Q&A: What to Do About Web 2(.0)

Everyone's talking about Web 2.0 security. But what can you really do about it? In an exclusive interview, Amichai Shulman, co-founder and CTO of Imperva and one of the Web's most widely-recognized security researchers, spoke with Dark Reading senior editor Kelly Jackson Higgins about the emerging risks in Web 2.0, and how organizations can protect themselves.

Figure 1: Amichai Shulman, co-founder and CTO, Imperva

DR: In the spirit of Web 2.0 security education, let's define the term "Web 2.0," which seems to be a moving target sometimes. How do you define these types of applications?

Shulman: We've [Imperva's Application Defense Center research group] identified three major Web 2.0 terms. The first is rich interface applications, which everyone calls Ajax, but there are other technologies involved in this... sometimes flash, etc. These make Web apps more user-friendly and GUI-oriented, so there's less clicking.

The second is RSS, which is now evolving into mashups, and all this stuff. The third area is user participation -- the server-side technology, and a behavior where users build up the content and destruction of Web apps, like YouTube, MySpace, LinkedIn, etc.

DR: Where among these types of Web 2.0 apps have you witnessed security threat activity?

Shulman: We've seen Ajax-enriched and user-participation type applications [targeted]. There have been some threats to mashups, but those are more client-side related threats, not in the scope of Web apps security. With a lot of application logic moving toward clients, the line between the client and server side is blurring... We're seeing all types of threats coming back in.

DR: What's the nature of the security problem with the Web 2.0 model?

Shulman: Things related to bad session management, given that access control is on the client side rather than at the server side. The same old threats here are coming back, and are stronger, because programmers are putting security logic on the client side and leaving the server vulnerable. This is a larger attack surface.

Because this type of app is composed of much smaller modules, each having a specific function, it needs to be secured, and the probability of having an unsecured module rises... And with Ajax, an administrator doesn't see the URL generated by your client app. Everything happens behind the scenes... It becomes really hard to understand the logic and structure you have to protect.

It's not that Web 2.0 is introducing new vulnerabilities, but making app security harder to implement.

DR: So what specific vulnerabilities can these applications have?

Shulman: We're seeing more session management issues... An unauthenticated client can join the access-protected areas of the server. Forceful browsing to bypass authentication is probably the most common of the [session management-type] attacks.

Basically, the attackers are subverting the application logic but not following the flow as was intended by the programmers. SQL injection is big, as is parameter-tampering. Other types of threats are cross-site scripting [XSS], cross-site request forgery [CSRF]. XSS happens when the client-side logic regards information from the server as something that should be executed... While XSS existed before Ajax apps, it has become more common with them. The same goes for user-participation type apps. The more users affect the content of the site and are able to put JavaScript into the site, the more mobile code can be executed on the client side.

DR: What recent attacks best illustrate the Web 2.0 security threat?

Shulman: The most famous incident was the Samy worm in MySpace. And there was a Gmail XSS and CRSF vulnerability that abused some Google capabilities.

DR: What technologies today can help protect organizations from Web 2.0-based attacks?

Shulman: For the past two years, the way to protect Web apps has been with Web app firewalls. But can they handle the threat scenarios of Web 2.0?

DR: Not all WAFs are equipped for this. What features do they need?

Shulman: They [need to] mitigate session management, parameter-tampering, cookie-tampering, which our products do. We [Imperva] also have a strong XSS and CSRF engine, and a profiling engine, so you don't have to know your app in order to protect it.

DR: Should end users be taking some of the responsibility for security with these apps?

Shulman: I don't believe in user education. I spent my first few years [in this industry] trying to educate users in the military on security... That should be easier, but it never worked. There's not much you can do with user education.

DR: What are some best practices you recommend for mitigating Web 2.0 attacks?

Shulman: This should be a high priority for anyone launching Web-based apps in the next two years.

Always have your security logic on the server. Sanitize user input prior to use. Augment your internal application security with an external Web application firewall.

Input sanitation is probably the most prominent of all. That is, remove from user input any characters that are not expected per that specific input. But although this is a key mitigation technique, it is hard to implement in real-world applications, where you have thousands of input fields with different characteristics.

Another key mitigation technique is proper session management using session cookies with a random value.

I think application owners need to be sure apps are safe, and not vulnerable to XSS and CSRF and that they have proper session management. They can do this by building better apps, which is hard, or by using Web application firewalls.

And 50 percent of the solution is understanding the problem.

Imperva tomorrow will announce a free March 14 Webinar on best practices for Web 2.0 applications, plus a free White Paper that spells out the specific vulnerabilities and how to prevent falling victim to them.

— Kelly Jackson Higgins, Senior Editor, Dark Reading