DOCUMENT INFORMATION
Basic information
Format:
Number of pages: 385
Size: 5,82 MB

Contents
[...] shreeraj@blueinfy.com

1 Web 2.0 Introduction and Security

In This Chapter
Web 2.0 An Agent of Change
Driving Factors for Web 2.0 and Its Impact on Security
Path of Evolution: A Look Back in Time and a Peek Ahead
Web 2.0: Technology Vectors and Architecture
Web 2.0 Application Information Sources and Flow
Real-Life Web 2.0 Application Examples
Growing Web 2.0 Security Concerns
Web 2.0 Real-Life Security Cases

This...

... infrastructure. Web 2.0 security concerns are growing, and they have a strategic impact on the application security space. An overview of Web 2.0 technology layers includes client, protocol, structures, and server. It is imperative to understand the working of Ajax and RIA components in the Web browser. Understanding of XML-RPC, SOAP, and REST protocols with frameworks is critical for Web 2.0 security. These...

... (CSRF) exploitation. Web 2.0 Security: Defending Ajax, RIA, and SOA covers the new field of Web 2.0 security. Written for security professionals and developers, the book explores Web 2.0 hacking methods and helps in enhancing next-generation security controls for better application security. Readers will gain knowledge in advanced footprinting and discovery techniques; Web 2.0 scanning and vulnerability...

... Server Layer. This chapter will cover various Web 2.0 technologies and architecture in detail with examples. We will overview Web 2.0 technology layers: client, protocol, structures, and server. It is imperative to understand the working of Ajax and RIA components in the Web browser. Understanding of XML-RPC, SOAP, and REST protocols with frameworks is critical for Web 2.0 security. The chapter includes an introduction...

... some real-life Web 2.0 applications that offer a better perspective on overall infrastructure. Web 2.0 security concerns are growing, and they have a strategic impact on the application security space. Recently Web 2.0 security breaches were observed in the applications designed by popular portals such as MySpace, Yahoo, and Google.

WEB 2.0 AN AGENT...

... profiling and crawling methods for Web 2.0 applications and SOA components.

CHAPTERS 7 AND 8: XSS AND CSRF FOR WEB 2.0
We discuss the XSS attack vector and its security implications for Web 2.0 applications. A Web 2.0 application can run with DOM-based XSS, and it is important to detect that. It is possible to inject malicious code in the XSS injection points such as eval(), document.write, and...

... RSS/Atom, JSObjects, and so on since they are critical sources for information transfer between the layers. We also include a brief overview of SOA with Web services and related architectures such as Web-oriented architecture (WOA) and SaaS.

WEB 2.0 TECHNOLOGY LAYERS: BUILDING BLOCKS FOR NEXT GENERATION APPLICATIONS
Web 2.0 is a combination...

... shown in Figure 1.2, we have a sample start page Web 2.0 application.

FIGURE 1.2 Web 2.0 application information flow

As illustrated in Figure 1.2, the application has its own database and authentication server. When the end user accesses the start page from the browser, the application loads several Ajax- and Flash-based components in the browser that...

... tactical attack vectors and defense strategies are addressed in detail, while focusing on Web 2.0. Here is the flow of the book in a nutshell.

CHAPTERS 1 AND 2: FUNDAMENTALS AND INTRODUCTION TO WEB 2.0 SECURITY
Understanding Web 2.0 technology vectors and architecture from a higher-level view along with information flow analysis is important. We cover some real-life Web 2.0 applications...

... security concerns surfaced.

Frameworks and speed
Scripting languages had their own problems, and that is where frameworks came into play along with application servers (WebLogic, WebSphere, .NET framework, etc.). Reusability (objects and middleware) and increased speed made developers’ lives easy.

Asynchronous, service driven, and user friendly
Now focus...

Contents
... of SOA 214
SOA Layered Architecture 215
SOA Server-Side Architecture and Code 217
Web Services and SOA Security Framework 218
XML Message: A Torpedo of Web 2.0 Applications 220
... Layer 40
Conclusion 45
3 Web 2.0 Security Threats, Challenges, and Defenses 47
Web 2.0 Security Landscape 47
Web 2.0 Security Cycle and Changing Vectors 49
Web 2.0 Attack Points and Layered...