Database >> Wednesday May 07, 2008
Web 2.0 calls for a whole new approach

JAMES HEIN

We have spent a lot of time over the past weeks talking about Web 2.0 concepts and technologies. It is time to pause for a moment and consider where the industry is now as far as this subject is concerned.

Some people are concerned that with the growth of Web 2.0 implementations comes the risk of people taking your applications apart, finding ways to get at your data and gathering information on your user community. According to recent comments from Microsoft and HP, however, the greater risk at the moment is what they call "premature AJAXulation".

This condition is exemplified by a quick fix or update to your existing systems and sites that turns what you have into AJAX wonders overnight. It is the rush to the technology and the quick fixes that bring the most problems. Proper implementation of any system change requires careful thought and planning, and the architecture needs to be correct to minimise the risk of attack.

While some people focus on the new Web 2.0 attacks, they forget that Web 1.0 attacks will also work against Web 2.0 applications that have not been protected; a SQL injection attack, for example, will work just as well against Web 2.0 as against Web 1.0.

The industry is now facing the "used car" approach, where people claim to be able to Web 2.0-ify your existing applications in a very short time by "adding a wrapper". Some have suggested a physical response when someone says this. As an example of the problem, the authors of the recent book AJAX Security give a real example of code, five lines of it, and ask people to count the vulnerabilities.

The result? Seven of them, including the above-mentioned SQL injection, cross-site scripting, denial of service, a logic bomb, request forgery and privilege escalation. The problem is that the server application is divided up and put on the client in the hope that nobody will call the pieces out of order. It adds complexity, makes testing more difficult and makes it harder to catch the security issues.

The same book, from Addison Wesley, shows a simple auctioning service the authors found that was built with commonly recommended tools, which they then scan and hack using Firebug and some other standard tools. Using these tools they could call the APIs out of order so that their price would automatically be accepted without going through the bidding service. They also managed to make a booking without ever paying, among other tricks. It is worth reading through this if you can get hold of a copy.

Attacks like the good old denial of service (DoS) are still an issue with Web 2.0. They still affect Microsoft, Google and the other big players in the arena. They may not bring the site down, but they can still block access. If your page calls the functions of other pages through JavaScript, then a hacker will be able to find what are supposed to be hidden pages and perhaps the Admin site. Once an attacker has access there, passwords are no longer needed, because Admin functions may be exposed as simple JavaScript calls.
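As an added example (not code from the book or from this column), here is what the two problems above look like on the server side in JavaScript: the out-of-order API calls from the auction case, and an Admin function protected only by hiding its URL. The insecure pattern is shown beside a version where the server owns the workflow state and checks authorisation itself. All auction fields, session objects and function names are constructed for illustration.

```javascript
'use strict';
// Constructed server-side model of an auction service; nothing here is from a real site.

// Vulnerable pattern: the client drives the workflow and supplies the final price.
// Anyone can skip placeBid() entirely and call acceptPrice() directly with any value.
function acceptPriceInsecure(auction, price) {
  auction.sold = { price };          // trusts whatever the browser sent
  return auction.sold;
}

// Hardened pattern: the server owns the state machine and every fact about the sale.
function createAuction(sellerId, reserve) {
  return { sellerId, reserve, state: 'open', bids: [], sold: null };
}

function placeBid(auction, session, amount) {
  if (auction.state !== 'open') throw new Error('auction is not open');
  if (!Number.isFinite(amount) || amount < auction.reserve) throw new Error('bid below reserve');
  const bid = { id: auction.bids.length + 1, bidderId: session.userId, amount };
  auction.bids.push(bid);            // the bid lives on the server, not in the client
  return bid.id;
}

// Only the seller may close, and only a bid the server already recorded as highest can win,
// so calling this step first (or with an invented price) achieves nothing.
function acceptBid(auction, session, bidId) {
  if (session.userId !== auction.sellerId) throw new Error('not authorised');
  if (auction.state !== 'open') throw new Error('auction is not open');
  const bid = auction.bids.find(b => b.id === bidId);
  if (!bid) throw new Error('unknown bid');
  const highest = Math.max(...auction.bids.map(b => b.amount));
  if (bid.amount !== highest) throw new Error('not the highest bid');
  auction.state = 'closed';
  auction.sold = { bidderId: bid.bidderId, price: bid.amount };
  return auction.sold;
}

// Admin-style call: the role check is on the server, so discovering the URL is not enough.
function cancelAuction(auction, session) {
  if (session.role !== 'admin') throw new Error('not authorised');
  auction.state = 'cancelled';
  return auction.state;
}
```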

If, as an organisation or even a single-site writer, you are planning to move your site to AJAX, then remember the old saying "there is no silver bullet." You can't just make a few quick changes and sit back expecting a brand new Web 2.0 version of your site that is error free and hacker safe. Anyone who tells you otherwise is lying to you and out for a quick profit at your expense.

Instead, look at your existing architecture and where you want to go. Plan your transformation as a series of steps that ensure the result works, really follows the Web 2.0 paradigm and considers what needs to be done to protect your web pages, your data and your Administrator access. Remember too that simply converting a Web 1.0 system to an AJAX code base does not make it Web 2.0; it is not just a coding change but a different way of looking at what you are doing.

Email: jclhein@gmail.com.

© Copyright The Post Publishing Public Co., Ltd. 2008