Chapter 3. Making Web 2.0 Sites Secure

Organisations need to understand and respond to the security issues which Web 2.0 technologies bring. Hacking attacks can, for instance, be prevented by ensuring that Web 2.0 code is developed securely. Gartner say[18] that organisations need to look at application development processes and ensure that security forms part of the Web application development process at the requirements gathering stage.

Ajax security issues

Ajax (Asynchronous JavaScript and Extensible Markup Language or XML) is a set of technologies which enable greater processing to be carried out on the client computer, rather than on the server. In the traditional Web application, the user clicked and then waited some number of seconds for the server to respond and refresh the page. In contrast, Ajax-enabled web pages are far more reactive, giving the user the appearance that pages are updating instantly. This is illustrated by the application ‘Google Maps’, where the page and map are refreshed instantly as the cursor is moved. Ajax is not a new technology, but rather a combination of existing technologies being used in a new way.

Ajax introduces security vulnerabilities through the increased number of Ajax endpoints, Ajax bridges and Ajax frameworks that it brings with it.

In contrast to typical Web 1.0 applications, Ajax applications send a greater number of smaller requests to the server which, in turn, create many more points of input. The inputs are also referred to as Ajax endpoints. The greater number of endpoints provides greater opportunities for traffic to be attacked.

Figure 1. Figure depicting the trend in the increased number of calls to the web server from Web 1.0 to Web 2.0

Ajax bridges also create a security risk. Ajax bridges enable connections between Ajax and third party websites. An attack can occur through malicious requests from one site to another through an Ajax bridge. In addition, the traffic from one site to another may not be checked because it is thought to be trusted.

Furthermore, Ajax frameworks such as prototype.conio.net or script.aculo.us, which can simplify development of Ajax applications, ‘do not address security issues in a rigorous manner’ according to Clearswift.

Secure Web development

More technical and specific recommendations for preventing SQL injection attacks can be found on the Sophos and Microsoft web pages. Microsoft suggest the following[19]:

  • Use SQL Parameterised Queries

  • Use Stored Procedures

  • Use SQL Execute-only Permission.
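The following Python snippet is an added illustration of the first recommendation and is not taken from Microsoft's guidance or from this report. It uses the standard library's sqlite3 module against a constructed in-memory table to contrast a query assembled by string concatenation with a parameterised one:

```python
import sqlite3

# Constructed sample data: a tiny in-memory user table standing in for a
# Web 2.0 site's backend. No real schema or credentials are involved.
USERS = [("alice", "alice@example.org"), ("bob", "bob@example.org")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_concat(conn, name):
    """Vulnerable pattern: the request parameter is spliced into the SQL text,
    so quote characters in the input change the structure of the query."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn, name):
    """Hardened pattern: a parameterised query. The driver sends the input as a
    bound value, never as SQL text, so quotes and keywords inside it are
    compared literally against the column."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(name):
    """Return (rows from the concatenated query, rows from the parameterised query)."""
    conn = make_db()
    return lookup_concat(conn, name), lookup_param(conn, name)


if __name__ == "__main__":
    # An ordinary request returns the same single row either way.
    print(compare("alice"))
    # A value containing SQL metacharacters behaves differently: the
    # concatenated query's WHERE clause is rewritten and returns every row,
    # while the parameterised query looks for a user literally named that way.
    print(compare("x' OR '1'='1"))
```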

Recommendations for preventing XSS attacks can also be found on www.SearchSecurity.com. SearchSecurity.com also provides a general guide for protection against Web application and hacking attacks, including safe coding guidance.

Google have also announced that they intend to introduce warnings for potentially hackable sites[20]. The aim of this is to alert website administrators[21] to vulnerabilities caused by outdated versions of their Web applications, starting with WordPress[22]. Google have also provided a ‘Safe Browsing Diagnostic’ page. Dancho Danchev from ZDNet has reported that this can provide key benefits for administrators of websites[23].

Protecting users and companies from user entered content

Users need to be protected from posting content to websites that is defamatory, libellous, offensive or threatening, that breaches confidentiality or that causes reputational damage. Website administrators need to consider not only protecting themselves from legal infringements, but also protecting users of websites from themselves. This means not just making a privacy policy available in the small print and thereby hoping to absolve the company of responsibility, but also creating appropriate field validation and putting up timely and easy to read warning notes for users.

Customers may post comments or photographs to a website which for legal reasons might later have to be removed; the following issues should therefore be considered as part of the overall compliance profile of the website:

  • There would need to be the facility to search for every single illegal contribution that a user had made on the website. It is a fairly common feature of Wiki software, for instance, to track comments made by a user, and as such it should be perfectly possible to delete all content from an individual user.

  • Websites must make it clear that they are not responsible for content (which includes any payload carried by that content) downloaded from the website to other websites. Website administrators need to make it clear that they do not accept comments which are libellous or defamatory, and ensure that users take responsibility for content that they post to a website. A good example is provided by the ‘comments policy’ posted on the ‘Economist’ website.

    Figure 2. Example comments policy from the Economist website

    Kev Brace from JISC legal reports[24] suggests that website administrators should provide guides and protocols which ensure fairness for all users. JISC legal information service also suggests that user profiles can be set up to use the user’s name or an alias[25]. The advantage of using an alias is that this protects the actual name of the user[26] from exposure and compromise.

  • Websites need to have clear statements that they are unable to guarantee the deletion of anything posted to their website which for any reason a user later wants deleted.

The BSI PAS 78 Web Accessibility Standards have been developed by the former UK Disability Rights Commission (DRC) in collaboration with the UK British Standards Institute (BSI). This publicly available specification (PAS) outlines good practice in commissioning websites that are accessible to and usable by disabled people[27]. It is applicable to all public and private organisations that wish to observe good practice under the existing voluntary guidelines and the relevant legislation on this subject. It is intended for use by those responsible for commissioning public-facing websites and web-based services. It is relevant to all Web 2.0 sites, as these are designed with user participation in mind.

The areas that PAS 78 covers include:

  • how disabled people use websites

  • defining the accessibility policy for the website

  • Web technologies

  • accessibility testing and maintenance

  • contracting Web design and accessibility auditing services.

It provides recommendations for:

  • the management of the process of, and guidance on, upholding existing W3C guidelines and specifications

  • involving disabled people in the development process and using the current software-based compliance testing tools that can assist with this.

Internet good practice

In addition to the recommendations provided above, the UK has launched Internet good practice guidelines. Whilst these are not enforceable in law, they nevertheless provide recommendations for good practice. These recommendations have been endorsed by industrial sponsors which include AOL, Microsoft, O2, the BBC, MySpace, T-Mobile, Vodafone, Google, Yahoo and Orange.

The UK launched the Good Practice Guidance for Providers of Social Networking and Other User Interactive Services in the House of Lords in April 2008[28]. The following sections describe the recommendations given.

General principles: Make safety information available during the registration process, prominent on the homepage and in appropriate places within the service (e.g. in a welcome e-mail/ message).

Include instructions for tools which can help protect the user to maintain their privacy and prevent unwanted contact or communication, such as:

  • ‘Ignore’ functions;

  • removing people from their ‘friends’ or contact list; and

  • how to review and remove unwanted comments on their site.

Editorial responsibility: Ensure that advertising displayed on social networking services within the European Union is compliant with the Unfair Commercial Practices Directive. (www.berr.gov.uk/consumers/buyingselling/ucp/index.html)

Registration: Provide clear information about how details collected in registration will be used, including what information will appear on their profile, what will be public, and what will be private. Users should then be given the opportunity to hide, limit availability to, or edit this information.

Carefully consider the implications of automatically mapping across personal information disclosed during registration to the user’s profile. In this instance users should be informed of this process to afford them the opportunity to hide, limit availability to, or edit their personal information.

Capture an IP address, MSISDN or unique identifier (for mobile devices) with a date and time stamp at registration, and refresh it regularly with repeated use of the service, including at each login, again with a date and time stamp. This measure can improve the traceability of both registered and unregistered users (e.g. those leaving comments in a user’s guest book).

Set the default for full profiles to ‘private’ or to the user’s approved contact list for those registering under the age of 18. A setting to private should ensure that the full profile cannot be viewed or the user contacted except by ‘friends’ on their contact list unless they actively choose to change their settings to public or equivalent.

Prompt the user and require their consent before integrating or ‘scraping’ one or more existing address books, contact lists or ‘friends’ list (e.g. e-mail or IM). This should remain under user control, as a user may not necessarily wish for ‘friends’ approved in one service to also be ‘friends’ in a social networking service.

Consider reminding users to review their contact lists on a regular basis to ensure that their ‘profile’ is shared as they wish.

User profile and controls: Inform users in a prominent place what information they submit to their profile will be made public and what will be private. Users should be supported to understand the implications of the profile settings. For example, inclusion of a symbol (such as a lock or a key) may enable users to quickly identify the status of their personal details.

Inform users of the available options for how their profile or web page can be searched by others either on the site or through search engines. The option of a public profile on the site which is not searchable via search engines should be offered to all users.

Provide warnings to users about uploading photos to their profile. Provide advice to users about the implications of posting certain information – both from a safety and responsible use perspective. For example, the implications of posting or using:

  • personal data which may identify their home address, especially in open profiles;

  • images which contain location information, especially in open profiles;

  • images of other people without first obtaining their permission; and

  • inappropriate user names and images.

Inform users and make it as clear as possible what options users have to adjust privacy settings and to manage ‘who sees what’ and whom they interact with. For example, these settings could include features which allow users to select who can leave comments or post content on their pages. Consider making privacy settings available for all aspects of the service for such things as journals, blog entries, image galleries and guest books.

Filtering

Filtering controls enable all traffic to be scanned for malware and illegal or inappropriate use of the website.

There are now filtering technologies available on a ‘Software as a Service’ (SaaS) basis.

Web filters can be used to discover, remove and terminate threats from spyware, adware and malware.

Web filtering can also be carried out according to ‘payload identification’. Payload, within the context of Web filtering, is the amount of damaging material contained within a packet of data. Identifying Web traffic and file payload provides the following benefits:

  • Organisations can set policies on individual files that are or are not allowed to be received or sent by users, and to where.

  • Organisations can set policies on file transfers depending on the direction in which they are travelling. This is particularly important for office-type documents being sent to WebMail sites.

  • Security controls are not fooled by false data types. One of the means by which malware and spyware can be downloaded is by masquerading as a different file type, one which is recognised as safe.

  • Content that breaches policy – such as that containing the word ‘confidential’, project names, credit card numbers, personally identifiable information, DRM tags, watermarks and so on – is easily identifiable.
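As an added example that is not part of the original report, the Python below sketches how a gateway might apply the direction, false-data-type and content-marker rules from the list above. The signature table, the webmail host list and the policy terms are all constructed for illustration:

```python
# Constructed signatures and policy terms for illustration; a real gateway uses
# a much fuller signature table and its own policy vocabulary.
MAGIC = {
    b"MZ": "exe",                    # Windows executable
    b"%PDF-": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip",            # also the container for .docx/.xlsx/.pptx
}
EXT_TYPES = {"exe": "exe", "pdf": "pdf", "png": "png", "zip": "zip",
             "docx": "zip", "xlsx": "zip", "pptx": "zip", "jpg": "jpg", "txt": "text"}
OFFICE_EXTS = {"docx", "xlsx", "pptx"}
WEBMAIL_HOSTS = {"webmail.example"}                       # hypothetical destination list
SENSITIVE_MARKERS = (b"confidential", b"project hydra")  # hypothetical policy terms


def identify_payload(data: bytes) -> str:
    """Type the content by its leading bytes, ignoring the filename entirely."""
    for signature, kind in MAGIC.items():
        if data.startswith(signature):
            return kind
    return "unknown"


def check_transfer(filename: str, data: bytes, direction: str, host: str) -> str:
    """Return 'allow' or a 'block: <reason>' string for one file transfer."""
    ext = filename.rsplit(".", 1)[-1].lower()
    declared = EXT_TYPES.get(ext, "unknown")
    actual = identify_payload(data)
    # Masquerading case: a recognised payload whose real type differs from the declared one.
    if actual != "unknown" and actual != declared:
        return f"block: {filename} declared {declared} but payload is {actual}"
    # Direction-aware rule: office documents leaving for a webmail site.
    if direction == "outbound" and ext in OFFICE_EXTS and host in WEBMAIL_HOSTS:
        return f"block: office document {filename} outbound to webmail"
    # Content markers that breach policy, matched case-insensitively.
    if direction == "outbound" and any(m in data.lower() for m in SENSITIVE_MARKERS):
        return "block: policy marker found in outbound payload"
    return "allow"


# Constructed sample transfers standing in for gateway traffic.
SAMPLES = [
    ("report.pdf", b"%PDF-1.4 sample body", "inbound", "intranet.example"),
    ("holiday.jpg", b"MZ\x90\x00 not really a photo", "inbound", "cdn.example"),
    ("q3.docx", b"PK\x03\x04 zipped office document", "outbound", "webmail.example"),
    ("notes.txt", b"Project Hydra budget - CONFIDENTIAL", "outbound", "paste.example"),
]

if __name__ == "__main__":
    for name, payload, direction, host in SAMPLES:
        print(name, "->", check_transfer(name, payload, direction, host))
```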

Payload content analysis enables policies to be set on any traffic generated using files, blogs and IM between an individual browser and Web 2.0 applications.

The type of malware that makes it past the Web filtering gateway may be of the zero-day variety. These need to be tracked using behavioural or heuristics-based detection. This type of detection is based on analysing data behaviour that is abnormal and probability analysis, rather than tracking known vulnerabilities.



[18] Strategies to protect your web applications and your organisation, John Pescatore, Gartner, IT Briefing centre webcast.

[20] Message Center warnings for hackable sites, Google (16 October 2008). http://googlewebmastercentral.blogspot.com/2008/10/message-center-warnings-for-hackable.html

[21] Throughout this report the term website administrator has been used to refer to the administrator or operator responsible for the administration of the website.

[22] Google to introduce warnings for potentially hackable sites, ZDNet (22 October 2008). http://blogs.zdnet.com/security/?p=2055&tag=nl.e589

[23] Google introducing Safe Browsing diagnostic to help owners of compromised sites, ZDNet (22 May 2008). http://blogs.zdnet.com/security/?p=1170

[24] Legally web 2.0, Kev Brace (21 October 2008). http://kev-brace.blogspot.com/2008/10/legally-web20.html

[25] Web 2.0 Services, JISC Legal – Data Protection (2008). http://www.jisclegal.ac.uk/publications/DPACodeofPractice.htm#_Toc197501973

[27] PAS 78:2006, Guide to good practice in commissioning accessible websites, British Standards Institute (2006). http://www.bsi-global.com/en/Shop/Publication-Detail/?pid=000000000030129227

[28] Good practice guidance for the providers of social networking and other user interactive services 2008. http://police.homeoffice.gov.uk/publications/operational-policing/social-networking-guidance
