Skip to content

Advancing Web 2.0 by Kicking It in the Teeth

Like most approaches to automated anything, as “Web 2.0” advances, it gets lazy. And as users adopt Web 2.0 “styles” of publishing, they assume the risk associated with that “laziness“. All growth markets suffer periodic “corrections”, but in the case of web publishing and security, a correction can be more like a Kick In The Teeth than a helpful reminder because it comes from security breeches and hacks and attacks. Is Web 2.0 about to get kicked? Take a look at this talk on the agenda for the current Black Hat security conference:

DAjax, Web Services and Rich Internet (Flash) are redefining application security scanning challenges and strategies. We are witnessing some emerging attack vectors like Cross Site Scripting with JSON, Cross Site Request Forgery with XML, WSDL scanning, XPATH injection with XML streams etc. This presentation will cover Web 2.0 attacks, new scanning tools for assessment and approaches for Web 2.0 code analysis with demonstrations. Professionals can apply knowledge in real life to secure Web 2.0 application layer.

This presentation will focus on core Web 2.0 security issues along with assessment toolkit developed by the presenter. 1.) It is imperative to analyze Web 2.0 application architecture with security standpoint. We will evaluate real life vulnerabilities with Google, MySpace and Yahoo. 2.) Web 2.0 technology fingerprinting is very critical step to determine application security posture. 3.) Crawling Ajax driven application is biggest challenge and we will cover approaches to address this critical issue by dynamic DOM event management with Ruby. 4.) Scanning Web 2.0 application for security holes is an emerging issue. It needs lot of JavaScript analysis with DOM context to discover XSS and XSRF vulnerabilities in Ajax and Flash with new attack vectors hidden in payload structures like JSON, XML, JS-Arrays etc. 5.) Addressing assessment methods and tools to discover security lapses for SOAP, REST and XML-RPC based Web Services along with innovative fuzzing.


  1. Dan Perry wrote:

    So, I’m thinking… cool.

    No, not cool.

    Guess it depends on you business.

    Monday, February 18, 2008 at 3:13 pm | Permalink
  2. Any vulnerabilities found affect us all as a whole online, regardless of what hat you wear. I am interested to see your update on this topic in the future. Knowledge is power, and those who don’t place their attention on these subjects or loopholes are only contributing to the problem (the old if I don’t see it, it doesn’t exist mentality). I am sure they will have some dandy workarounds and patches after this conference that could serve anyone interested in protecting their data as much others who wish to exploit it.

    Sunday, February 24, 2008 at 10:37 am | Permalink