My Web 2.0 Top Security Threats List
I have written for the Open Group's Secure Enterprise 2.0 group a white paper about Web 2.0 security threats.
Discussing Web 2.0 security is difficult as Web 2.0 itself is somewhat blurry term. Most discussion on Web 2.0 security tends to be on the technical level, however Web 2.0 is not a technology, but rather a concept. When researching the issue, I was surprised to find out that Tim Barnes-Lee's, the Web conceiver views the original web as the 1st Web 2.0 implementation. After considering this, I tend to agree. Wikis are for sure a Web 2.0 application and they exist since 1994.
I tried to offer a non-technology driven analysis of Web 2.0 security, and stated by defining what Web 2.0 is. I came up with the following attributed of Web 2.0 which are relevant for analyzing the security threat:
- User Generated Content
- Mashups and Web Services.
- Consumer and enterprise worlds convergence.
- Diversity of client software
- Complexity and asynchronous operation.
Based on this I came up with my list of top Web 2.0 security threats:
- Insufficient Authentication Controls
- Cross Site Scripting (XSS)
- Cross Site Request Forgery (CSRF)
- Information Leakage
- Injection Flaws
- Information Integrity
- Insufficient Anti-automation
While the list includes some common web vulnerabilities such as XSS, Injections and CSRF. It highlights some new threats that are harder to mitigate and may fall into the realm of logic issues such as insufficient authentication and anti-automation. To top that, the abstract nature of Web 2.0 makes something like phishing, not usually associated with web applications into a Web 2.0 problem.
More details, exploit scenarios and real world examples in the full document.