
What is Web 2.0?

"Web 2.0 is the business revolution in the computer industry caused by the move to the internet as a platform, and an attempt to understand the rules for success on that new platform. Chief among those rules is this: Build applications that harness network effects to get better the more people use them." - Tim O'Reilly

A Transition

Web 2.0

The term Web 2.0 is commonly associated with web applications that facilitate interactive information sharing, interoperability, user-centered design, and collaboration on the World Wide Web. Web 2.0 draws together the capabilities of client- and server-side software, content syndication and the use of network protocols. Standards-oriented web browsers may use plug-ins and software extensions to handle the content and the user interactions. Web 2.0 sites provide users with information storage, creation, and dissemination capabilities that were not possible in the environment known as "Web 1.0". Examples of Web 2.0 include social-networking sites, blogs, wikis, video-sharing sites, hosted services, web applications, mashups and folksonomies.

Key Web 2.0 services / Applications

Blogs
Wikis
Tagging and Social bookmarking
Multimedia Sharing
Audio blogging and podcasting
RSS and Syndication
New Web 2.0 services and Apps

Service Oriented Architecture in Convergence with Web 2.0

Factors to be included in considering SOA with Web 2.0

Software as a service
Web Technologies
Mash Ups
Web Apps

Web Technologies by tier:

Client-side web technologies: XHTML, CSS, AJAX, VRML
Server-side web technologies: ASP.NET, PHP, CGI, JSP
Web services: SOAP, WSDL, UDDI, RSS, ATOM

Tools for SOA and Web 2.0


Microsoft BizTalk Server
Microsoft SharePoint Server
Microsoft Visual Studio
Microsoft Silverlight
ASP.NET AJAX (Atlas)
Microsoft Expression Studio
Windows Live APIs

Technology and Standards

Web-related technologies and standards are a key driver of the development of Web 2.0.

Web as platform: previously, software applications ran on the user's machine, handled by a desktop operating system. In the web-as-platform model, umbrella software services run within the actual window of the browser, communicating with the network and remote servers.

Ajax

Shorthand for Asynchronous JavaScript and XML, a term first coined by Jesse James Garrett in 2005. Ajax removes the need to reload the entire web page each time the user makes a change: only small amounts of information pass to and from the server once the page has first been loaded. The Ajax engine processes every action that would normally result in a trip back to the server for a page reload, and refers back to the server only when it is really necessary. This increases the web page's interactivity, speed, and usability.

Alternatives for Ajax

Flash allows sophisticated, but quick-to-download, vector graphics and animation to be displayed in the browser window.

Microsoft's WPF/E, XBAP, and the related XAML, all of which feature heavily in the Vista operating system.

Ethan Nicholas's proposed minimalist Java Browser Edition.

SOAP vs REST: Web architecture debate


REST stands for Representational State Transfer, first introduced by Roy Fielding in 2005. It is not a standard, but describes an approach for a client/server, stateless architecture that provides a simple communications interface using XML and HTTP. The use of HTTP lets you communicate your intentions through GET, POST, PUT, and DELETE command requests. SOAP stands for Simple Object Access Protocol; SOAP services are more formal and use messaging, complex protocols and the Web Services Description Language (WSDL). Sean McGrath's view: he describes the Web as an enormous information space, littered with nouns and a small number of verbs. Where SOAP is more of a verb-noun system, he argues that SOAP/WSDL allows the creation of too many (irregular) verbs. There is considerable debate between communities of developers over these issues.
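The nouns-and-few-verbs point can be made concrete in code. The following added example (not from the original slides, and not any real service's code) puts a constructed in-memory "notes" resource behind a REST-style dispatcher, where the path is the noun and the verb must be one of GET, POST, PUT or DELETE, and beside it a function that pulls the operation name out of a constructed SOAP envelope, where the verb is whatever element name the service author chose. The resource name, the envelope contents and the status codes are assumptions for the demonstration.

```python
import itertools
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed in-memory resource collection (the "noun"); not from the original slides.
NOTES = {}
_next_id = itertools.count(1)


def rest_dispatch(method: str, path: str, body: Optional[dict] = None):
    """REST style: the path names a resource, the verb is one of a fixed,
    small HTTP vocabulary. Returns (status, payload)."""
    parts = path.strip("/").split("/")
    if parts[0] != "notes":
        return 404, None
    note_id = parts[1] if len(parts) > 1 else None
    if method == "GET":
        if note_id is None:
            return 200, dict(NOTES)
        return (200, NOTES[note_id]) if note_id in NOTES else (404, None)
    if method == "POST" and note_id is None:
        new_id = str(next(_next_id))
        NOTES[new_id] = body or {}
        return 201, new_id
    if method == "PUT" and note_id is not None:
        NOTES[note_id] = body or {}
        return 200, note_id
    if method == "DELETE" and note_id is not None:
        return (204, None) if NOTES.pop(note_id, None) is not None else (404, None)
    # Any other verb is simply not part of the vocabulary: the set of operations
    # a reviewer has to reason about (and write access rules for) stays closed.
    return 405, None


SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed SOAP envelope; the operation name is an invented, service-specific verb.
SAMPLE_ENVELOPE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <ArchiveAndNotifyOwner xmlns="urn:example:notes"><id>1</id></ArchiveAndNotifyOwner>
  </soap:Body>
</soap:Envelope>"""


def soap_operation(envelope_xml: str) -> str:
    """SOAP style: the verb is an element name inside the Body, so every service
    can invent its own (McGrath's 'irregular verbs'). This parses trusted,
    constructed input; untrusted XML belongs in a hardened parser such as defusedxml."""
    root = ET.fromstring(envelope_xml)
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None or len(body) == 0:
        raise ValueError("no operation element in SOAP Body")
    return body[0].tag.split("}")[-1]   # drop the namespace part of the tag


if __name__ == "__main__":
    status, new_id = rest_dispatch("POST", "/notes", {"text": "hello"})
    print(status, rest_dispatch("GET", f"/notes/{new_id}"))
    print(rest_dispatch("PATCH", f"/notes/{new_id}", {}))   # verb outside the vocabulary
    print(soap_operation(SAMPLE_ENVELOPE))
```

The contrast is the one the slide describes: with REST the reviewer enumerates four verbs per noun, while with SOAP each new operation element is a new verb that needs its own authorization and validation logic.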

Microformats

Microformats are widely used by Web developers to embed semistructured semantic information (i.e. some level of meaning) within an XHTML webpage (Khare, 2006). Information based on open data formats (a microformat) is buried within certain XHTML tags (such as class or div) or attributes (such as rel or rev). The information is not used by the browser for display or layout purposes but it can be picked up by applications such as search engines. An example of a microformat is the hCard format, which allows personal or organisational contact information based on the vCard standard to be embedded in a webpage.
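To show what "picked up by applications" means in practice, here is an added example (not from the original slides or from any microformats library) of a small consumer that walks an XHTML fragment with Python's standard-library HTMLParser and collects hCard properties from class attributes. The fragment is constructed for the example; the property names (vcard, fn, org, email, tel, url, adr) are the hCard class names, and the rest (the void-tag list, the whitespace handling, taking url and email from href) are this example's own choices.

```python
from html.parser import HTMLParser

# Constructed XHTML fragment carrying one hCard; not taken from the original slides.
SAMPLE_XHTML = """
<div class="vcard">
  <a class="url fn" href="http://example.com/jane">Jane Example</a>,
  <span class="org">Example Corp</span><br>
  <a class="email" href="mailto:jane@example.com">jane@example.com</a>
  <span class="tel">+1-555-0100</span>
</div>
<p class="note">Text outside any vcard is ignored.</p>
"""

HCARD_PROPERTIES = {"fn", "org", "email", "tel", "url", "adr"}
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link"}   # never get an end tag


class HCardParser(HTMLParser):
    """Walks the markup and collects hCard properties from class attributes.
    The browser ignores these classes for layout; a consumer like this reads them."""

    def __init__(self):
        super().__init__()
        self.cards = []          # completed hCards, one dict each
        self._current = None     # dict being filled while inside a vcard element
        self._depth = 0          # element depth inside the current vcard
        self._open = []          # [depth, properties, text parts, href] per open property element

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        attrs = dict(attrs)
        classes = set((attrs.get("class") or "").split())
        if self._current is None:
            if "vcard" in classes:
                self._current, self._depth = {}, 1
            return
        self._depth += 1
        props = classes & HCARD_PROPERTIES
        if props:
            self._open.append([self._depth, props, [], attrs.get("href")])

    def handle_data(self, data):
        for entry in self._open:          # text belongs to every enclosing property element
            entry[2].append(data)

    def handle_endtag(self, tag):
        if self._current is None or tag in VOID_TAGS:
            return
        while self._open and self._open[-1][0] == self._depth:
            _, props, parts, href = self._open.pop()
            text = " ".join("".join(parts).split())      # collapse whitespace
            for prop in props:
                if prop == "url" and href:
                    value = href
                elif prop == "email" and href and href.startswith("mailto:"):
                    value = href[len("mailto:"):]
                else:
                    value = text
                self._current.setdefault(prop, value)   # first occurrence wins
        self._depth -= 1
        if self._depth == 0:                             # the vcard element just closed
            self.cards.append(self._current)
            self._current = None


def parse_hcards(xhtml: str) -> list:
    """Return every hCard in the fragment as a dict of property -> value.
    Values are untrusted page content: encode them before re-emitting as HTML."""
    parser = HCardParser()
    parser.feed(xhtml)
    parser.close()
    return parser.cards


if __name__ == "__main__":
    for card in parse_hcards(SAMPLE_XHTML):
        print(card)
```

Because the extracted values come straight from a third party's page, a search engine or mashup that displays them is handling user-supplied data and must encode it on output just as it would a form field.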

Open APIs

An Application Programming Interface (API) provides a mechanism for programmers to make use of the functionality of a set of modules without having access to the source code.

An API that doesn't require the programmer to license or pay royalties is often described as open. Such open APIs have helped Web 2.0 services develop rapidly and have facilitated the creation of mash-ups of data from various sources.

The Security Risks of Web 2.0

Differences between Web 1.0 and 2.0

Common Web 2.0 Vulnerabilities

Cross Site Scripting
Cross Site Request Forgery
SQL Injection
Authentication and Authorization Flaws
Information Leakage
Insecure Storage
Insecure Communications

Some Web 2.0 Specific Vulnerabilities

On top of that list we do have some specific Web 2.0 vulnerabilities:

XSS Worms
Feed Injections
Mashup and Widget Hacks

Cross Site Scripting (XSS)

XSS flaws occur whenever an application takes user supplied data and sends it to a web browser without first validating or encoding that content. The three forms are:

Non-Persistent (Reflected)
Persistent (Stored)
DOM Based

Cross Site Request Forgery (CSRF)

A CSRF attack forces a logged-on victim's browser to send a pre-authenticated request to a vulnerable web application, which then forces the victim's browser to perform a hostile action to the benefit of the attacker.
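The standard defence is a per-session synchronizer token, which also exercises the Session Management principle later in the deck (strong session IDs, timeouts). The following added example (not from the original slides or from any framework) keeps sessions in a constructed in-memory dictionary, issues 256-bit session and CSRF tokens from the OS CSPRNG, enforces an assumed 15-minute idle timeout, and rejects a state-changing request whose form lacks the token that only the genuine page could have carried. The form, the /transfer action and the timeout value are assumptions.

```python
import hmac
import secrets
import time
from typing import Optional

SESSION_TIMEOUT = 15 * 60        # idle seconds before a session is discarded (assumed policy)
SESSIONS = {}                    # session id -> record; stand-in for a real session store


def _now(now: Optional[float]) -> float:
    return time.time() if now is None else now


def create_session(user: str, now: Optional[float] = None) -> str:
    """Strong session id: 256 bits from the OS CSPRNG, plus a per-session CSRF token."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32), "last_seen": _now(now)}
    return sid


def get_session(sid: str, now: Optional[float] = None) -> Optional[dict]:
    """Look up a session and enforce the idle timeout; a stale session is removed."""
    sess = SESSIONS.get(sid)
    if sess is None:
        return None
    t = _now(now)
    if t - sess["last_seen"] > SESSION_TIMEOUT:
        del SESSIONS[sid]
        return None
    sess["last_seen"] = t
    return sess


def render_transfer_form(sid: str, now: Optional[float] = None) -> str:
    """The genuine form carries the token; a page on another origin cannot read it."""
    sess = get_session(sid, now)
    if sess is None:
        return "<p>please log in</p>"
    return ('<form method="post" action="/transfer">'
            f'<input type="hidden" name="csrf_token" value="{sess["csrf"]}">'
            '<input name="amount"><button>Send</button></form>')


def handle_transfer(cookie_sid: str, form: dict, now: Optional[float] = None):
    """State-changing request: the session cookie (sent automatically by the browser)
    is not enough on its own; the token in the form body must match the session's."""
    sess = get_session(cookie_sid, now)
    if sess is None:
        return 401, "no valid session"
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token, sess["csrf"]):     # constant-time comparison
        return 403, "missing or wrong CSRF token"
    return 200, f"{sess['user']} transferred {form.get('amount')}"


if __name__ == "__main__":
    sid = create_session("alice")
    print(handle_transfer(sid, {"amount": "10"}))                                   # forged: no token
    print(handle_transfer(sid, {"amount": "10", "csrf_token": SESSIONS[sid]["csrf"]}))  # genuine
```

A request assembled by another site arrives with the victim's cookie but without the hidden field, so it fails the token check; a request from the application's own form passes, and an idle session expires regardless of what the form contains.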

SQL Injection

A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application.

Authentication and Authorization Flaws

These flaws can lead to the hijacking of user accounts, privilege escalation, the undermining of authorization and accountability controls, and privacy violations.

Insecure Storage and Communications

These flaws could allow sensitive data to be stolen if the appropriate strong protections aren't in place.

Insecure Storage and Communications

Insecure storage of data:
Not encrypting sensitive data
Hard coding of keys and/or insecurely storing keys
Using broken protection mechanisms (i.e. DES)
Failing to rotate and manage encryption keys

Insecure communications:
Not encrypting sensitive data in transit
Only using SSL/TLS for the initial logon request
Failing to protect keys whilst in transit
Emailing clear text passwords

Insecure Storage and Communications: what makes this worse in Web 2.0?

More data in more places, including client side storage
Mixing secure and insecure content on a page

Security analysis difficulties with Web 2.0

More code and complexity in Web 2.0 apps
At least two languages to analyze (client and server)
User supplied code might never be reviewed
Dynamic nature increases risk of missing flaws
Increased amount of input points

How can you prevent these vulnerabilities?

Follow a small, repeatable set of principles:
Try not to focus on specific vulnerabilities
Develop securely, not to prevent the hot vuln of the day
Build security into the code, don't try to bolt it on at the end

The Secure Development Principles

Principle: what it addresses

Input Validation: XSS, * Injection
Output Validation: XSS, * Injection, Encoding issues
Error Handling: Information Leakage
Authentication and Authorization: Weak Access Control, Insufficient A+A, CSRF
Session Management: Timeouts, Strong Session IDs, CSRF
Secure Communications: Strong Protection in Transit
Secure Storage: Strong Protection when Stored
Secure Resource Access: Restrict Access to Sensitive Resources, Admin Pages, File Systems

Conclusion

Web 2.0 is hard to define, but very far from just hype
Openness allows communities to assemble unique tailored applications
We can all benefit by adopting Web 2.0 principles of openness and sharing
Because of the web as platform there is huge potential for new kinds of web applications
