
Web 2.0 security

Web 2.0 security. Kushal Karanjkar, under the guidance of Prof. Richard Sinn. What is Web 2.0? The second generation of the World Wide Web: the transition of the web into a computing platform, social networking sites, communication tools and other internet-based services.



Presentation Transcript


  1. Web 2.0 security. Kushal Karanjkar, under the guidance of Prof. Richard Sinn

  2. What is Web 2.0?
  • Second generation of the World Wide Web.
  • Transition of the World Wide Web into a computing platform, social networking sites, communication tools and other internet-based services.
  • Download and upload (distributed developer)
  • Simple, interactive, attractive
  • Facebook, Wikipedia, MySpace, eBay.

  3. Web 2.0 Architecture (diagram)
  • Content sources: News, Document, RSS feeds, email, BLOG
  • Web Client: Ajax, Flash (RIA), HTML/CSS, JS, DOM
  • Transport over the Internet: HTTP/HTTPS carrying SOAP, REST, XML-RPC
  • Web Server: scripted web engine; Web Service | Ajax; SOA | SAAS, API
  • Back end: Web Services, Application server, Database, Web service Endpoint

  4. Web Security Threats
  • Cross-site scripting
  • XML Poisoning
  • Malicious Ajax Code Execution
  • RSS injection
  • Dynamic Code Obfuscation
  • WSDL Scanning and Enumeration
  • Client Side validation in AJAX routines
  • Web services routing
  • Parameter manipulation
  • XPATH injection in SOAP message

  5. Dynamic Code Obfuscation
  • Attack: code obfuscation using an encryption algorithm
  - The attacker places encrypted code on the user's computer and destroys the user's data.
  - It is difficult to detect the actual (malicious) code embedded in the web page.
  - Antivirus products cannot detect it.
  • Solution: de-obfuscation
  - A reverse-engineering process in which the obfuscated code is decrypted back to the original code.

  6. Dynamic Code Obfuscation (diagram): Network → De-Obfuscator → SECURED WEB SITE

  7. !! WARNING !! Demo Network De-Obfuscator

  8. Cross site scripting
  • Dynamic content
  • Input parameter from the user, displayed on the same page
  • Malicious JavaScript code from a particular web site gets executed in the victim's browser
  Demo (mock login page "Welcome to Web.com" with Username and Password fields, Submit, Cancel and "New User SignUp!" controls):
  Normal case: response.sendRedirect("login.jsp?ErrorMessage ("invalid username")");
  Attack case: response.sendRedirect("login.jsp? ErrorMessage (){ </script>< form action="WrongWeb.jsp" method =Post ><script> };

  9. Detection:
  • Can be detected easily by many single-user detection firewalls.
  • Look for the </script pattern in user input.
  Suggested Solution:
  • Do not display JavaScript when it is not required.
  • Filter user input wherever there is a chance of attack.
  • Encode output based on the input coming from the user.
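Slides 8 and 9 together describe a reflected XSS in the ErrorMessage parameter of login.jsp and the two fixes (stop emitting script, encode output). The following Python is an added illustration, not code from the slides: it models the JSP page's echo as a string template, applies the slide-9 `</script` signature as a detection check, and shows the raw rendering beside the encoded one. The request URLs and the `ErrorMessage(...)` template are constructed to match the slide, not taken from a real application.

```python
import html
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample requests modelled on the slide's login.jsp?ErrorMessage redirect.
# The second one carries the slide's </script><form ...><script> payload, URL-encoded.
SAMPLE_REQUESTS = [
    "login.jsp?ErrorMessage=invalid+username",
    "login.jsp?ErrorMessage=%3C%2Fscript%3E%3Cform+action%3D%22WrongWeb.jsp%22"
    "+method%3DPost%3E%3Cscript%3E",
]

# Slide-9 signature: a closing </script tag in user input (case-insensitive, tolerant
# of whitespace). A detection aid only; it does not replace output encoding.
SCRIPT_BREAKOUT = re.compile(r"<\s*/\s*script", re.IGNORECASE)


def extract_error_message(request_url):
    """Return the URL-decoded ErrorMessage query parameter ('' if absent)."""
    params = parse_qs(urlparse(request_url).query)
    return params.get("ErrorMessage", [""])[0]


def looks_like_script_injection(value):
    """Slide-9 style check: does the decoded parameter try to close a script block?"""
    return SCRIPT_BREAKOUT.search(value) is not None


def render_vulnerable(error_message):
    """login.jsp as on slide 8 (hypothetical template): the parameter is dropped raw
    inside a <script> block, so a value containing </script> terminates that block
    and whatever follows is parsed as markup."""
    return '<script>ErrorMessage("%s");</script>' % error_message


def render_hardened(error_message):
    """Slide-9 fixes applied: no script is emitted for a plain message, and the value
    is HTML-encoded so <, >, " and ' cannot open tags or attributes."""
    return '<span class="error">%s</span>' % html.escape(error_message, quote=True)


if __name__ == "__main__":
    for url in SAMPLE_REQUESTS:
        msg = extract_error_message(url)
        print("flagged" if looks_like_script_injection(msg) else "clean  ", repr(msg))
        print("  vulnerable:", render_vulnerable(msg))
        print("  hardened:  ", render_hardened(msg))
```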

  10. Conclusion
  • Web 2.0 is an emerging technology.
  • Web Services such as AJAX and RIA have improved the overall effectiveness and efficiency of web applications.
  • Increased Web 2.0 security awareness, secure coding practices and secure deployments offer the best defense against any attack.

