Date: Sat, 1 Sep 2007 00:10:20 +0100
From: "pdp (architect)" <pdp.gnucitizen@...glemail.com>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com, 
	"OWASP Leaders" <owasp-leaders@...ts.owasp.org>, 
	"Webappsec @securityFocus" <webappsec@...urityfocus.com>, 
	"WASC Forum" <websecurity@...appsec.org>
Subject: WHITE PAPER: For my next trick… hacking Web2.0

After several months spent in research on Web2.0 insecurities, I've
decided to sit down and write a whitepaper. The paper quickly became
rather blurred due to the enormous amount of notes I've collected on
this subject. This is the reason why it was later restructured into
stories, which provide a much better medium for understanding the
content.

http://www.gnucitizen.org/projects/for-my-next-trick-hacking-web20/
http://www.gnucitizen.org/projects/for-my-next-trick-hacking-web20/web2.0hacking.pdf
http://docs.google.com/Doc?id=dfpvfkxn_48f87xsv

For some Web2.0 symbolizes the start of a new era of the Web, for
others it is merely a marketing buzzword designed to hook unaware
venture capitalists on the Web2.0 hype.

The term Web2.0 appeared for the first time in 2003 at a conference
organized by O'Reilly media. The event, simply titled "Web 2.0",
attempted to reference the second generation of web technologies such
as social communities, server oriented architectures, Wikis, blogs,
collaborative environments, AJAX, etc. Since then the term has become
widely adopted across the entire Web industry and it has been used
ever since to describe innovation.

In simple words, Web2.0 outlines the technological, philosophical and
social superset of what we used to know as just the Web. Although we
know that the Web is not bound to any version number, it makes our
lives a lot easier to do so, so we can refer to a particular set of
features. The features of the Web2.0 era are rather blurred due to the
enormous amount of different opinions on the matter but we all agree
that they must include things such as feeds, data aggregators,
collaborative environments, social networks, client-side technologies
and SOA (Server Oriented Architecture).

Although Web2.0 has improved our ability to freely communicate and
share via the means of the Net, it has brought some unimaginable
dangers and as a result it is insecure. Web2.0 security is very much a
collection of every single security aspect of its components. On
their own they are just simple system abnormalities, but when put
together they create a problem worth our attention.

In this paper we are going to outline some of the dangers of Web2.0 by
combining fictional stories with technology that is real. Each story
begins with a prologue, which introduces the problem, and finishes
with a conclusion, which summarizes the attack techniques that are
described within the story context.

Cheers

-- 
pdp (architect) | petko d. petkov
http://www.gnucitizen.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/