
The Vulnerability of Web 2.0 Technologies

By Marisa Peacock
Mar 5, 2008

Web 2.0 technologies are fraught with vulnerabilities. Seventy-one percent of all reported security vulnerabilities were attributed to Web applications, both open source and commercial, according to a report by security firm Cenzic Inc., “Application Security Trend Report for Q4 2007.”

But before you freak out, let’s put this in perspective. Cenzic is a security firm that sells products boasting “complete web application security vulnerability management, and security enforcement assessment software.” With software like that to sell, its report surely isn’t going to tell you that Web apps are safe and secure.

That’s fine, because, as we all know, they are not. So let’s take a look at the findings.

  • Applications written in PHP account for roughly 30 percent of all reported vulnerabilities.
  • Roughly 70 percent of the reported vulnerabilities are easily or trivially exploitable.
  • Vulnerabilities in Web server or Web application server technologies made up around 10 percent of the total reported Web application vulnerabilities.
  • Vulnerabilities in Web browsers made up roughly 5 percent of the total reported application vulnerabilities, down three percent from Q3 2007.


The report also examined Web application hacking techniques, which showed “a continuing sophistication” among hackers seeking to “exploit client-side security issues.” While many of these attacks used malicious code embedded within compromised Web applications, JavaScript-based hacking techniques emerged as well.

From its research, Cenzic selected the Top Five Web hacking trends of 2007:

  • JavaScript Trickery: Hiding, Anti-Pinning, and Mutating
  • Universal XSS in Adobe Acrobat Reader
  • Mass-SQL Injection Worm
  • Google Gadgets, and Gmail Hacks
  • Orkut XSS Worm

Ultimately, after analyzing vulnerabilities by high-level category and Web browser, and probe and attack data by incident, category, sector and attacker motivation, Cenzic concluded that:

“Despite the growing importance that many organizations place on protecting confidential user data, architectural and design flaws, as well as insecure application configurations are still common culprits in the exposure of sensitive user information.”

It’s hardly revolutionary to suggest that any new technology will bring vulnerabilities with it. It’s unsettling, but not unexpected. It’s a lesson in due diligence and in keeping up to date with the latest releases and news.

Like other crucial elements of the user experience, the security of your web applications is not one to let fall by the wayside.

Comments

Universal XSS in Adobe Reader!!?? That’s news to me. Sounds very interesting... and quite worrying, as I’d tend to blindly accept PDFs (apart from email attachments, obviously). I wonder where the vulnerability is here, i.e. if I keep my reader up to date, am I safe?

Re: Orkut, in fairness MySpace and Facebook have had XSS problems, and probably most other high-volume networking/interactive/service/application sites have had them as well. It seems like a vulnerability that’s very difficult to lock down for highly interactive sites.

I also heard something about Gmail cracking, but never got to the bottom of it. Again, interesting stuff.

Posted by: john conroy on March 6, 2008 9:52 AM
