
Malware, by the Script

Malicious scripts are yet another danger for Web apps, namely Web 2.0-based ones

There's really no way to prevent malicious scripts from being uploaded to most of today's Web 2.0-based sites. These sites, which allow users to create their own content, are wildly popular for social networking, blogging, and other interactive, community-based activities, but they can harbor some wild exploits, too. (See The Web App Security Gap.)

Luckily, most Web 2.0 exploits thus far have been fairly benign, such as worms, says Matt Fisher, a security engineer for SPI Dynamics, who discussed the latest Web application threats at the Computer Security Institute's 33rd Annual Conference and Expo in Orlando. "But what if someone were to use [Web 2.0] maliciously?" he says, such as with a zero-day browser bug like the recent VML one. (See Security Management in Flux and ZERT Issues 'Stopgap' IE Patch.)

It doesn't have to be a zero-day exploit to be dangerous, either. An attacker could use JavaScript and create a keystroke logger, for instance, which captures a user's keystrokes to steal his or her password. "I know people working on that right now," Fisher says. "It's a perfectly solid concept."

John McCormack, senior vice president of product development at Websense, says Web 2.0-based sites such as MySpace aren't in the business of screening or censoring content. "So those environments open up a rich vector for people who have malicious intent to put bad content in," he says, adding that catching scripting malware is an area Websense is working on.

Websense today can find some scripting errors, he says, such as JPEG exploits.

SPI Dynamics' Fisher says Web 2.0 sites have so much content that it's not feasible for them to sort through their pages for malicious content. And script injection has evolved from attackers simply stealing a session ID or page value to a remote man-in-the-middle attack with cross-site scripting (XSS), he says. (See Hackers Reveal Vulnerable Websites.)

"We see a lot of SQL injection out there. It's bad because it's a direct attack against the application."

So how do you protect yourself from these types of Web attacks? Fisher recommends penetration testing and quality assurance testing of Web apps before deploying them. "It's really important to find and fix bugs" at this stage.

Fisher says Web applications are being targeted because most security people are not software developers and vice versa, so it takes some training on both ends to properly secure your Web apps.

Meanwhile, another CSI speaker separately echoed the theme of securing applications at the host. "All the controls we have in perimeter security now, everything we do there now shrinks to the host," says Brian O'Higgins, CTO for host-based IPS vendor Third Brigade. "Perimeters are porous, so we have to protect our hosts."

— Kelly Jackson Higgins, Senior Editor, Dark Reading
