Attacking Web 2.0 at LinuxWorld

Researcher offers new examples of how bad guys are exploiting flaws.

At LinuxWorld today, SPI Dynamic's senior security engineer, Matt Fisher, talked about the vulnerabilities of Web 2.0. His talk, although not much different from that of his colleagues Billy Hoffman and Brian Sullivan last week at Black Hat , offered some new examples of what criminals are doing online, armed with little more than a desktop browser. Cross-site scripting attacks are the No. 1 threat, according to the Mitre organization, in part because they are so easy to do.

In particular, Fisher singled out social-networking sites. Because the site depends on user content, the site allows users to upload HTML code, and in most cases, any HTML code. Knowing this, Fisher said someone could put a malicious script code into a blog post where it would sit until someone came along and read it. What bad could possibly happen from that, you might wonder? Fisher said that when someone in a corporate environment opens it, the attacker can then execute code inside the corporate perimeter on the internal network.

If that attack is too passive, Fisher suggested another scenario. In this scenario an attacker embeds malicious JavaScript into a customer help ticket. The help ticket is archived inside the corporate network. Every time a customer-support technician opens the help ticket, the code infects his or her desktop, and potentially, the corporate network.

Unlike operating system vulnerabilities, which can be addressed with a patch, cross-site scripting attacks aren't generic; they're specific to the Web application. The key to mitigating these attacks is to limit what end users can and cannot do on the site. That sounds simple, but newer Web 2.0 sites often don't check for common, even old-school methods of attack.



Conversation powered by Livefyre

Don't Miss
Hot Products
Trending on CNET

Hot on CNET

Saving your life at speed and in style

Volvo have been responsible for some of the greatest advancements in car safety. We list off the top ways they've kept you safe today, even if you don't drive one.