Web 2.0 security
Kushal Karanjkar
Under guidance of Prof. Richard Sinn
What is Web 2.0?
• Second generation of the World Wide Web.
• Transition of the World Wide Web into a computing platform: social networking sites, communication tools and other Internet-based services.
• Download and upload (distributed development).
• Simple, interactive, attractive.
• Examples: Facebook, Wikipedia, MySpace, eBay.
Web 2.0 Architecture (diagram slide; components shown)
• Content sources: news, documents, RSS feeds, email, blogs.
• Web client: Ajax, Flash (RIA), HTML/CSS, JS, DOM; scripted web engine.
• Transport: SOAP, REST, XML-RPC over HTTP/HTTPS across the Internet.
• Server side: web server, web services (SOA/SaaS, API), application server, database, web service endpoint.
Web Security Threats
• Cross-site scripting
• XML poisoning
• Malicious Ajax code execution
• RSS injection
• Dynamic code obfuscation
• WSDL scanning and enumeration
• Client-side validation in Ajax routines
• Web services routing
• Parameter manipulation
• XPath injection in SOAP messages
Dynamic Code Obfuscation
• Attack: code obfuscation using an encryption algorithm.
  - The attacker places encrypted code on the user's computer and destroys the user's data.
  - The actual (malicious) code embedded in the web page is difficult to detect.
  - Anti-virus products cannot detect it.
• Solution: de-obfuscation, a reverse-engineering process in which the obfuscated code is decrypted back to the original code.
Dynamic Code Obfuscation (diagram slide): Network De-Obfuscator placed in front of the SECURED WEB SITE.
!! WARNING !! Demo: Network De-Obfuscator
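The de-obfuscation idea above, as an added example that is not the presentation's Network De-Obfuscator: a small static de-obfuscator in JavaScript that peels three common obfuscation layers (percent-encoded literals passed to unescape()/decodeURIComponent(), String.fromCharCode() of numeric lists, and eval() of a plain string literal) without ever executing the script, and reports which suspicious indicators were present before and after peeling. The two obfuscated samples are constructed here and carry harmless payloads.

```javascript
// Added example (not the presentation's tool): static de-obfuscation of common
// JavaScript obfuscation layers. Nothing here evaluates the input, so it can be
// run on untrusted page content.

// Re-quote a decoded string as a valid JavaScript string literal.
function toLiteral(s) {
  return JSON.stringify(s);
}

// Layer 1: unescape("%61%6C...") -> "al..."
function decodePercentLiterals(src) {
  return src.replace(
    /\b(?:unescape|decodeURIComponent|decodeURI)\(\s*(['"])((?:%[0-9A-Fa-f]{2}|[^'"])*)\1\s*\)/g,
    (whole, quote, body) => {
      try {
        return toLiteral(decodeURIComponent(body));
      } catch (e) {
        return whole; // malformed percent-encoding: leave the call untouched
      }
    });
}

// Layer 2: String.fromCharCode(60, 115, ...) -> "<s..."
function decodeFromCharCode(src) {
  return src.replace(/String\.fromCharCode\(\s*((?:\d+\s*,\s*)*\d+)\s*\)/g,
    (whole, list) => toLiteral(String.fromCharCode(...list.split(',').map(n => parseInt(n, 10)))));
}

// Layer 3: eval("code") with a literal argument -> code (the code is NOT run)
function unwrapEvalLiteral(src) {
  return src.replace(/\beval\(\s*(['"])((?:\\.|(?!\1)[^\\])*)\1\s*\)/g, (whole, quote, body) => {
    try {
      const jsonBody = quote === '"' ? body : body.replace(/\\'/g, "'").replace(/"/g, '\\"');
      return JSON.parse('"' + jsonBody + '"');
    } catch (e) {
      return whole;
    }
  });
}

// Indicators worth flagging before and after peeling (case-insensitive substring match).
const INDICATORS = ['eval', 'unescape', 'fromCharCode', 'document.write', 'innerHTML', '<script'];
function suspiciousIndicators(code) {
  const lower = code.toLowerCase();
  return INDICATORS.filter(name => lower.includes(name.toLowerCase()));
}

// Apply the three layers repeatedly until the text stops changing (bounded).
function deobfuscate(src, maxRounds = 10) {
  let code = src;
  let rounds = 0;
  for (let i = 0; i < maxRounds; i++) {
    const next = unwrapEvalLiteral(decodeFromCharCode(decodePercentLiterals(code)));
    if (next === code) break;
    code = next;
    rounds++;
  }
  return { code, rounds, before: suspiciousIndicators(src), after: suspiciousIndicators(code) };
}

// Constructed samples in the style of obfuscated page scripts (harmless payloads).
const SAMPLE_EVAL = 'eval(unescape("%61%6C%65%72%74%28%22%68%69%22%29"))';
const SAMPLE_WRITE = 'document.write(String.fromCharCode(60,115,99,114,105,112,116,62))';

if (typeof require !== 'undefined' && require.main === module) {
  for (const s of [SAMPLE_EVAL, SAMPLE_WRITE]) console.log(deobfuscate(s));
}
```

The layers are peeled in a loop because real obfuscation nests them (percent-encoding inside eval inside another eval); the bounded round count keeps a pathological input from looping forever. Peeling by string rewriting rather than evaluation is the point: a reviewer gets the decoded text and the before/after indicator lists without ever giving the script a chance to run.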
Cross site scripting
• Dynamic content.
• An input parameter from the user is displayed on the same page.
• Malicious JavaScript code from a particular web site gets executed on the victim's browser.

Login page example (slide mock-up: "WelCome to Web.com", Username and Password fields, Submit, Cancel and "New User SignUP!" buttons). The server reflects the error message back through a redirect, as sketched on the slide:

    response.sendRedirect("login.jsp?ErrorMessage(\"invalid username\")");

The injected request replaces the message with script and form markup that the page then emits:

    response.sendRedirect("login.jsp?ErrorMessage(){ </script><form action=\"WrongWeb.jsp\" method=Post><script> };");
Detection:
• Can be detected easily by many single-user detector firewalls.
• Look for the </script pattern.
Suggested solution:
• Do not display JavaScript when it is not required.
• Filter user input whenever there is a chance of attack.
• Encode output based on the input coming from the user.
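The detection and the three suggested solutions above, as an added example that is not code from the presentation: the ErrorMessage reflection from the login page example rendered unsafely and then with HTML output encoding, a fixed-message lookup so that free text is never reflected at all, and the "</script" pattern check run against the URL-decoded parameter. The parameter name, the error codes and the two inputs are constructed for this example; the injected string is the one shown on the slide.

```javascript
// Added example, not the presentation's code: hardening the ErrorMessage
// reflection and detecting the injected pattern.

// HTML-encode the characters that let a value break out of an HTML text context.
function htmlEncode(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Vulnerable rendering: the query parameter is concatenated straight into the page.
function renderLoginUnsafe(errorMessage) {
  return '<h1>WelCome to Web.com</h1><p class="error">' + errorMessage + '</p>';
}

// Hardened rendering: the same template, with the reflected value encoded first.
function renderLoginSafe(errorMessage) {
  return '<h1>WelCome to Web.com</h1><p class="error">' + htmlEncode(errorMessage) + '</p>';
}

// Stronger still: do not reflect free text at all. A short error code (assumed
// parameter name "err") maps to a fixed message; unknown codes get a generic one.
const ERROR_MESSAGES = {
  bad_credentials: 'invalid username',
  locked: 'account locked, contact support',
};
function messageForCode(code) {
  return Object.prototype.hasOwnProperty.call(ERROR_MESSAGES, code)
    ? ERROR_MESSAGES[code]
    : 'login failed';
}

// Detection: the slide's "</script" pattern plus a few related markers, checked
// case-insensitively on the URL-decoded parameter value.
const SCRIPT_MARKERS = [/<\/script/i, /<script/i, /<form\b/i, /\bon\w+\s*=/i, /javascript:/i];
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}
function looksLikeScriptInjection(param) {
  const decoded = safeDecode(param);
  return SCRIPT_MARKERS.some(re => re.test(decoded));
}

// Constructed inputs: the benign message and the injected string from the slide.
const BENIGN = 'invalid username';
const INJECTED = '</script><form action="WrongWeb.jsp" method=Post><script>';
const INJECTED_ENCODED = encodeURIComponent(INJECTED);

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderLoginUnsafe(INJECTED));              // tag boundaries survive
  console.log(renderLoginSafe(INJECTED));                // shown as literal text
  console.log(looksLikeScriptInjection(INJECTED_ENCODED)); // true
}
```

Encoding is applied at output time, in the HTML text context the value lands in; a filter on input alone misses encodings the filter did not anticipate, which is why the detector decodes the parameter before matching and why the fixed-message lookup is the preferred fix for an error banner that never needed free text in the first place.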
Conclusion
• Web 2.0 is an emerging technology.
• Web technologies such as Ajax and RIA have improved the overall effectiveness and efficiency of web applications.
• Increased Web 2.0 security awareness, secure coding practices and secure deployments offer the best defense against any attack.