Hacking Exposed Web 2.0 - Web 2.0 Security Secrets & Solutions



[...]... environments that Web 2.0 brings to the Internet.

Web 2.0's Impact on Security

The security impact on Web 2.0 technologies includes all the issues on Web 1.0 as well as an expansion of the same issues on new Web 2.0 frameworks. Thus, Web 2.0 simply adds to the long list of security issues that may exist on web applications. Cross-site scripting (XSS) is a very prevalent attack with Web 1.0 applications. In Web 2.0, there...

... and offer solutions for Web 2.0 security risks. This introduction will cover some basics on how Web 2.0 works, to help ensure that the chapters in the rest of the book are clear to all individuals.

What Is Web 2.0?

Web 2.0 is an industry buzz word that gets thrown around quite often. The term is often used for new web technology or comparison between products/services that extend from the initial web era...

... cross-domain functionality. The following code shows an example of the flexibility from crossdomain.xml: In addition to the domain name, a wildcard can be used such as domain="*". (Many web developers are bypassing XHR security controls to add cross-domain functionality to their web applications.) Cross-domain...

... case study. Another security impact in addition to worm propagation is the idea of cross-domain attacks. Cross-domain attacks allow attackers to publish malicious content to web users without users' knowledge or permission. While XHR specifically prevents cross-domain interaction, much to the developer's dismay, there is some flexibility in certain Web 2.0 technologies. For...

... the purposes of this book, Web 2.0 addresses the new web technologies that are used to bring more interactivity to web applications, such as Google Maps and Live.com. Technologies such as Asynchronous JavaScript XML (AJAX), Cascading Style Sheets (CSS), Flash, XML, advanced usage of existing JavaScript, .NET, and ActiveX all fit under the Web 2.0 technology umbrella. While...
... injection issues prevalent in Web 2.0, such as XPath and XXE (XML eXternal Entity) attacks. XXE attacks attempt to exploit RSS document and feeds in web applications, a common theme in Web 2.0. Chapter 2 discusses Cross-Site Scripting (XSS), which has been around for a long while, but has evolved in Web 2.0. This chapter shows how to take the existing XSS attack class and apply it to Web 2.0 technologies, such...

... web technologies to give readers an understanding of the new attack classes on the web as well as the older attack classes with updated Web 2.0 content.

I Attacking Web 2.0

1 Common Injection Attacks

Injection attacks were around long before Web 2.0 existed, and they are still amazingly common to find. This book would be incomplete...

... ActiveX Security; A Brief Look at the Flash Security Model; Security Policy Reflection Attacks; Security Policy Stored Attacks; Attacking Flash Applications; Flash Hacking Tools ...

... organizations accessible through the same web interface, and developers are deploying new technologies without understanding the security implications of them. These issues have all impacted security in the online environment.

BOOK OVERVIEW

The focus of this book is Web 2.0 application security. As mentioned, many Web 1.0 attacks are carried over to the Web 2.0 world. This book will show how this...

... Life Cycle (SDLC). Hence, consumers are left with amazing technologies that have security holes all over them. This is not only true in Web 2.0, but other emerging technologies such as Voice Over IP (VoIP) or iSCSI storage. This book covers Web 2.0 security issues from an attack and penetration perspective. Attacks on Web 2.0 applications, protocols, and implementations are discussed, as well as the mitigations...

... web applications and VoIP security.
Zane has spoken at top security conferences including BlackHat 2006/2007 and Toorcon. Additionally, he is a coauthor of Hacking Exposed: Web 2.0 (McGraw-Hill).

Date posted: 25/03/2014, 11:21
