Web 2.0 opened new horizons for web technologies and enabled online communication through platforms built to facilitate sharing and interaction among users. This new technology also introduced various risks and security vulnerabilities. The top Web 2.0 security vulnerabilities are: Insufficient Authentication Controls, Cross Site Scripting, Cross Site Request Forgery, Phishing, Information Leakage, Injection Flaws, Information Integrity, and Insufficient Anti-automation.
This article describes the types of web vulnerabilities introduced by the revolution of Web 2.0 technologies and outlines some of the steps required to implement web security correctly. The article scratches the surface of the many issues and challenges created by the Web 2.0 revolution and lays out the security risks that face organizations and individuals in today's online environment.
Web 2.0 is the term given to describe a second generation of the World Wide Web that is focused on the ability for people to collaborate and share information online. Web 2.0 represents the transition from static HTML web pages to a more dynamic web that is more organized and is based on serving web applications to users. Other improved functionality of Web 2.0 includes open communication via web-based communities of users, and more open sharing of information. Other components of Web 2.0 are Blogs, Wikis, and Web Services.
Some of the major characteristics often noted as descriptive of Web 2.0 that show a clear distinction from Web 1.0 technologies are the following:
- Ajax and other new technologies
- Google Base and other free Web services
- RSS-generated syndication
- Social bookmarking
- Wikis and other collaborative applications
- Dynamic as opposed to static site content
- Interactive encyclopaedias and dictionaries
- Ease of data creation, modification or deletion by individual users
- Advanced gaming.
The above characteristics show that the Web 2.0 generation has created a highly interactive, sophisticated and increasingly mission-critical platform. As businesses embrace Web 2.0 technologies and harvest benefits such as cost savings, better communications and improved employee morale, it is important that enthusiasm does not result in ignorance of the associated risks. Increasing the ways to collaborate gives employees a greater opportunity to leak sensitive information to places it should never go.
The majority of organizations and other entities recognize that a new approach to security is needed in this era of web collaboration, and web security has to be a high priority for many organizations to implement. While Web 2.0 offers many advantages in terms of enriching the Internet, improving the user experience, and creating web-based communities, it also opens the door to new propagation methods for malicious code. For example, Web 2.0 platforms enable individuals to upload web content, and as such these sites are easily susceptible to hackers wishing to upload malicious content. Once the malicious content has been uploaded, regular visitors to the site can also be infected.
Web 2.0 Security Vulnerabilities
The use of a Web 2.0 platform for malicious purposes exploits various browser vulnerabilities and uses AJAX technology to download and execute a potentially malicious Trojan from a remote server: simply by visiting the site, without taking any further action, visitors' machines are infected. Another good example of a Web 2.0 security concern is online banner advertisements that exploited a Windows vulnerability and infected millions of users with spyware. Their machines silently downloaded a Trojan program that installed adware, bombarding the user with pop-up ads and tracking web usage.
In order to protect users from malicious AJAX queries, organizations and enterprises require security solutions that are capable of analyzing each web request through real-time code analysis of web content. Such analysis can be performed on the gateway between the browser and the web servers, and this method has proven to be an effective security solution since it analyzes each and every piece of content, regardless of its original source. Such an approach ensures that malicious content does not enter the network even if its origin is a highly trusted site. Moreover, understanding what the code intends to do before it does it adds a significant and crucial layer of defense that prevents such attacks.
To protect against today's highly sophisticated web threats, organizations and enterprises should adopt a multilayer approach in which both proactive (e.g. real-time inspection) and reactive (e.g. signature-based) security technologies are implemented. The use of multiple security solutions must become a standard approach for any organization to protect its internet-connected assets.
Many security reports have revealed the top Web 2.0 security threats. Such reports are designed to serve as a guideline for assessing the risk involved in using Web 2.0 tools in the workplace, and they look at the types of vulnerabilities that Web 2.0 can bring to a business environment. In addition, these reports show that improper use of the new technologies could lead to nightmares down the road, and that serious security measures are needed to address the security challenges posed by Web 2.0 technologies. The reports promote awareness, industry standards, best practices, and interoperability issues related to the use of the new tools in the workplace. The following are the top Web 2.0 security vulnerabilities:
- Insufficient Authentication Controls – The system design of Web 2.0 applications can be exploited by hackers, who may gain access to a greater number of administrative accounts whose passwords can often be easily cracked if the correct security controls are not in place. These systems may also use a single-sign-on environment, which can make attacks easier.
- Cross Site Request Forgery (CSRF) – With this attack, victims visit what appear to be innocent-looking web sites that contain malicious code which generates requests to a different site instead. With the use of AJAX, Web 2.0 applications are potentially more vulnerable to this type of attack. Web 2.0 systems lack visual feedback, and as such make this attack less apparent.
- Phishing – Although phishing is not a risk associated only with Web 2.0 technologies, such new technologies make it harder for consumers to distinguish between genuine and fake web sites, and as such enable more effective phishing attacks.
- Information Leakage – Web 2.0 brought a new lifestyle that has begun to blur the lines between work and private life, and because of this psychological shift, individuals may inadvertently share information their employer would have considered sensitive. Also, the accumulation of many small, individually non-sensitive disclosures can allow a business's competitors to gain intelligence about the company and use it against the business.
- Information Integrity – Data integrity is one of the key elements of data security. Although a hack could lead to loss of integrity, so can unintentional misinformation. In a business environment, having systems open to many users allows malicious or mistaken users to post and publish inaccurate information which destroys the integrity of the data.
- Insufficient Anti-automation – The programmatic interfaces of Web 2.0 applications make it easier for hackers to automate attacks. Anti-automation mechanisms such as CAPTCHAs can help slow down or frustrate these types of attacks.
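To make the CSRF item concrete, here is an added example (not from the original article) in Python of a state-changing endpoint in its vulnerable form, which trusts the session cookie alone, beside a hardened form that also checks the Origin header and a per-session synchronizer token. The in-memory session store, the request shape and the `https://bank.example` origin are constructed for the illustration.

```python
import hmac
import secrets

SITE_ORIGIN = "https://bank.example"  # assumed origin of our own application
SESSIONS = {}  # constructed in-memory session store: session id -> data


def login(user):
    """Create a session and bind a fresh, unguessable CSRF token to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def transfer_vulnerable(request):
    """Vulnerable: trusts the session cookie alone, so any page the victim
    visits can have the browser send that cookie with a forged request."""
    session = SESSIONS.get(request["cookies"].get("sid"))
    if session is None:
        return 401, "not logged in"
    return 200, f"{session['user']} sent {request['form']['amount']}"


def transfer_hardened(request):
    """Hardened: the same login check, plus an Origin check and a
    synchronizer token that only pages served by our origin can embed."""
    session = SESSIONS.get(request["cookies"].get("sid"))
    if session is None:
        return 401, "not logged in"
    if request["headers"].get("Origin", "") != SITE_ORIGIN:
        return 403, "cross-site request rejected"
    token = request["form"].get("csrf_token", "")
    # Constant-time comparison so the token cannot be guessed via timing.
    if not hmac.compare_digest(token, session["csrf"]):
        return 403, "missing or invalid CSRF token"
    return 200, f"{session['user']} sent {request['form']['amount']}"


def cross_site_request(sid):
    """Request produced from another site: the browser attaches the victim's
    cookie, but that site can neither read the token nor spoof Origin."""
    return {"cookies": {"sid": sid}, "headers": {"Origin": "https://other.example"},
            "form": {"amount": "1000", "to": "bob"}}


def same_site_request(sid):
    """Form submitted from our own page, carrying the session's token."""
    return {"cookies": {"sid": sid}, "headers": {"Origin": SITE_ORIGIN},
            "form": {"amount": "1000", "to": "bob",
                     "csrf_token": SESSIONS[sid]["csrf"]}}
```

Note that the Origin check alone is not enough on its own for older browsers that omit the header, which is why the token check is kept as the primary control.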
Essential Steps toward Web Security
Organizations and enterprises recognize that a new approach to security is needed to address the threats introduced by the implementation of Web 2.0 technologies, and such threats will never stand still. There are certain steps that organizations have to follow to promote best practice in web security, and some of these steps are:
- The best web security starts with policy – Creating a sensible policy is not difficult. Organizations have to make sure everyone understands and accepts the rules, enforce the policy with technology at every gateway, set up monitoring rules to detect possible misuse, and continually review the policy to stay current with changes in the way the web is used.
- Fine tune the policy – When it comes to policy, one size doesn't fit all. An organization's policy should reflect the way it does business, and it is sensible to tailor policy to fit the business. The bottom line is that policy should dictate your technology, not the other way around.
- Attack spyware from multiple angles – Spyware is one of the more annoying web hazards, and organizations have to fight it from three directions:
a- Stop it at the gateway with automated filtering and spyware profiling.
b- Stop it at the desktop by scanning regularly to eradicate embedded spyware.
c- Prevent it from reaching users by proactively detecting and stripping active content, even from usually trusted sources.
- Block undesirable websites – Organizations and enterprises have to use URL filters to block the site categories the policy demands, such as gambling, pornography, remote proxies, malware and phishing sites. The filter should also be supplemented with dynamic real-time categorization, a blacklist, and an exception white-list.
- Break open container files – An innocent-looking spreadsheet could carry an embedded virus, a presentation could deliver a spyware payload, a word document could become the infection vector through embedded active content, and a zip file could conceal any number of files that might infect an organization's network. An organization's web security must be able to decompose container files like these in order to scan for deeply embedded content. Hidden information in documents should be transparently removed at gateways to prevent data leakage.
- Watch your uploads – Companies that defend against the threats involved with web downloads are often vulnerable to threats traveling in the reverse direction. Organizations have to ensure that security defenses are implemented in both directions.
- Social networking and productivity – Many organizations and enterprises have been quick to recognize and exploit the benefits of social-media tools to improve customer relations. Also, organizations increasingly understand that Web 2.0 tools can improve employee relations. It’s important that such technology be balanced with productivity by including browsing schedules and time quotas in the organization’s web security policy.
- Monitor all web activity – Web security in any organization should include comprehensive monitoring, reporting and analysis. Good monitoring and reporting will let organizations spot suspicious activity early, revise their policy when needed, and improve allocation of resources.
- Simplify policy enforcement – Web security can encumber the entire IT department of any organization unless it is simplified, automated and streamlined. Deploying, updating, managing and monitoring processes need to be designed with the real world in mind. Over-complicated or poorly integrated web security not only wastes time and resources, it weakens an organization's defenses. Proper policy enforcement should integrate with the environment to simplify the way enforcement is performed, improve detection accuracy, and reduce the number of incidents to be managed.
- Innovate and grow business – Balancing the requirements for strong network security with the need to harness collaborative web technologies is essential for business growth. Organizations and enterprises need to exploit and benefit from modern web technologies and services, while ensuring that company networks remain fully protected against incoming threats and data leakage.
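The "Break open container files" step above is the one most easily shown in code. The following added example (not from the original article) is a gateway-style scanner in Python that walks a zip container recursively, flags entries that match a constructed policy (VBA macro storage, OLE/ActiveX parts, executable file names) and descends into nested archives with a depth limit; the docx-like sample archive is constructed inline.

```python
import io
import zipfile

# Assumed policy: name fragments that indicate active content, and file
# suffixes that indicate an executable payload (constructed for this example).
ACTIVE_CONTENT = ("vbaproject.bin", "activex", "embeddings/oleobject")
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".js", ".vbs", ".hta", ".scr")
MAX_DEPTH = 5  # guard against endless nesting / decompression bombs


def scan_container(data, path="", depth=0):
    """Return a list of (entry path, reason) findings for every flagged
    entry, recursing into any entry that is itself a zip container."""
    if depth > MAX_DEPTH:
        return [(path, "nesting depth exceeded")]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []  # not a container: hand it to the regular file scanner
    findings = []
    for info in zf.infolist():
        full = f"{path}/{info.filename}" if path else info.filename
        lower = info.filename.lower()
        if any(marker in lower for marker in ACTIVE_CONTENT):
            findings.append((full, "embedded active content"))
        elif lower.endswith(EXECUTABLE_SUFFIXES):
            findings.append((full, "executable payload"))
        payload = zf.read(info)
        # Nested archives are decomposed too, so nothing hides one layer down.
        if zipfile.is_zipfile(io.BytesIO(payload)):
            findings.extend(scan_container(payload, full, depth + 1))
    return findings


def build_sample():
    """Constructed sample: a docx-like archive carrying a VBA project and a
    nested zip that conceals an executable with a misleading double extension."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("invoice.pdf.exe", b"MZ constructed placeholder")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("[Content_Types].xml", b"<Types/>")
        z.writestr("word/document.xml", b"<w:document/>")
        z.writestr("word/vbaProject.bin", b"constructed macro blob")
        z.writestr("attachments/archive.zip", inner.getvalue())
    return outer.getvalue()
```

A gateway would block or strip the flagged entries and let the rest of the document through; the same walk is also where hidden metadata would be removed before delivery.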
The web is a highly interactive, sophisticated and increasingly mission-critical platform. As businesses embrace Web 2.0 technologies and their benefits, such as cost savings, better communications and improved morale, it is important that enthusiasm does not result in ignorance of the risks involved with such technologies.
The evolution of the Internet has had a profound effect on the way businesses and individuals work and communicate. While Web 2.0 and AJAX have greatly enhanced the user experience and added important business functionality, they also introduce opportunities for hackers to invisibly inject and propagate malicious code.
Reactive signature-based solutions are not designed to detect these types of dynamic malicious web scenarios, and as such they are not enough on their own to provide protection against modern hacking methods. The prevailing assumption that an anti-virus or URL filtering lab can get its hands on each and every piece of malicious code and create a signature no longer holds against today's web threats. On the other hand, real-time security solutions, which are able to analyze web content on the fly as it arrives and detect whether or not it is legitimate regardless of its source, are the critical solutions to stop these threats.
Finally, with the implementation of Web 2.0 in the workplace, it is important that organizations have a good understanding of the types of risks involved. That said, while Web 2.0 may present different types of challenges, those are not necessarily any worse than the risks involved with legacy applications. The opportunities that Web 2.0 technology can provide to a business make overcoming these potential threats worth the effort.