New Ajax Attack Poses Threat To Web 2.0 Sites
April 4, 2007
4 Min Read
Widely popular Web sites using so-called Web 2.0 technology should take heed of a new attack aimed directly at them.
"The vulnerability is widespread," said Brian Chess, chief scientist and a founder of Fortify, in an interview. "If this goes unfixed, then this will be the same kind of problem we've had with buffer overflow. We've known about that for 30 years and we still don't have a handle on it."
While the vulnerability is widespread, the attacks aren't yet, Chess said. But he's sure they're taking place and he's also sure the problem will escalate.
"Historically speaking, the good guys are the last to know," he said. "This would be a record if the good guys were talking about it before the bad guys. And I don't think that is happening here."
Craig Schmugar, a threat researcher at McAfee, said Web 2.0 sites are putting themselves at risk. "Web 2.0 is growing at such a fast rate that security on many of these sites isn't a priority," he said in an interview. "It all comes up when they have to decide between securing the site and supporting functionality." Securing the site, he added, doesn't always win out.
Johannes Ullrich, chief research officer at the SANS Institute and chief technology officer for the Internet Storm Center, said the user-based content on many of the Web 2.0 sites also is contributing to the risk factor. On sites like MySpace, hackers could even create their own page and embed malicious code, or they could become a trusted "friend" to someone else, add a comment on their page, and embed the malicious code in it, he explained in an interview.
Schmugar agreed with Ullrich that sites often are enabling user-based content at the expense of security. "It's doing things the Web site shouldn't be allowed to do," he said. "It's breaking out of the trusted relationship. MySpace is an extreme example because all of the content is user created. You end up with these valid sites with malicious pages in them. You could go to a site you visit all the time and be hit with this."
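The risk Ullrich and Schmugar describe above is user-supplied content (a profile page, a comment from a "friend") being rendered by a trusted site without neutralisation, so that script inside it runs with the site's own privileges. The following is an added illustration, not code from the article or from any site or vendor it mentions: a minimal comment renderer shown in its unsafe form beside a version that HTML-escapes every user-controlled field, with a constructed sample comment to show the difference. The function and variable names are assumptions made for this example.

```javascript
// Added example (not from the original article): rendering a user comment
// with and without output encoding. The constructed sample comment carries a
// <script> tag, as in the scenario the article describes.

// Characters that have meaning in HTML, mapped to their entity forms.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape every character that could open a tag, attribute or entity.
// Note that "&" must be escaped too, or an attacker could smuggle entities.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe rendering: the author and body are interpolated verbatim, so any
// markup the user typed becomes live markup in the page.
function renderCommentUnsafe(author, body) {
  return `<div class="comment"><b>${author}</b>: ${body}</div>`;
}

// Safe rendering: the same template, but every user-controlled field is
// escaped before it is placed into the HTML.
function renderCommentSafe(author, body) {
  return `<div class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</div>`;
}

// Crude check used only to make the difference visible: does the rendered
// fragment still contain an unescaped <script> opening tag?
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample input (hypothetical author and body, not real data).
const SAMPLE_AUTHOR = "friend123";
const SAMPLE_BODY = "nice page! <script>x()</script>";

// Render the sample both ways and report whether raw script survived.
function demo() {
  const unsafe = renderCommentUnsafe(SAMPLE_AUTHOR, SAMPLE_BODY);
  const safe = renderCommentSafe(SAMPLE_AUTHOR, SAMPLE_BODY);
  return {
    unsafe,
    safe,
    unsafeHasScript: containsRawScriptTag(unsafe), // true
    safeHasScript: containsRawScriptTag(safe),     // false
  };
}

if (typeof require !== "undefined" && require.main === module) {
  const r = demo();
  console.log("unsafe:", r.unsafe);
  console.log("safe:  ", r.safe);
}
```

Escaping at the point of output is the general fix for this class of problem: the site keeps accepting arbitrary user text, but the browser is never asked to interpret it as markup. Sites that deliberately allow some formatting in comments need an allowlist-based sanitiser instead of blanket escaping, and the same principle applies to every other place user text lands (attribute values, URLs, inline script), each of which needs its own encoding rule.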