Are we about to face the next Super Worm?
In recent years, malware attacks have been targeted and mass worms have been quiet. The days of blockbuster headlines about mass infections such as Slammer are long gone. Or are they? Are we about to face the next Super Worm?
The rapid evolution of “Web 2.0” has sparked the convergence of social networking on a massive scale and the adoption of new combinations of technologies that significantly increase the so-called ‘attack-surface’. This combination offers irresistible opportunities to organised crime.
About two years ago, organised criminals discovered that around 70% of web applications harboured security flaws and began to switch from targeting operating system weaknesses to those in the applications.
The web is now the preferred vector for malware. At the same time, the nature of the web has been transformed, through the phenomenon of social networking, and in a sense we have become the ‘we’ in ‘web’.
Under the traditional internet model, when a user clicks on a link, the web browser sends an HTTP GET request to a server. In return the server sends the requested web page to the client. If the client is to send information back to the server, another request is made following the same process.
This synchronous communication method involves the transfer of entire web pages. From the point of a page request, the user must wait and is unable to interact further with the browser until the entire page has been served.
With Ajax, an intermediary layer in the browser exchanges small amounts of data with the server in the background, without refreshing the entire page. This reduces the response time and gives an impression of seamless interaction.
For example, Gmail, the web-based email service provided by Google, offers a search-oriented interface and a unique “conversation view” and is well-known for its use of the Ajax programming technique in its design.
Although Ajax can dramatically improve the performance of a web application, it also introduces new potential for attack. As Ajax applications reside on both the client and the server, they raise the following security issues:
- Exposure of a much increased attack-surface, as many more points of input are opened
- Exposure of the workings of internal functions of the Web server application
- Allowing a client-side script, with no built-in security mechanisms, to access third-party resources
This leaves the web browser and users wide open to the threat of an Ajax Super-Worm.
As I mentioned above, Ajax applications extend across both client and server, unlike traditional web applications. This necessitates a trust relationship between client and server that may be exploited by an attacker.
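The three issues listed above and the client-server trust relationship just described can be seen in a single Ajax endpoint. The handler below is an added example, not code from the original article: it is written as a pure function so it can be exercised without a network, and the endpoint name, the session object shape and the profile store are hypothetical. It shows the defender's side of each point: the endpoint is one more input point and is validated on the server, internal failures are not echoed back to the client-side script, and the identity acted upon comes from the server-side session rather than from anything the client chose to send.

```javascript
// Added example (not from the original article). Hypothetical Ajax endpoint
// PUT /api/profile/displayName whose JSON body is {"displayName": "..."}.
const MAX_NAME_LEN = 40;
const NAME_RE = /^[\p{L}\p{N} .'-]+$/u; // letters, digits, space, a few punctuation marks

// Every Ajax endpoint is a new point of input: validate the body on the server,
// never rely on what the client-side script did before sending it.
function parseDisplayNameBody(rawBody) {
  let parsed;
  try {
    parsed = JSON.parse(rawBody);
  } catch (e) {
    return { ok: false, error: 'malformed JSON' };
  }
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    return { ok: false, error: 'expected a JSON object' };
  }
  const name = parsed.displayName;
  if (typeof name !== 'string' || name.length === 0 || name.length > MAX_NAME_LEN) {
    return { ok: false, error: `displayName must be 1-${MAX_NAME_LEN} characters` };
  }
  if (!NAME_RE.test(name)) {
    return { ok: false, error: 'displayName contains disallowed characters' };
  }
  return { ok: true, value: name };
}

// `session` is the server-side session resolved from the cookie (hypothetical
// shape { userId }); `store` is a Map of userId -> profile object.
// Returns { status, body } as the HTTP layer would send it.
function handleUpdateDisplayName(session, rawBody, store) {
  if (!session || !session.userId) {
    return { status: 401, body: { error: 'not signed in' } };
  }
  const result = parseDisplayNameBody(rawBody);
  if (!result.ok) {
    return { status: 400, body: { error: result.error } };
  }
  try {
    // The record is chosen by the session's userId; a `userId` field the client
    // could add to its JSON is simply ignored, so the trust runs server -> session.
    const profile = store.get(session.userId);
    if (!profile) throw new Error(`profile row missing for user ${session.userId}`);
    profile.displayName = result.value;
    return { status: 200, body: { displayName: profile.displayName } };
  } catch (e) {
    // Internal details stay in the server log; the client sees only a generic message,
    // so the workings of the server application are not exposed through the endpoint.
    return { status: 500, body: { error: 'internal error' } };
  }
}
```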