There has been a tremendous shift in the usage of Internet and web applications from over a decade ago. These changes can be attributed to the development of Web 2.0 applications. The current generation of web based Internet applications are characterized by user generated content, social interaction, and collaboration, that emphasize on harnessing collective intelligence. These features have been made possible mainly by evolution of exiting tools and technologies ï€ especially Ajax. Corporations have also embraced Web 2.0 applications and this has opened new opportunities for promoting businesses and becoming successful. Unfortunately interactive nature of Web 2.0 applications has also made such applications even more vulnerable to hackers. In this paper overall characteristics of Web 2.0 have been examined and then categorized based on different technologies. Security issues and vulnerabilities of Web 2.0 applications including XSS, CSRF, DCO, and injection flaws have been identified. Especially in a corporate environment where security issues are critical, new security protocols (security 2.0) are required to complement Web 2.0. In this report few such security protocols are discussed. However until these security features are integrated within the development life cycle of an application, Web 2.0 applications will continue to remain vulnerable.
Introduction and significance of the topic
With the growing popularity of Web 2.0 applications, we are into a new generation of web applications where apart from receiving information, we also provide information. Emergence of social networking sites, blogs, and wikis has led to a seamless exchange of information within the global community of Internet users. We get to know about what is happening in our friend's life through social networking sites. With millions of users of Internet around the world, applications based on Web 2.0 have taken the front seat in web development. Apart from individuals contributing to the growth of Web 2.0 applications, organizations are also using this platform to increase their productivity and take benefits from the collaborative nature of Web 2.0 . Instead of new technologies, evolution of existing technologies has supported the growth of Web 2.0 applications. Though such websites were built on a network of trust, there are attackers who are abusing this trust. As we have become the everyday user of such Internet based applications, it is important to understand what threat this platform poses. In the context of computing environment and Internet wherein the number of people hooked to such web applications is increasingï€ hackers or third parties get more avenues to exploit vulnerabilities in the system. Being a student of web security I think it is important to find out security issues in such applications, especially because majority of popular web applications are based on Web 2.0 and thus are vulnerable.
Evolution of WWW
Origin of the Internet can be traced to a research network called Arpanet - a government funded project which was launched in 1969. Since then the Internet has undergone more than just a name change. But the real launch of Internet as a form of mass media occurred in 1995, with the release of a commercial web browser called Netscape. The World Wide Web (WWW) has experienced lots of changes and improvements regarding the content it delivers and how we deal with it. With the advancement of Internet technologies and innovations in developing web based applications, a user is not only the consumer of the content but also a participant in developing that content. The shift from Web 1.0 to Web 2.0 was further encouraged by the access of Internet via always-on broadband connectivity, mobile devices equipped with internet access and an urge to be always connected to the net.
Tim O'Reilly of O'Reilly media coined this term Web 2.0 in 2004 [1], with the primary goal of encompassing various novel phenomena occurring with the World Wide Web. "It is important to understand here that Web 2.0 is not a new technology ï€ it represents a paradigm shift in how people use it" [2]. It is about enabling and encouraging participation through open applications and services. Web 2.0 a new way of thinking which has revolutionized software development throughout its entire value chain ï€ from concept to delivery, and from marketing to support. Tim O'Reilly explained what Web 2.0 is by using seven principles or features which are considered as the core competencies of Web 2.0 applications [1, 3].
Characteristics of Web 2.0
The characteristics that Web 2.0 applications adhere to are [1, 3]:
Services, not packaged software, with cost effective scalability
In Web 2.0, software has become a service that is always on and always improving, with no installation, no version and no upgrades required. For a development organization, this shift impacts the entire software development and delivery process. The services provided by these web applications generate revenue for an organization. A very good example of such an application is Google.
Control over unique , hard-to-recreate data sources that get richer as more people use them
The service automatically gets better when more people use it. In Web 2.0 this is possible as consumers bring their own resources to improve the service. This implicitly reflects architecture of participation where the service harnesses the power of users themselves. An example of such a service is bit torrent where a user adds his/her own resources for other users.
Trusting users as co-developers
In today's Internet, success relies on the adoption of a perpetual beta development model in which software is continuously refined and improved. Users become co-developers and feedback from users help developers and organizations to make the product better.
Harnessing collective Intelligence
The concept of harnessing collective intelligence is potent and immensely powerful. It is based on the collaborative service provided by various websites. Companies like Amazon, Google, and EBay have used this concept of harnessing collective intelligence and thereby used customer inputs via features like review, blogging etcetera to further improve their service. Innovative companies that pick up on this insight and perhaps extend it even further are making their mark on the web. " Network effects from user contributions are the key to market dominance in the Web 2.0 era" [1].
Leveraging the long tail through customer self-service
"The long tail represents the collective power of small websites which constitute bulk of the Internet's content" [3,4]. Google and Overture figured out how to place advertisement on any web page which led to their success in online advertisement. "They eschewed publisher/ad-agency friendly advertising formats such as banner ads and pop ups that are not favored by consumers and replaced it with context-sensitive, consumer-friendly text advertising" [3, 4].
Software above the level of a single device
One important feature of Web 2.0 is the fact that it is no longer limited to a PC platform. It can be viewed as software above the level of single device. That means an application should be designed from the get-go with the aim of integrating services across handheld devices, PCs and Internet servers. Thus the focus while developing the application should not be dependent on any platform.
Lightweight user interface, development models , and business models
Web was being used to deliver applets and other kinds of active content within the web browser. However with unprecedented user interface innovation, web applications are being developed which are as rich as a PC based application. To succeed in Web 2.0 applications, along with simultaneous development, testing and release of new features, feedback of users is also necessary [3, 6].
Thus for any web application to be considered as web2.0, it must have the features mentioned above.
Closer Look at Web 2.0 applications
The essential difference between Web 1.0 and Web 2.0 is that Web 2.0 is more dynamic and interactive than its predecessor. Web 2.0 covers active, collaborative information rather than passive, receptive information; thus users act both as contributors and creators. "Web 2.0 is an umbrella term for several new web technologies described below" [5].
Blogs
Blogs are web sites where a user can enter their thoughts, ideas, suggestions, and comments. "Blog is short for Web log ï€ it is a powerful two-way web-based communication tool which enables an inexperienced user to become a worldwide publisher" [5]. It is the user of the application which is contributing to the content of the site by using it. "Most blogs are primarily textual, but some focus on photographs (photoblog or photolog), videos (videoblog or vlog), or audio (podcast) thus showing the richness of user interface in the web application" [5].
Wikis
In Web 2.0, the user is not just a reader of content but also a contributor to the content of web pages. "Wiki is a powerful web-based collaborative authoring system for creating and editing content" [5]. Multiple users from different geographical location can use Wiki based applications to provide content for the application. "It harnesses the power of diverse individuals to create collaborative works and supports evolvement, expansion and improvement of content incrementally over time" [5]. The user generated online encyclopedia Wikipedia is a wiki application based on MediaWiki server.
Mashups
A mashup application is created by combining information and services available on the Internet. "It lets you connect, collect and mash up anything on the web as well as data on some backend system" [5]. Mashups have become more popular with Web 2.0. Application programming interfaces (API) are used to create Mashup, one such API is Google Maps' API that can be integrated with any application that has data points. "A mashup's value isn't in the data or service itself, but in a better user interface for the data, or in its ability to combine data from several sources in interesting or significant ways" [5].
Tags, folksonomy, and tag clouds
Tagging was popularized by websites associated with Web 2.0 and is an important feature of Web 2.0 based applications. "Tags are keywords added to webpages via social page tag tools (del.icio.us) which are also known as labels" [5]. Tag is a keyword that is used to describe a piece of data which can be a word on a webpage or digital photo or any other type of media. "Folksonomy refers to user-created taxonomies of information and is inherently open ended and does not have hierarchy as in professionally developed taxonomies with controlled vocabularies" [5]. "A tag cloud is a visual depiction of a list of content tags used on a web site or blog, with some kind of visualization for each tag's popularity level" [5].
Thus we can say that Web 2.0 applications have moved the Internet forward to help and fulfill the promise of a more interactive Internet. The categories explained in this section broadly divides Web 2.0 applications based on a specific feature the application insists on.
Building blocks of Web 2.0 Applications
We have seen popularity of Web 2.0 applications in two major areas; one being user-generated content and the social network around it and the other being that provides support for rich user interface for web application, giving users the feel of a desktop application instead of a web application [8]. Rich Internet Applications (RIA) has taken browser based application to a new stage which provides look and feel of desktop application.
Asynchronous Java Script and XML (AJAX) is the technical foundation of RIA. It relies on better JavaScript and DOM implementations in the browsers and the ability to use HTTP from within JavaScript along with CSS, XML, XSLT, JSON and XML HttpRequest. Gmail application of Google can be considered as among the first applications developed in Web 2.0[8]. Emergence and evolution of web-related technologies are the key drivers of Web 2.0 application and AJAX, java scripts, graphics plug-in like Flash, SOAP, Micrformats and open API are the contributor technologies for Web 2.0.
Vulnerabilities in Web 2.0 Applications
Web 2.0 has evolved and transferred the Internet into a platform by supporting rich digital media technology for the development of innovative business, educational, and cultural applications [8]. Figure 1, represents the growth of popularity in terms of daily traffic rank for Wikipedia and Flicker, both of which were built on web2.0 technologies.
Figure 1: Growth in popularity in terms of daily traffic rank, of a) Wikipedia b)Flickr [9].
The very nature of interaction and collaboration of Web 2.0 has also made it popular among hackers. Evolution of existing technologies, like AJAX, and java script also pose big security risks. "Even properly developed Web 2.0 pages can cause problem for both clients and web servers" [7]. It carries more threat than Web 1.0 as it allows a user to upload contents that can have scripting capabilities ï€ this enables a hacker to run malicious code or deliver malware. "Harmful code can include keyloggers to capture key strokes of the victim, which is subsequently sent to the hacker. It can also turn a victim's machine into remote controlled zombies that hackers could use to launch spam, denial of service or other attacks" [7].
Technologies that make Web 2.0 successful are also creating loopholes from a security perspective. Mentioned below are some vulnerabilities that lie in technologies used in Web 2.0
Ajax
Ajax yields highly interactive fast programs with responsive interfaces because much of the data request occurs outside of browser window in the background. An application user won't be able to detect any problem with Ajax code which might have been modified by a attacker while sending request to server or when response is received from server. Thus a java script code can run arbitrary server-provided code on a client with full privileges.
Mashups
As discussed in the previous topic, mashups use a set of APIs published by website providers. The APIs allows the mashups to take information from various sites and use it in more innovative and informative way. As mashup application creator does not have any control on the security feature of API thus making the mashup application vulnerable.
Social Networking
Web 2.0 applications like social networking, content sharing, blogs have exploded, thus resulting in more user contents being uploaded for subsequent download by other users. Social networking sites provide little privacy for sharing private information but overall it has also resulted in more personal information and opinions being available with fewer privacy controls. Since uploading files to such websites has increased tremendously, a hacker can also include malicious code in the uploaded file ï€ thus the user downloading such files becomes the victim.
Security Issues of Web 2.0
Today Web 2.0 technologies are ubiquitous and thus it is necessary to investigate security issues in websites based on web2.0. Top security issues can be identified as:
Insufficient Authentication control
In Web 2.0 applications, content providers are many users and not just a trusted number of authorized group. This very feature of collaboration can be exploited by hackers to gain access to an administrative account, especially if correct security controls are not in place.
Cross Site Scripting (XSS)
Majority of attacks in web2.0 use some form of cross site scripting where hackers inject malicious code into legitimate dynamically generated web pages. "They exploit application layer to sneak into web applications" [15]. Two kinds of XSS are persistent and non-persistent [15]. In non-persistent attacks malicious code is added to a web page that is generated in response to a request whereas in persistent attacks malicious code is placed on the server and gets executed whenever it is accessed. The users which download such pages become the victim of malicious code and hackers gain access privileges to the victim's system and can steal data or change user's setting. To create rich user interface Ajax based application uses javascript to send request for resources in the background without the user's knowledge. Thus javascript code can then access the response to this hidden request and can send more requests. This expanded functionality of javacript along with Ajax increases the damage of XSS attacks. "On October 4, 2005 social networking site MySpace became the first victim of XSS when a worm (code named samy worm) used cross site script to bring the website down" [10]. Initially Samy, the MySpace worm creator, added a malicious payload to his profile. Subsequently any person who visited Samy's profile got infected and the malicious payload was added to the visiting person's profile, thus making him a source of infection too. "After 20 hours, as shown in Figure 2 the infectious profiles had exceeded more than one million" [11].
Figure 2: Total number of infection from samy worm after 20 hrs [10, 11]
Cross Site Request Forgery (CSRF)
"XSS exploits the trust a user has in a website whereas CSRF exploits trust a web site has in a user" [7]. " Because of the stateless nature of http protocol, a malicious website can force the user's browser to send unauthorized request to a trusted site" [17]. In this type of attack attacker first gain access to victim's computer and then send unauthorized request to those website or application where the victim has been authenticated[7]. Attacker exploits the privileges of the victim's computer.
Dynamic Code Obfuscation (DCO)
Dynamic code obfuscation is a new way to exploit browser vulnerabilities by hiding java script exploits. "Antivirus programs and security applications use scanners and pattern-matching software to look for known malware" [7]. However with the advent of Web 2.0, in which web sites makes it easy for users to upload content, hackers use DCO to spread malicious code and thus avoid the pattern matching of antivirus softwares. "DCO uses algorithms to add randomly generated code to a java script based web page .It does not affect the rendering of a browser nor does it make the page less harmful. But it keeps pattern matching software from recognizing the malware" [7]. Spam and phishing is used to launch DCO attack via e-mail messages containing link to malicious website which looks similar to popular legitimate websites. "The malware on the site takes advantage of browser vulnerabilities such as buffer overflows to place the malware, which is wrapped in DCO code, on a victim's computer" [12].
Injection Flaws
Web 2.0 applications are vulnerable to new type of injection flaws, such as XML injection, XPath injection, javascript injection, and JSON injection because Web 2.0 replies tend to use or rely on these technologies. With increase in user inputs brings increased risk too and using only client side validation is not sufficient for mitigating such attacks as attackers can easily bypass it.
The ability of users to add code to Web 2.0 is a major security concern and is a serious issue for site developers who must ensure that the generated pages are properly encoded. The failure to develop pages securely gives hackers opportunities for DCO, data-stealing, phishing and other attacks. For example, XML syndication, which sends updated information from web sites to subscribers, automates the retrieval of content that might include malware. Mashup web sites or applications that combine content or services from more than one source connect dynamically to third-party sites that might not be well-protected. All of these attacks make the users of such application vulnerable.
Mitigating Security issues in Web 2.0 application,
With emergence of social networking sites like Facebook, Orkut, and Myspace, users do not have any idea how to protect their own user generated content or how to trust in content provided by a mashup applications. Most of the web sites are content oriented, designed for publication, storage, aggregation and syndication of information, but majority of content on social web is composed of texts [13,14].
As Web 2.0 application is flourishing on Ajax based application, the vulnerabilities of such applications have also increased as XSS exploits use of Ajax. Shanmugam and Ponnavaikko , have proposed server side solution to address XSS vulnerabilities[15]. The solution comprised of four components namely analyzer, parser, thread controller and tag clusters. This approach needs an update in the XML data, when a new threat is introduced. Moreover, the approach addresses only the basic encoding attacks. This could increase the false negatives if some other encoding mechanisms are used by the hackers which are not covered in this approach now [15].
Bin Al-Tameem et.al. have proposed another approach to mitigate or prevent Ajax based vulnerabilities[16]. This introduces a prototype tool AJAX PRO, which considers vulnerability of web service architectures based on Web 2.0 in an AJAX environment. The AJAX application employs the web page-client framework in the web services ï€ especially the widely adapted data stream is the JavaScript Object Notation (JSON) data stream. The browsers send the data feeds and updates the JavaScript. The web server replies to the users through the browsers by returning data. When this is implemented without considering security, application inputs become vulnerable. The article proposes Ajax Client that is based on Model-View-Controller (MVC) architecture, with state changes rendered in the UI and sent to/retrieved from the backing server. AJAX PRO has a package of web service codes written using JavaScript APIs. Servlets are exposed to the end user through our Ajax client [16]. A similar system proposed in literature is prototype.js, and AJAX.NET [16]. It has been claimed that AJAX PRO is more effective in vulnerability prevention than other two types.
CSRF is another vulnerability that has emerged as a potent threat for Web 2.0 applications. As mentioned in the above section in CSRF, an unauthorized request is sent to any web domain without the knowledge of user. Alexenko et. al. propose a solution to detect CSRF signatures and how such attacks can be effectively resisted even before initiation [17]. It explains a very good example of how a CSRF attack takes place in a real scenario like stock trading and shows how easy it is to penetrate modern web pages that lack CSRF security. Automatically detecting CSRF attack is nearly impossible as attack code is application specific. Once again a client side defense mechanism is proposed that will preview the html code before a page loads to detect potential CSRF attack. It will check the "action" attribute of the "form" tags for deep linking. If such a form is found, the CSRF detector will prompt the user if they want to add the pairing of the website URL where the code is located and the URL of the form action to a white list [17].This is necessary because many social networking web applications require cross domain requests to function properly. However this method is unlikely to prevent all CSRF attacks; nonetheless it will still greatly decrease the number of attacks by making them more difficult to perform.
Conclusion and Future Work
Web 2.0 evolved over the years with the primary goal of encompassing various novel phenomena of the World Wide Web. Blogs, wikis, multimedia sharing services, content syndication, podcasting and content tagging service are Websites that are based on Web 2.0 and popularity of all these services has grown tremendously in recent years. Collaboration and user generated content are two important features of Web 2.0 which make it more vulnerable to attack. Emergence and uses of a new generation of Web-based technologies and standards including AJAX, java scripts, and graphics plugins like Flash, SOAP, Micrformats and open API introduce new security issues. Various types of attacks that can be launched against Web 2.0 applications are XSS, XSRF, injection flaws, phishing, and code injection by third parties in communication. Maintaining confidentiality and integrity of information is also a challenge. Few solutions that have been proposed in literature have been discussed here; however the effectiveness of these solutions could not be confirmed because of lack of evidence. Thus while developing an application, the need for Web 2.0 must be justified and use of AJAX should be used when improved user interface experience is required. Also vulnerabilities of an application should be analyzed by considering each security issue that arose with use of Web 2.0 technologies. Proper security mechanism must be implemented to prevent exploitation of those vulnerabilities. Until security is part of the complete application development cycle, web2.0 applications remain insecure.
Also discussed in this paper are steps an organization must take to incorporate second generation security protocols (security 2.0) in Web 2.0 applications. Some security issues that have been proposed in literature have been discussed here. However a complete solution for preventing attacks on Web 2.0 applications is not available, especially because the technologies are emerging and hackers are getting new avenues to exploit those technologies ï€ thus making it a never ending game of cat and mouse.
