Web 2.0

Gartner warns enterprises to watch for the internal and external risks Web 2.0 brings

Posted by blue on Thu, 08/16/2007 - 14:30
News source: 
IT新聞眼

While the media and bloggers are unanimously cheering Web 2.0, the IT and telecommunications research firm Gartner reminds enterprises to pay attention to the serious information security risks that Web 2.0 brings. Gartner also notes, however, that as long as enterprises assess these risks early, adopt appropriate security measures, and lay a sound foundation for supporting Web 2.0, the risks are manageable.

Gartner vice president and distinguished analyst Joseph Feiman points out that most Web 2.0 technologies have existed for some time, but many of the concepts behind them run counter to traditional IT security practice. He said: "Employees' use of and participation in these online services and communities is forcing enterprises to re-examine their openness policies and to loosen the security controls they have long held tight."


Web 2.0 Client-Side Component Vulnerability Scanning (Part 1)

Posted by blue on Mon, 07/09/2007 - 16:45

1. Introduction

Web 2.0 is the result of combining several technologies: AJAX (Asynchronous JavaScript and XML), Flash, JSON (JavaScript Object Notation), SOAP (Simple Object Access Protocol), REST (Representational State Transfer) and others. Together with cross-domain information access (cross-site access), they jointly support the complex applications that make up Web 2.0. As Web 2.0 applications spread, the most visible change is that the end user's browser keeps growing more powerful, and more of the application logic runs inside it.

These changes pose new challenges for traditional scanning tools and for security researchers. This article sets out to examine the following:

(1) the complexity of, and challenges in, scanning the new generation of Web applications;

(2) what to scan on the Web 2.0 client side, and how;

(3) Web 2.0 vulnerability detection (cross-site scripting in RSS feeds).


Source: 
SecurityFocus, 賽迪網 Kevin

WEB 2.0 Hacking – Defending Ajax and Web Services

Posted by blue on Mon, 04/09/2007 - 21:12

WEB 2.0 technologies for the Web application layer are still evolving. This framework consists of Web services, AJAX and SOAP/XML and, while still evolving, has thrown up new attack vectors. To combat the attacks one needs to understand the new methodology, tools and strategies. Steadily emerging as the first line of defense is the Web application firewall. This presentation reveals emerging security threats, some of which will be demonstrated.

Objectives:

* Logical evolution of Web applications has reached a new level with the introduction of WEB 2.0. WEB 2.0 is the combination of new technologies like Web services, AJAX and SOAP. It is important to understand this framework and the fundamentals, before looking at security threats.


Source: 
Shreeraj Shah

SessionSafe: Implementing XSS Immune Session Handling

Posted by blue on Tue, 03/06/2007 - 02:47

With the growing trend towards the use of web applications, the danger posed by cross site scripting vulnerabilities gains severity. The most serious threats resulting from cross site scripting vulnerabilities are session hijacking attacks: exploits that steal or fraudulently use the victim's identity. In this paper we classify currently known attack methods to enable the development of countermeasures against this threat. By close examination of the resulting attack classes, we identify the web application's characteristics which are responsible for enabling the single attack methods: the availability of session tokens via JavaScript, the pre-knowledge of the application's URLs and the implicit trust relationship between webpages of the same origin.


Source: 
23rd Chaos Communication Congress
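The first enabling characteristic the abstract names, session tokens being available to JavaScript, is the one most directly under the application's control: a cookie issued without the HttpOnly attribute is readable through document.cookie by any script the page runs, including an injected one, while an HttpOnly cookie is still sent on every request but hidden from script. The check below is an added example for this page, not code from the SessionSafe paper; it parses Set-Cookie headers, reports what an injected script could read, and flags session cookies missing HttpOnly or Secure. The header sets and the list of cookie names treated as session tokens are constructed assumptions.

```python
"""Check whether a web application's session token is reachable from JavaScript.

Added example for this page, not code from the SessionSafe paper. The headers
below are constructed; SESSION_NAMES is an assumed list of common session cookie
names and should be adapted to the application under test.
"""

SESSION_NAMES = {"sid", "sessionid", "phpsessid", "jsessionid", "asp.net_sessionid"}


def parse_set_cookie(header):
    """Parse one Set-Cookie header value into (name, value, attributes).

    Attribute keys are lower-cased; flag attributes without a value (Secure,
    HttpOnly) map to True so callers can test them with a plain truth check.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value, attrs


def javascript_visible(set_cookie_headers):
    """Names of cookies an injected script could read through document.cookie.

    Browsers omit HttpOnly cookies from document.cookie; every other cookie is
    readable by any script running in the page, which is all a cross-site
    scripting payload needs in order to steal the session token.
    """
    return [
        name
        for name, _, attrs in map(parse_set_cookie, set_cookie_headers)
        if not attrs.get("httponly")
    ]


def audit_session_cookies(set_cookie_headers, session_names=SESSION_NAMES):
    """Return (cookie_name, issue) findings for cookies that look like session tokens."""
    findings = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if name.lower() not in session_names:
            continue
        if not attrs.get("httponly"):
            findings.append((name, "readable by JavaScript: add HttpOnly"))
        if not attrs.get("secure"):
            findings.append((name, "sent over plain HTTP: add Secure"))
    return findings


# Constructed responses: the first exposes the token to script, the second does not.
WEAK_HEADERS = [
    "sid=8f3a9c1d7e; Path=/",
    "theme=dark; Path=/",
]
HARDENED_HEADERS = [
    "sid=8f3a9c1d7e; Path=/; Secure; HttpOnly",
    "theme=dark; Path=/",
]

if __name__ == "__main__":
    for label, headers in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, "- document.cookie exposes:", javascript_visible(headers))
        for name, issue in audit_session_cookies(headers):
            print("  ", name, "->", issue)
```

HttpOnly closes only the first of the three characteristics listed in the abstract: a script that cannot read the token can still drive the browser, which already attaches the cookie, to URLs it knows in advance, and can still interact with other pages of the same origin. Treat the attribute as a necessary baseline rather than as XSS immunity.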