[unisog] WEB2.0 Security Issues

Edgecombe, Jason jwedgeco at uncc.edu
Thu Jan 25 13:39:27 GMT 2007

I third the notion that Web 2.0 has all of the old bugs from Web 1.0.

While this can be called Web 2.0 or not, there is a strong push for more
client-side scripting. Specifically, this is JavaScript and all of the
acronyms that go along with it, like AJAX. I expect there to be similar
threats as the core libraries are fleshed out and experience is gained
for using client-side scripting properly.

In other words, I expect history to repeat itself. I think that most of
the bugs that hit traditional apps will hit Web 2.0 apps. It's a
double-whammy now that you have both an untrusted client and the server
side to worry about.

From the anti-phishing perspective, thanks to AJAX, you don't have to
click submit for a bad guy to get what you've typed into a malicious web
form. It's no longer "think before you press submit", it's "think before
you even type".


Jason Edgecombe
Solaris & Linux Administrator
Mosaic Computing Group, College of Engineering
Phone: (704) 687-3514
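Editor's added example, not part of this thread or either poster's words: the path Jason describes (page script sending what is typed before any submit) is what the Content-Security-Policy connect-src directive constrains on the defensive side, by limiting which origins a page's scripts may reach with XMLHttpRequest or fetch. The JavaScript below is a simplified, stand-alone evaluator for that directive, written here to show which outbound requests a given policy would permit. It handles 'self', 'none', scheme sources such as https: and host sources with an optional leading *. wildcard, and ignores nonces, hashes and path matching. The hostnames portal.example.edu, api.example.edu and collector.attacker.example are constructed for the example.

```javascript
// Added example: simplified evaluator for the CSP connect-src directive.
// Not the thread's code; hostnames below are constructed for illustration.

// Split a CSP header into { directiveName: [sourceExpressions] }.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Default port for the schemes a host-source may name.
function defaultPort(protocol) {
  return protocol === 'https:' ? '443' : protocol === 'http:' ? '80' : '';
}

// Host matching with the single supported wildcard form "*.example.edu".
function hostMatches(pattern, host) {
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1); // ".example.edu"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// Does one source expression permit a request from pageOrigin to target?
function sourceAllows(source, pageOrigin, target) {
  const src = source.toLowerCase();
  if (src === "'none'") return false;
  if (src === "'self'") {
    return target.protocol === pageOrigin.protocol && target.host === pageOrigin.host;
  }
  if (src.endsWith(':') && !src.includes('/')) {
    // Scheme source, e.g. "https:" permits any https target.
    return target.protocol === src;
  }
  // Host source: [scheme://]host[:port], port may be "*".
  const m = src.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:/]+)(?::(\d+|\*))?$/);
  if (!m) return false;
  const [, scheme, hostPattern, port] = m;
  if (scheme && target.protocol !== scheme + ':') return false;
  if (!hostMatches(hostPattern, target.hostname)) return false;
  const targetPort = target.port || defaultPort(target.protocol);
  if (port && port !== '*' && port !== targetPort) return false;
  return true;
}

// Decide whether a script on pageUrl may send a request to requestUrl.
// connect-src falls back to default-src; with neither set, CSP imposes no limit.
function connectAllowed(cspHeader, pageUrl, requestUrl) {
  const policy = parseCsp(cspHeader);
  const sources = policy['connect-src'] || policy['default-src'];
  if (!sources) return true;
  const pageOrigin = new URL(pageUrl);
  const target = new URL(requestUrl);
  return sources.some(s => sourceAllows(s, pageOrigin, target));
}

// Constructed scenario: a login page whose policy allows only same-origin
// calls and its own API host. A keystroke-by-keystroke post to a third-party
// collector is refused; the legitimate API call is not.
const policy = "default-src 'self'; connect-src 'self' https://api.example.edu";
const page = 'https://portal.example.edu/login';
console.log(connectAllowed(policy, page, 'https://api.example.edu/v1/session'));   // true
console.log(connectAllowed(policy, page, 'https://collector.attacker.example/k')); // false
```

The point for the reader of the thread: the browser enforces this before the request leaves, so the check does not depend on the user noticing that typing alone has triggered network traffic. A policy of this shape is a server-side setting on the page being protected, and it does nothing for a page the attacker controls outright, which is the phishing case Jason raises; there the only protection is still the user's caution.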

-----Original Message-----
From: unisog-bounces at lists.dshield.org
[mailto:unisog-bounces at lists.dshield.org] On Behalf Of
Valdis.Kletnieks at vt.edu
Sent: Wednesday, January 24, 2007 3:32 PM
To: UNIversity Security Operations Group
Subject: Re: [unisog] WEB2.0 Security Issues

On Wed, 24 Jan 2007 21:51:06 +0200, avi shvartz said:
> What I am missing is a reference to security & privacy issues related
> to WEB2.0.

All the same ones that Web 0.99 had.

Since "Web 2.0" is more a buzzword than an actual protocol or design
methodology, you can't point to anything the way you can (for instance)
point at "privacy issues of HTTP Cookies" or "Things to worry about when
collecting personal data on a website that uses LAMP".

If there's a *specific* concept that's more specific than "now
with web 2.0", feel free to raise it and we'll discuss it.

> I would like to hear opinions what are the new security & privacy
> that WEB2.0 

Only thing that comes to mind is "fraud against VC investors who didn't
learn their lesson in the dot-bomb bubble collapse".
