One thing is clear about Web 2.0: It isn't much safer than the first go-round.
As companies upgrade their Web sites with the latest interactive technologies, they'll find the sites offer both a greater opportunity to attract and retain users and pose a greater danger of security breaches inside the firewall. Ajax, with its use of JavaScript, lets a writer create programs that automatically execute when loaded into a visitor's browser window. JavaScript is just the most prominent of browser-ready scripting languages that can launch malicious code back toward a server. Others include Microsoft Visual Basic and Microsoft's answer to JavaScript based on the ECMAScript standard. They also include Adobe's ActionScript, another ECMAScript look-alike, which runs in the browser window on the ubiquitous Flash player, already installed on 98% to 99% of Internet clients.
Such interactive features are an ongoing threat because they contain hazards that can be minimized but not eliminated. And just minimizing them takes discipline by developers who may not have the experience to know when they're getting into trouble. Ajax applications can run lots of scripted code on the server side and in browsers, opening vulnerabilities hackers can exploit in the databases with which the apps communicate.
Even disciplined developers can fall prey. A year ago, social networking site MySpace hosted a new profile by a user called Samy. Included in his posting was a hidden JavaScript worm that would infect the browser of any MySpace user who came to Samy's profile and replicate itself in that user's profile. In one sense, the result was merely playful: Samy's goal was to post the line "Samy is my hero" in the "Heroes" section of as many MySpace users as possible. But the infection spread quickly. Within 20 hours, the JavaScript worm had infected a million MySpace users. As it continued to build, the artificial traffic being generated by the worm's actions brought MySpace servers to their knees. MySpace has declined to comment, but it was reported on Slashdot that the company had to shut down its site temporarily to get rid of the infection.
That's one example of why Web 2.0 developers must think about security from the beginning. A big danger of Web 2.0 technologies is when they call for users to put responses into forms or data fields. Developers may seek a particular response, such as a name or a ZIP code, but too few Web sites carefully validate the input. "At the client, there's no control over what gets actually input. It's all under the user's control," says Bryan Sullivan, development manager for SPI Dynamics, a security software company.
David Wagner, assistant professor of computer science at the University of California at Berkeley, warns that there are 1,001 ways to hide JavaScript in an HTML page, in a wiki, or on a MySpace or Yahoo Mail type of site. "If you caught 1,000 of them, you're still out of luck," Wagner says. "The bad guys have the advantage." Yahoo's Web mail servers were invaded by the Yamanner worm that a user uploaded last spring.
If a knowledgeable user types a SQL statement into an address field, that statement will execute against an available database back on the server, a maneuver known as SQL injection. If a MySpace user loads his personal page on the MySpace Web server with a JavaScript worm, that worm will execute in the browser window of visitors who inspect his content. MySpace has taken steps to block a repeat of the Samy worm, but malware writers undoubtedly will try something different next time.
Unlike worms that preceded it, the Samy worm wasn't limited to one operating system. It was a cross-platform worm, like Ajax on the Web, and it could be launched by Apple Macs, Linux workstations, or Windows PCs. It was silent, captured user information, and gave no warning that the user was being infected and would infect others. Warns Sullivan, "Imagine an Ajax worm on a bank site."
-- Charles Babcock
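The two failure modes the article describes, a form field reaching the SQL parser and profile content reaching visitors' browsers as live script, come down to where untrusted text is allowed to go. The following is an added illustration, not code from the article or from MySpace: it uses a constructed in-memory profile table and assumed function names to contrast string-built SQL with a parameterized query, and to show output encoding of a stored bio.

```python
import html
import sqlite3

# Constructed sample rows standing in for a site's profile table (not MySpace's schema).
PROFILES = [
    ("samy", "Samy is my hero"),
    ("alice", "Hi, I'm Alice"),
]


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE profiles (username TEXT, bio TEXT)")
    conn.executemany("INSERT INTO profiles VALUES (?, ?)", PROFILES)
    return conn


def find_bio_unsafe(conn, username):
    # String concatenation: whatever the user typed becomes part of the SQL text.
    sql = "SELECT bio FROM profiles WHERE username = '" + username + "'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def find_bio_safe(conn, username):
    # Parameterized query: the driver sends the value separately, so it is never parsed as SQL.
    row = conn.execute("SELECT bio FROM profiles WHERE username = ?", (username,)).fetchone()
    return row[0] if row else None


def render_bio(bio):
    # Output encoding: angle brackets and quotes become entities, so a <script> tag
    # stored in a bio is displayed as text instead of executing in the visitor's browser.
    return '<p class="bio">' + html.escape(bio, quote=True) + "</p>"


def demo():
    conn = open_db()
    tricky = "o'brien"  # a legitimate name with an apostrophe, constructed for the demo
    try:
        find_bio_unsafe(conn, tricky)
        unsafe_result = "query ran"
    except sqlite3.OperationalError:
        unsafe_result = "SQL syntax error"  # the apostrophe reached the SQL parser
    safe_result = find_bio_safe(conn, tricky)  # None: looked up as plain data, no error
    stored_bio = "<script>alert('Samy is my hero')</script>"  # constructed hostile bio
    return unsafe_result, safe_result, render_bio(stored_bio)
```

The concatenated query already breaks on an ordinary apostrophe, which is the same boundary a crafted field exploits; the parameterized query and the encoded output keep user text as data in both places.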
[Image: Does this MySpace profile contain a JavaScript worm?]