilities

LAS VEGAS ' Browsers are being used in unexpected ways to support Web 2.0. This means that interactive Web applications are subject to the same vulnerabilities as client-server applications, as well as some new ones that developers might not have considered.

A case in point: Developers are using JavaScript as a transport format for Web data as a means of getting around the Same Origin Policy built into browsers. Browsers use the Same Origin Policy to ensure that one Web site does not use a third-party browser to gather information from a second Web site, said Brian Chess, chief scientist and founder at Fortify Software. Browsers partition information from different sites. But the policy assumes that information will be in HTML. The JavaScript in AJAX gets around that.

'It's very creative,' Chess said. But it also opens some Web sites to an exploit called JavaScript Hijacking. 'It's an unforeseen consequence of what sounds like a good idea.'

Chess is at this week's Black Hat Briefings security conference, pounding the drums for secure software development to help prevent such unintended consequences.

The current model of securing information technology systems by constantly adding more tools on the network or on the host is unsustainable because increasingly interactive applications by their nature find ways around or through these static defenses, Chess said. The new model for security should be software that can defend itself, he said.

JavaScript Hijacking, described earlier this year in a paper from researchers at Fortify Software, is an example of failure of traditional security. AJAX (Asynchronous JavaScript and XML) is a tool for writing software to enable the interactive components of Web 2.0, such as mashups, but it introduces security weaknesses.

'An application can be mashup-friendly or it can be secure, but it cannot be both,' the researchers write. 'The loophole in the Same Origin Policy is that it allows JavaScript from any Web site to be included and executed in the context of any other Web site. Applications that are built to be used in a mashup sometimes invoke a callback function at the end of each JavaScript message. A callback function makes a JavaScript Hijacking attack a trivial affair.'

Chess said there are demonstration exploits of such hijacking attacks, but he does not know if they have been found yet in the wild.

Not coincidentally, Fortify makes tools that aid in creating secure software by examining software in the development stage, examining its behavior for quality assurance and monitoring performance once it is in production.

Chess said he sees reason for hope in the current status of programming.

Overall, 'software developers are getting better,' he said. 'Some get it, and some don't.'

One company that he said gets it is Microsoft, which established its trustworthy computing initiative to save its reputation in the face of widespread dissatisfaction with buggy programs. The Windows Vista operating system is the first major product developed under the initiative to be released. Whether it results in a more secure operating system is yet to be seen, but the process has been changed, in large part because of public demand, Chess said.

'The public is catching on' due to the high visibility of identity theft and electronic-voting concerns, he said. 'People are increasingly intolerant of somebody just saying 'oops' ' in the wake of a security failure.

But the ability of public opinion to change development practices is limited outside of the consumer market.

'In the federal space it is coming on a little slowly,' Chess said. And the government is a major software developer. 'One of the things I am amazed at is the number of people there writing software.' Changing government development processes is a long, slow job, he said.

Chess is demonstrating different approaches to software security by hosting the Iron Chef Black Hat competition at this week's briefings. Two Fortify engineers will go head to head analyzing a surprise piece of mystery code for flaws. As an added fillip, the audience ' usually an interactive bunch at Black Hat ' will get the code at the same time so they can test themselves against the engineers.

About the Author

William Jackson is a Maryland-based freelance writer.

inside gcn

  • blockchain (whiteMocca/Shutterstock.com)

    What legislators are learning about blockchain

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group