
Q&A: What to Do About Web 2(.0)

In an exclusive interview, Imperva co-founder talks Web 2.0 security risks, protection strategies, and how end-user education is a waste of time

Everyone's talking about Web 2.0 security. But what can you really do about it? In an exclusive interview, Amichai Shulman, co-founder and CTO of Imperva and one of the Web's most widely recognized security researchers, spoke with Dark Reading senior editor Kelly Jackson Higgins about the emerging risks in Web 2.0, and how organizations can protect themselves.

Figure 1: Amichai Shulman, co-founder and CTO, Imperva

DR: In the spirit of Web 2.0 security education, let's define the term "Web 2.0," which seems to be a moving target sometimes. How do you define these types of applications?

Shulman: We've [Imperva's Application Defense Center research group] identified three major Web 2.0 terms. The first is rich interface applications, which everyone calls Ajax, but there are other technologies involved in this... sometimes Flash, etc. These make Web apps more user-friendly and GUI-oriented, so there's less clicking.

The second is RSS, which is now evolving into mashups, and all this stuff. The third area is user participation -- the server-side technology, and a behavior where users build up the content and destruction of Web apps, like YouTube, MySpace, LinkedIn, etc.

DR: Where among these types of Web 2.0 apps have you witnessed security threat activity?

Shulman: We've seen Ajax-enriched and user-participation type applications [targeted]. There have been some threats to mashups, but those are more client-side related threats, not in the scope of Web apps security. With a lot of application logic moving toward clients, the line between the client and server side is blurring... We're seeing all types of threats coming back in.

DR: What's the nature of the security problem with the Web 2.0 model?

Shulman: Things related to bad session management, given that access control is on the client side rather than at the server side. The same old threats here are coming back, and are stronger, because programmers are putting security logic on the client side and leaving the server vulnerable. This is a larger attack surface.

Because this type of app is composed of much smaller modules, each having a specific function, it needs to be secured, and the probability of having an unsecured module rises... And with Ajax, an administrator doesn't see the URL generated by your client app. Everything happens behind the scenes... It becomes really hard to understand the logic and structure you have to protect.

It's not that Web 2.0 is introducing new vulnerabilities, but making app security harder to implement.

DR: So what specific vulnerabilities can these applications have?

Shulman: We're seeing more session management issues... An unauthenticated client can join the access-protected areas of the server. Forceful browsing to bypass authentication is probably the most common of the [session management-type] attacks.

Basically, the attackers are subverting the application logic but not following the flow as was intended by the programmers. SQL injection is big, as is parameter-tampering. Other types of threats are cross-site scripting [XSS], cross-site request forgery [CSRF]. XSS happens when the client-side logic regards information from the server as something that should be executed... While XSS existed before Ajax apps, it has become more common with them. The same goes for user-participation type apps. The more users affect the content of the site and are able to put JavaScript into the site, the more mobile code can be executed on the client side.

DR: What recent attacks best illustrate the Web 2.0 security threat?

Shulman: The most famous incident was the Samy worm in MySpace. And there was a Gmail XSS and CSRF vulnerability that abused some Google capabilities.

DR: What technologies today can help protect organizations from Web 2.0-based attacks?

Shulman: For the past two years, the way to protect Web apps has been with Web app firewalls. But can they handle the threat scenarios of Web 2.0?

DR: Not all WAFs are equipped for this. What features do they need?

Shulman: They [need to] mitigate session management, parameter-tampering, cookie-tampering, which our products do. We [Imperva] also have a strong XSS and CSRF engine, and a profiling engine, so you don't have to know your app in order to protect it.

DR: Should end users be taking some of the responsibility for security with these apps?

Shulman: I don't believe in user education. I spent my first few years [in this industry] trying to educate users in the military on security... That should be easier, but it never worked. There's not much you can do with user education.

DR: What are some best practices you recommend for mitigating Web 2.0 attacks?

Shulman: This should be a high priority for anyone launching Web-based apps in the next two years.

Always have your security logic on the server. Sanitize user input prior to use. Augment your internal application security with an external Web application firewall.

Input sanitation is probably the most prominent of all. That is, remove from user input any characters that are not expected per that specific input. But although this is a key mitigation technique, it is hard to implement in real-world applications, where you have thousands of input fields with different characteristics.

Another key mitigation technique is proper session management using session cookies with a random value.

I think application owners need to be sure apps are safe, and not vulnerable to XSS and CSRF and that they have proper session management. They can do this by building better apps, which is hard, or by using Web application firewalls.

And 50 percent of the solution is understanding the problem.
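The three practices Shulman lists (security logic on the server, per-field input sanitization, random session cookies) in one small server-side request handler. This is an added illustration, not code from the interview or from Imperva; the field names, allowlists, paths and the in-memory session store are constructed for the example.

```python
import re
import secrets

# Per-field allowlists: each input keeps only the characters expected for that
# specific field. The field names and character sets are a constructed example.
FIELD_SPECS = {
    "username": (re.compile(r"[^A-Za-z0-9_]"), 32),
    "zip_code": (re.compile(r"[^0-9]"), 10),
    "comment": (re.compile(r"[^A-Za-z0-9 .,!?'-]"), 500),
}
PROTECTED_PATHS = {"/account", "/admin"}
SESSIONS = {}  # server-side session store: session id -> session state


def sanitize(field, value):
    """Strip characters outside the field's allowlist, then cap the length."""
    if field not in FIELD_SPECS:
        raise ValueError(f"unknown field: {field}")
    disallowed, max_len = FIELD_SPECS[field]
    return disallowed.sub("", value)[:max_len]


def create_session(user):
    """Issue a random, unguessable session id and a per-session CSRF token."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token(sid):
    """Token the server embeds in forms it renders for this session."""
    return SESSIONS[sid]["csrf"]


def handle_request(path, cookies, form=None):
    """Server-side enforcement: the client UI may hide links or pre-validate
    fields, but access control, CSRF checks and sanitization are decided here."""
    sid = cookies.get("sid", "")
    session = SESSIONS.get(sid)
    if path in PROTECTED_PATHS and session is None:
        return 401, "authentication required"  # blocks forceful browsing
    if form is None:
        return 200, "ok"
    # State-changing request: token must match the one bound to this session.
    supplied = form.get("csrf", "").encode()
    if session is None or not secrets.compare_digest(session["csrf"].encode(), supplied):
        return 403, "missing or invalid CSRF token"
    cleaned = {k: sanitize(k, v) for k, v in form.items() if k in FIELD_SPECS}
    return 200, cleaned
```

Note that nothing in the client's request is trusted: the session id is looked up server-side, the CSRF token is compared in constant time, and every known field is filtered against its own allowlist before use.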

Imperva tomorrow will announce a free March 14 Webinar on best practices for Web 2.0 applications, plus a free White Paper that spells out the specific vulnerabilities and how to prevent falling victim to them.

— Kelly Jackson Higgins, Senior Editor, Dark Reading
