News: Web is dangerous

VoIP is scary, if you rememeber. Now, there’s something else that is scary: WWW, the World-Wide Web. And thanks to Tim O’Reilly and his invention of Web 2.0, it’s scarier than ever.

As in: there’s much more to FUD about. Here’s a perfect example: Web 2.0 Threats and Risks for Financial Services (by Shreeraj Shah). It’s full of dung, as pretty much any other FUD. But being targeted at the financial industry (people with your money) it excels at that. Let’s analyse:

The financial industry estimates that 95% of information exists in non-RSS formats and could become a key strategic advantage if it can be converted into RSS format.

RSS is just a way of delivering dynamic content (not quite a format), and not much of financial information really can use RSS. Market news (think of Reuters and Bloomberg services) and that is pretty much all. And the model is simple: authenticate and deliver content securely. RSS has no security implications here. And where the figure of 95% came from?

Ajax, Flash (RIA) and Web Services deployment is critical for Web 2.0 applications. Financial services are putting these technologies in place; most without adequate threat assessment exercises.

Of all corporations, financial industry is one of the most conservative. Every technology that is used undergoes rigorous assessment. And adequate (to the organisation’s risk management and regulatory requirements) security is one of the top priorities there. The process of the evaluation may not be the most efficient, but that’s a different issue – nothing to do with Web. Besides, Flash belongs more to entertainment industry: it’s neither critical nor required by financial institutions for business-critical applications.

In the last few months, several cross-site scripting attacks have been observed, where malicious JavaScript code from a particular Web site gets executed on the victim’s browser thereby compromising information on the victim’s system. Poorly written Ajax routines can be exploited in financial systems. Ajax uses DOM manipulation and JavaScript to leverage a browser’s interface. It is possible to exploit document.write and eval() calls to execute malicious code in the current browser context. This can lead to identity theft by compromising cookies. Browser session exploitation is becoming popular with worms and viruses too. Infected sessions in financial services can be a major threat. The attacker is only required to craft a malicious link to coax unsuspecting users to visit a certain page from their Web browsers. This vulnerability existed in traditional applications as well but AJAX has added a new dimension to it.

AJAX doesn’t add any new dimension to the XSS attacks: both the attack techniques and the ways to prevent cross-site scripting haven’t changed.

One of the key elements of Web 2.0 application is its flexibility to talk with several data sources from a single application or page. This is a great feature but from a security perspective, it can be deadly.

And may be not. The decision to use multiple data sources is driven by functional requirements. And it can be well-secured.

Web 2.0 based financial applications use Ajax routines to do a lot of work on the client-side, such as client-side validation for data types, content-checking, date fields, etc. Normally client-side checks must be backed up by server-side checks as well. Most developers fail to do so; their reasoning being the assumption that validation is taken care of in Ajax routines.

At this point, an example is necessary. Abstract applications and developers aren’t good enough. In the past couple of years the developers actually have learnt server-side data validation and more often use it than not. And the risk is of stupid developer, not of AJAX – if anything, AJAX is raising the bar for developers.

Web Services are picking up in the financial services sector and are becoming part of trading and banking applications. Service-oriented architecture is a key component of Web 2.0 applications. WSDL (Web Services Definition Language) is an interface to Web services. This file provides sensitive information about technologies, exposed methods, invocation patterns, etc. that can aid in defining exploitation methods. Unnecessary functions or methods kept open can spell potential disaster for Web services. Web Services must follow WS-security standards to counter the threat of information leakage from the WSDL file. WSDL enumeration helps attacker to build an exploit. Web Services WSDL file access to unauthorized users can lead to private data access.

Mr. Shah seriously suggests that security though obscurity is essential. That’s rubbish.

A lot more analysis needs to be done before financial applications can be integrated with their core businesses using Web 2.0.

If we need analysis, that must be nothing like Mr. Shah’s.

Leave a Reply

Your email address will not be published. Required fields are marked *