Top 10 Web 2.0 Attack Vectors

Fred writes, "HNS is running a story about Web 2.0 and the new attack vectors it opens up. Worms of the Yamanner, Samy, and Spaceflash types are exploiting client-side AJAX frameworks, providing new avenues of attack and compromising confidential information. On the server side, XML-based Web services are providing distributed application access through Web services interfaces and opening up new vulnerabilities in the process." The article is spread over 6 short pages and there is no printer-friendly URL.
This discussion has been archived. No new comments can be posted.

  • No substance (Score:5, Interesting)

    by suv4x4 ( 956391 ) on Monday October 09, 2006 @04:02PM (#16368913)
    Most of those "attack vectors" boil down to injections and non-validated data, AKA "don't trust the user input". I don't know how they managed to multiply one single flaw into so many "vectors".

    And there's also this "attacking scripts in RSS": what was this supposed to mean? My RSS readers don't execute script in RSS. No examples, no links.

    One more talked about hijacking confidential information from a bank cookie. No example how this is done, just the author assumes we know how to automatically sniff the cookie, and that the bank doesn't use server-side sessions like 99% of them out there, but stores it all in a plain cookie.

    Basically the article is not as fun or informative as the title suggests.
  • Re:No substance (Score:3, Interesting)

    by possible ( 123857 ) on Monday October 09, 2006 @04:13PM (#16369089)
    I think the article does have some problems of clarity, but don't be so quick to dismiss the security issues. Using Cross-site request forgery (XSRF) against a vulnerable application, I can use a page with a hidden form (submitted automatically with JavaScript) to launch a silent cross-domain POST to your online bank (changing your password). Even if your online bank uses server-side sessions, the browser is nice enough to automatically send its cookies with my POST request. Chances are your bank is not protected from XSRF, as very few web applications are today.
  • Re:No substance (Score:4, Interesting)

    by daviddennis ( 10926 ) <david@amazing.com> on Monday October 09, 2006 @08:55PM (#16372863) Homepage
    Guess what?

    Samy's worm did exactly that.

    Relevant extract from his fascinating account [www.namb.la], well worth reading in its entirety:

    9) Finally we can do a POST! However, when we send the post it never actually adds a friend. Why not? Myspace generates a random hash on a pre-POST page (for example, the "Are you sure you want to add this user as a friend" page). If this hash is not passed along with the POST, the POST is not successful. To get around this, we mimic a browser and send a GET to the page right before adding the user, parse the source for the hash, then perform the POST while passing the hash.

    I must say I was quite impressed, not to mention frightened half to death, by what Samy went through to create his worm. It was not a simple task at all. I had thought before that nobody would waste their time doing something like this; I was, of course, wrong.

    The consequence of his story is that I changed my own social networking site [amazing.com] to become a lot more secure. I didn't like doing it because I would have preferred to let people do what they want, but that article was a real eye opener as to how dangerous that would have been.

    D
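
The server-side check the two replies above turn on, as an added example that is not part of the thread or of any site's own code: a state-changing POST is accepted only when it carries a token bound to the session and the action, not merely the session cookie. The names `issue_token`, `handle_post`, `SITE_ORIGIN` and the sample session ids are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)   # per-deployment secret, generated for this example
SITE_ORIGIN = "https://bank.example"   # hypothetical site origin

def issue_token(session_id, action):
    """Token the server embeds in the pre-POST page, bound to session and action."""
    msg = f"{session_id}|{action}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def handle_post(cookies, form, action, origin=None):
    """Return the HTTP status for a state-changing POST."""
    session_id = cookies.get("session")
    if session_id is None:
        return 401                      # no session cookie at all
    # The cookie alone proves nothing: the browser attaches it to any POST
    # aimed at this site, including one auto-submitted from another domain.
    if origin is not None and origin != SITE_ORIGIN:
        return 403                      # Origin header names another site
    supplied = form.get("csrf_token", "")
    expected = issue_token(session_id, action)
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return 403                      # token missing, or for another session/action
    return 200

def demo():
    """Run constructed requests through the check and collect the statuses."""
    cookies = {"session": "sess-alice-constructed"}
    act = "change_password"
    own = issue_token(cookies["session"], act)
    other = issue_token("sess-bob-constructed", act)
    wrong = issue_token(cookies["session"], "add_friend")
    return {
        "own_form": handle_post(cookies, {"csrf_token": own}, act, SITE_ORIGIN),
        "forged_no_token": handle_post(cookies, {}, act, "https://other.example"),
        "forged_no_origin": handle_post(cookies, {}, act),
        "other_session_token": handle_post(cookies, {"csrf_token": other}, act, SITE_ORIGIN),
        "wrong_action_token": handle_post(cookies, {"csrf_token": wrong}, act, SITE_ORIGIN),
    }

if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

The token only separates the site's own pages from other sites. As the quoted step 9 shows, script already running inside the site's origin can fetch the pre-POST page and read the hash, so the check has to be paired with filtering of user-supplied markup.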
