
University of Zagreb
Central European Conference on Information and Intelligent Systems 2009
1 Introduction
2 WEB 2.0
3 Vulnerabilities of web 2.0 services
4 Methods of protection, detection and reaction


There is no single definition of Web 2.0. It appeared in 2004 as a logical
continuation of the web (1.0), and it was promoted by the O'Reilly
Media Group and Media Live International.

It introduced interactivity of users with services and the
exchange and active communication of web content.
Unlike standard PC platforms, this platform is the Internet
(Intranet) itself.
Users run applications on the Internet (or intranet) using an Internet
browser. There are many examples of its use, from
business applications
e-government
entertainment
e-education (e-learning)
to
e-tourism and e-industry.

RIA - Rich Internet Application

Web-based applications that were created and designed to have all the
functionality of a desktop application.
The process of execution is divided into the user part on the client side
and manipulation of data on the side of the application server.
This application runs inside the browser and does not require any additional
software installed. The only restriction can be plug-ins integrated in the browser.

AJAX – Asynchronous JavaScript and XML
It is a technology, not a programming language.
AJAX lets a web application receive data from the server "asynchronously" or
"intermittently" in the background.
Example – "Google Maps"...
Between HTML and servers AJAX uses JavaScript.
JS calls the server, acquires data, changes and manipulates data, without
the need for users to "refresh" or "reload" (F5).

Almost all prominent universities and institutions of higher education
in the world have greatly developed their e-platforms.
Behind these platforms there are usually hidden Web 2.0 services such
as "moodle", "weblog", "wikipedia", "forums", "chats", or even "youtube"
and "podcasting" services. Some of the key features and technologies
include AJAX, RSS, mashups, site maps, etc.
There are several main problems in the development of Web 2.0
applications:
The most important thing is "never believe a client and what he or
she submits in the application". The reason is simple: after input the
developer has no control over the data that comes back from the client
browser and does not know what happened with the code. JS can be easily
changed by the hacker, and the hacker can take data from the server.
The second problem is "mashups". It is the model that "mixes" and
combines data and services from several different sites and
displays them in the user's browser as a new service.
Some (all) influential portal owners (including Google) allow their API
(application programming interface) to be used through a gateway on
other web sites... That is how a "mashup" functions.
There is a security problem with "unwanted" and "unknown" data
flow.

Most frequent attacks during 2006, 2007, 2008:

SQL injection

XSS (Cross site scripting)

XSRF/CSRF (cross site request forgery)


73% of all reported and discovered vulnerabilities belong to
web technology!!!

"#$
%""
&"'() !
)*+ ,

SQL Injection is a great potential
danger.
This kind of attack uses SQL
sequences from SQL. A simple
SQL statement can give data
from the database to an attacker. There
is a simple reason for that.
The application is made in a way that it
does not validate input prior to
processing. SQL injection can be performed
from the address bar, a search form or a
login form...

[Figure: search form at www.some-target-site.com with the input some' OR 1=1 --]

www.some-target-site.com/index.asp?id=some' OR 1=1--
SELECT * FROM users WHERE
username='some' OR 1=1-- AND password='some' OR 1=1--
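The "never believe a client" rule from the e-platforms slide and the index.asp example above both come down to the same defect: the submitted value is pasted into the SQL text, so the quote and the `--` comment rewrite the query. The following is an added example, not code from the original slides, written in Python against an in-memory SQLite table with constructed rows. It shows the string-concatenated login the slide describes beside a parameterized one, so the same `some' OR 1=1 --` input can be compared on both:

```python
import sqlite3

# Constructed sample table, not from the original slides. Passwords are stored
# in clear text only to keep the demonstration short; a real application stores
# a salted hash and compares against that.
DB = sqlite3.connect(":memory:")
DB.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
DB.executemany(
    "INSERT INTO users (username, password) VALUES (?, ?)",
    [("alice", "pw-alice"), ("bob", "pw-bob"), ("carol", "pw-carol")],
)
DB.commit()


def login_vulnerable(username, password):
    """Builds the statement by concatenation, as the slide's index.asp does.

    With username = "some' OR 1=1 --" the statement becomes
        SELECT ... WHERE username='some' OR 1=1 --' AND password='...'
    The quote closes the literal, OR 1=1 is always true and -- comments out
    the password check, so every row is returned.
    """
    sql = (
        "SELECT id, username FROM users WHERE username='"
        + username
        + "' AND password='"
        + password
        + "'"
    )
    return DB.execute(sql).fetchall()


def login_safe(username, password):
    """Passes the values as bound parameters.

    The driver sends the statement and the values separately; the quote and
    the -- inside the username are just characters to compare against, never
    SQL syntax, so the injected input simply matches no user.
    """
    sql = "SELECT id, username FROM users WHERE username=? AND password=?"
    return DB.execute(sql, (username, password)).fetchall()


def compare(payload="some' OR 1=1 --"):
    """Run the same hostile input through both versions and a legitimate login."""
    return {
        "vulnerable_rows": len(login_vulnerable(payload, "anything")),
        "safe_rows": len(login_safe(payload, "anything")),
        "legit_rows": len(login_safe("alice", "pw-alice")),
    }


if __name__ == "__main__":
    print(compare())  # {'vulnerable_rows': 3, 'safe_rows': 0, 'legit_rows': 1}
```

Parameter binding removes the injection at the point where data meets SQL; input validation (length, allowed characters) is still worth doing on top, but it is not a substitute, because the developer cannot know what the client will send.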

XSS, like SQL injection, is associated with
unwanted data flow. The attacker inserts
malicious code into existing,
dynamically generated web pages.
When an uneducated user clicks on the page,
malware is executed on the computer.
The hacker can take control over the computer/system.

[Figure: http://www.some-real-site.com redirecting the user to www.hackers-site.com]

http://www.some-target-site.com/search.php?text=
<script> document.location("http://hackrs-site.com/phishing_login.php")
</script>

JS or VB Script
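The search.php example above is reflected XSS: the `text` parameter is echoed into the page without encoding, so the browser parses the submitted `<script>` tag as markup. The following is an added example, not code from the original slides; it is Python (the slide's page is PHP, the server language does not matter for the principle) and uses a constructed payload of the same shape. It renders the parameter once unencoded and once encoded for the HTML context, and adds a Content-Security-Policy header as a second layer:

```python
import html

# Constructed payload, the same shape as the slide's search.php example.
PAYLOAD = '<script>document.location("http://hackrs-site.com/phishing_login.php")</script>'


def render_vulnerable(text):
    """Echoes the search parameter straight into the page (reflected XSS)."""
    return "<h1>Results for: " + text + "</h1>"


def render_safe(text):
    """Encodes the parameter for the HTML context before echoing it.

    html.escape(quote=True) turns < > & " ' into entities, so the value is inert
    both in element text and inside a quoted attribute such as the search
    box's value="..." (the attribute needs quote=True; without it a closing
    quote could still break out of the attribute).
    """
    escaped = html.escape(text, quote=True)
    return (
        "<h1>Results for: " + escaped + "</h1>\n"
        '<input type="text" name="text" value="' + escaped + '">'
    )


def security_headers():
    """Second layer: forbid inline scripts and scripts from other origins.

    Even if an encoding slip lets markup through, a browser honouring this
    policy will not run an inline <script> or load one from hackrs-site.com.
    """
    return {"Content-Security-Policy": "default-src 'self'; script-src 'self'"}


def contains_script_tag(page):
    """Crude check used only to show the difference: did a real <script> survive?"""
    return "<script>" in page.lower()


if __name__ == "__main__":
    print(contains_script_tag(render_vulnerable(PAYLOAD)))  # True
    print(contains_script_tag(render_safe(PAYLOAD)))        # False
    print(render_safe(PAYLOAD))
```

Encoding must match the context the value lands in: HTML text and attributes as shown here, but a value placed inside a JavaScript block or a URL needs its own encoding, and a value that is itself meant to be a URL should additionally be checked for an allowed scheme.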

CSRF – "Cross site request forgery"
is a type of attack where an
attacker uses "vulnerability of the
web sites that believe its users or
client". CSRF uses "betray the trust
that a website has in its users".
Unlike XSS, CSRF does not
require (but can) malicious
script to be injected into a trusted
page; the user needs just to visit a
malicious web site.

[Figure: CSRF diagram. CSRF host www.hackers-site.com serves a page with JS or VB Script
containing an <img src=...> tag; the victim's browser has an open, logged-in connection
to the target http://www.webmailserver.com; steps shown: Open connection, Login,
Request to target site, Response.]
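The diagram above works because the browser attaches the victim's session cookie to any request the malicious page triggers, including the one from an `<img src=...>` tag, and the target server cannot tell that request from one the user meant to make. The following is an added example, not code from the original slides, written in Python with the standard library. It assumes a session identified by a session ID cookie and shows the usual mitigation: a per-session anti-CSRF token that the server derives with an HMAC, embeds in its own forms, and requires on every state-changing request, together with refusing to change state on GET at all:

```python
import hashlib
import hmac
import secrets

# Server-side key generated at start-up. Constructed for the example; a real
# deployment loads it from configuration so that tokens survive restarts.
SERVER_KEY = secrets.token_bytes(32)


def issue_token(session_id):
    """Derive the anti-CSRF token for one session.

    The token is bound to the session ID with an HMAC, so a token obtained
    under the attacker's own session is useless against the victim's, and
    the server need not store anything per session.
    """
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def token_valid(session_id, presented):
    """Constant-time comparison of the presented token against the expected one."""
    if not presented:
        return False
    return hmac.compare_digest(issue_token(session_id), presented)


def render_logout_form(session_id):
    """The server's own page embeds the token; a page on hackers-site.com cannot
    read it, because the same-origin policy keeps the form's HTML from it."""
    return (
        '<form method="POST" action="/logout">'
        '<input type="hidden" name="csrf_token" value="' + issue_token(session_id) + '">'
        '<input type="submit" value="Log out"></form>'
    )


def handle_logout(method, session_id, form):
    """State-changing endpoint, e.g. /logout on the webmail server.

    method      HTTP method of the incoming request
    session_id  value of the session cookie the browser attached
    form        submitted form fields as a dict
    """
    if method != "POST":
        # An <img src="http://www.webmailserver.com/logout"> sends a GET;
        # refusing state changes on GET defeats that variant outright.
        return "rejected: state change via GET"
    if not token_valid(session_id, form.get("csrf_token")):
        # A forged POST (e.g. an auto-submitted form on the malicious site)
        # carries the cookie but not the token the server put in its own form.
        return "rejected: missing or invalid token"
    return "logged out"


if __name__ == "__main__":
    sid = "victim-session"
    print(handle_logout("GET", sid, {}))
    print(handle_logout("POST", sid, {}))
    print(handle_logout("POST", sid, {"csrf_token": issue_token("attacker-session")}))
    print(handle_logout("POST", sid, {"csrf_token": issue_token(sid)}))  # logged out
```

The token check relies on the malicious page being unable to read the target's responses, which holds under the browser's same-origin policy; modern browsers add the SameSite cookie attribute as a further layer, but the token remains the check the server can verify itself.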

Malware is the term that describes malicious code
that damages computers in every possible way.
The number of attacks on systems and malware
is increasingly growing, and today every 15
seconds a new malicious web site is discovered
in the world.
Five new "scareware" web sites are identified
every day. The U.S.A. is one of the top countries
that "host malware" (37%). It is followed by
China with Hong Kong (27.7%) and Russia
(9.1%).

S_IS = Security of Information System

S_IS = S_PE ∪ S_PH ∪ S_LO

S_PE - Personnel Security
S_PH - Physical Security
S_LO - Logical Security

Considering the fact that 73% of reported and discovered
recent "intrusions" into the systems have been made by
failures that happen in web technology and web applications,
this article emphasizes S_PE (Personnel Security).
The article tried to give specific instructions to developers,
administrators, final users and managers in order to increase the
number of steps that a malicious user has to pass to reach our
information system.
The author also pointed out the things that we need to pay attention
to and gave some recommendations that could be used and
installed into the individual model of development and success of a
"safer" IS.
Companies should definitely do an "update" of their documents
called "Security Policy" and "Principles of IS Security".
It is also recommended to do a detailed audit of all information
systems - "penetration testing"...
The most important thing in the whole process is the implementation of
IS security measures and policies.

Only one exception or failure can be fatal to the whole system.

