Web 2.0 is the business revolution in the computer industry caused by the move to the internet as a platform, and an attempt to understand the rules for success on that new platform. Chief among those rules is this: Build applications that harness network effects to get better the more people use them. (Tim O'Reilly)
A Transition
Web 2.0
The term Web 2.0 is commonly associated with web applications that facilitate interactive information sharing, interoperability, user-centered design, and collaboration on the World Wide Web. Web 2.0 draws together the capabilities of client- and server-side software, content syndication and the use of network protocols. Standards-oriented web browsers may use plug-ins and software extensions to handle the content and the user interactions. Web 2.0 sites provide users with information storage, creation, and dissemination capabilities that were not possible in the environment known as "Web 1.0". Examples of Web 2.0 include social-networking sites, blogs, wikis, video-sharing sites, hosted services, web applications, mashups and folksonomies.
Wikis
Tagging and social bookmarking
Multimedia sharing

Client-side technologies: XHTML, CSS, AJAX, VRML
Server-side technologies: ASP.NET, PHP, CGI, JSP
Web services: SOAP, WSDL, UDDI

Web-related technologies and standards are the key driver of the development of Web 2.0.

Web as platform
Software applications used to run on the user's machine, handled by a desktop operating system. In the Web-as-platform model, umbrella software services run within the browser window itself, communicating with the network and remote servers.
Ajax
Shorthand for Asynchronous JavaScript and XML, a term first coined by Jesse James Garrett in 2005. It removes the need to reload the entire web page each time the user makes a change: only small amounts of information pass to and from the server once the page has first been loaded. The Ajax engine processes every action that would normally result in a trip back to the server for a page reload, and only makes the referrals back to the server that are really necessary. This increases the web page's interactivity, speed, and usability.
Flash allows sophisticated but quick-to-download vector graphics and animation to be displayed in the browser window.
Microsoft's WPF/E, XBAP, and the related XAML, all of which feature heavily in the Vista operating system.
Ethan Nicholas's proposed minimalist Java Browser Edition.
Microformats
Microformats are widely used by Web developers to embed semistructured semantic information (i.e. some level of meaning) within an XHTML webpage (Khare, 2006). Information based on open data formats (a microformat) is buried within certain XHTML tags (such as class or div) or attributes (such as rel or rev). The information is not used by the browser for display or layout purposes, but it can be picked up by applications such as search engines. An example of a microformat is the hCard format, which allows personal or organisational contact information based on the vCard standard to be embedded in a webpage.
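To make the hCard description concrete, here is an added example (not from the original slides) that pulls vCard-style fields out of an XHTML fragment by reading the class attributes, the way a search engine or aggregator would. The markup is constructed, and the parser only handles the flat single-level layout shown; a real consumer would use a proper DOM parser and, since the data comes from arbitrary third-party pages, would treat every extracted value as untrusted input.

```javascript
// Added example: extract hCard fields from a constructed XHTML fragment.
// Only flat, single-level hCards are handled (assumption for this demo).
const HCARD_SAMPLE = `
<div class="vcard">
  <span class="fn">Ada Example</span>
  <span class="org">Example Corp</span>
  <a class="email" href="mailto:ada@example.org">ada@example.org</a>
  <a class="url" href="https://example.org/ada">homepage</a>
</div>`;

// Returns an object keyed by microformat property name, or null if no vcard
// container is present.
function parseHCard(xhtml) {
  // Locate the container element carrying the "vcard" class.
  const cardMatch = xhtml.match(/<div[^>]*class="[^"]*\bvcard\b[^"]*"[^>]*>([\s\S]*?)<\/div>/);
  if (!cardMatch) return null;

  const card = {};
  // Each child element: tag name, attribute string, text content.
  const elem = /<(\w+)([^>]*)>([^<]*)<\/\1>/g;
  let m;
  while ((m = elem.exec(cardMatch[1])) !== null) {
    const [, , attrs, text] = m;
    const cls = (attrs.match(/class="([^"]*)"/) || [])[1];
    if (!cls) continue; // element carries no microformat property
    const href = (attrs.match(/href="([^"]*)"/) || [])[1];

    for (const name of cls.split(/\s+/)) {
      if (name === 'email' && href && href.startsWith('mailto:')) {
        card.email = href.slice('mailto:'.length); // value lives in the href, not the text
      } else if (name === 'url' && href) {
        card.url = href;
      } else {
        card[name] = text.trim(); // fn, org, etc. take their element's text
      }
    }
  }
  return card;
}
```

The property names (fn, org, email, url) follow the hCard vocabulary; everything the function returns came from a page someone else controls, so it should be encoded before being displayed and validated before being stored.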
Open APIs
An Application Programming Interface (API) provides a mechanism for programmers to make use of the functionality of a set of modules without having access to the source code.
An API that doesn't require the programmer to license or pay royalties is often described as open. Such open APIs have helped Web 2.0 services develop rapidly and have facilitated the creation of mash-ups of data from various sources.
Cross Site Scripting
Cross Site Request Forgery
SQL Injection
Authentication and Authorization Flaws
Information Leakage
Insecure Storage
Insecure Communications
XSS flaws occur whenever an application takes user-supplied data and sends it to a web browser without first validating or encoding that content. There are three variants:
Non-persistent (reflected)
Persistent (stored)
DOM-based
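The defence the slide points at is encoding user-supplied data for the context it is written into. The following is an added example (not from the original slides) in JavaScript: a comment-rendering function that concatenates untrusted text straight into markup, the same function with HTML entity encoding applied, and a small review-time check that reports whether any tag the template did not emit survived rendering. The comment text, the template and the allow-list of template tags are constructed for the demo; the same encoding applies whether the markup is built on the server or inserted by an Ajax callback in the browser.

```javascript
// Added example: HTML output encoding against reflected and stored XSS.

// The five characters that can end a text node or an attribute value and
// start new markup, with their entity forms.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

// Encode a value for insertion into HTML element content or a quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable rendering: the stored comment (or an echoed search term, in the
// reflected case) is concatenated unchanged, so markup in it becomes part of
// the page.
function renderCommentUnsafe(author, body) {
  return `<li><b>${author}</b>: ${body}</li>`;
}

// Hardened rendering: every untrusted value is encoded for the HTML text
// context before it reaches the page.
function renderComment(author, body) {
  return `<li><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</li>`;
}

// Review-time check over rendered output: does any tag appear that the
// template itself did not emit? TEMPLATE_TAGS is a constructed allow-list
// matching the template above.
const TEMPLATE_TAGS = new Set(['li', 'b']);
function hasUnexpectedTags(html) {
  const tags = html.match(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g) || [];
  return tags.some((t) => !TEMPLATE_TAGS.has(t.replace(/^<\/?/, '').toLowerCase()));
}

// Constructed probe string of the kind a tester submits to a comment form.
const probe = '<script>alert(1)</script>';
```

Encoding is context-specific: the table above is correct for element text and quoted attribute values, but a value placed inside a URL, a script block or a CSS property needs the encoding rules of that context instead.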
A CSRF attack forces a logged-on victim's browser to send a pre-authenticated request to a vulnerable web application, which then forces the victim's browser to perform a hostile action to the benefit of the attacker.
SQL Injection
A SQL injection attack consists of the insertion or "injection" of a SQL query via the input data from the client to the application.
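The point of the definition is that the client's data reaches the SQL parser as part of the statement. This added example (not from the original slides) shows a login lookup built by string concatenation next to the same lookup as a parameterised statement, plus a small tokenizer that makes the difference visible: under concatenation, the input can change the statement's structure, whereas a bound parameter leaves the statement text fixed. The query, the inputs and the tokenizer are constructed for the demo, and no database driver is involved.

```javascript
// Added example: string-built SQL versus a parameterised statement.

// Vulnerable: the client's input is spliced into the SQL text, so a quote in
// the input ends the literal and whatever follows is parsed as SQL.
function buildLoginQueryUnsafe(username) {
  return `SELECT id FROM users WHERE username = '${username}'`;
}

// Hardened: the SQL text is fixed at development time and the input travels
// separately as a bound value; the driver never lets it alter the grammar.
function buildLoginQuery(username) {
  return { text: 'SELECT id FROM users WHERE username = ?', values: [username] };
}

// Minimal SQL tokenizer: string literals (with '' escapes), identifiers and
// keywords, comparison operators, placeholders and punctuation.
function tokenizeSql(sql) {
  const re = /'(?:[^']|'')*'|[A-Za-z_][A-Za-z0-9_]*|[=<>!]+|\?|[(),*;]/g;
  return sql.match(re) || [];
}

// The "shape" of a statement: its tokens with every string literal replaced by
// a placeholder. Two statements with the same shape have the same structure
// and differ only in data, which is what parameterisation guarantees.
function sqlShape(sql) {
  return tokenizeSql(sql)
    .map((t) => (t.startsWith("'") ? '<str>' : t.toUpperCase()))
    .join(' ');
}

// True when `input` changes the statement's structure relative to a benign
// input. This is a review-time check on how a query is built, not a runtime
// filter: screening input is not a substitute for parameterisation.
function inputAltersStructure(buildQuery, benignInput, input) {
  const text = (q) => (typeof q === 'string' ? q : q.text);
  return sqlShape(text(buildQuery(benignInput))) !== sqlShape(text(buildQuery(input)));
}

// Constructed inputs: an ordinary username and the textbook tautology input.
const BENIGN = 'alice';
const TAUTOLOGY = "alice' OR '1'='1";
```

With the unsafe builder the tautology input adds an OR branch to the WHERE clause; with the parameterised builder the statement text is identical for every input and the value, quotes included, sits in the values array.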
These flaws can lead to the hijacking of user accounts, undermine authorization and accountability controls, and cause privacy violations.
These flaws could allow sensitive data to be stolen if the appropriate strong protections aren't in place.
Not encrypting sensitive data
Hard-coding keys and/or insecurely storing keys
Using broken protection mechanisms (e.g. DES)
Failing to rotate and manage encryption keys
Insecure Communications
Not encrypting sensitive data in transit
Only using SSL/TLS for the initial logon request
Failing to protect keys whilst in transit
Emailing clear-text passwords

Data in more places, including client-side storage
Mixing secure and insecure content on a page
More code and complexity in Web 2.0 apps

Security analysis difficulties with Web 2.0
At least two languages to analyze (client and server)
User-supplied code might never be reviewed
Dynamic nature increases the risk of missing flaws
Increased number of input points
Do not focus on specific vulnerabilities: develop securely rather than to prevent the hot vulnerability of the day. Build security into the code; don't try to bolt it on at the end.

Input Validation: XSS, * Injection
Output Validation: XSS, * Injection, encoding issues
Error Handling: Information Leakage
Authentication and Authorization: Weak Access Control, Insufficient A+A, CSRF
Session Management: Timeouts, Strong Session IDs, CSRF
Secure Communications
Secure Storage
Conclusion
Web 2.0 is hard to define, but it is very far from just hype.
Openness allows communities to assemble unique, tailored applications. We can all benefit by adopting the Web 2.0 principles of openness and sharing.
Because of the web as platform, there is huge potential for new kinds of web applications.