What on earth is Web 2.0? Web 2.0 carries a high profile and surrounding hype. Developers must surely be feeling the heat to quickly adopt the new second generation of dynamic, interactive and simple-by-design technologies.
Web 2.0 is the term pioneered by O’Reilly for new-generation Web applications. Live.com, start.com, Google Maps, Google Docs, YouTube, Flickr, and MySpace are a few examples. Adoption of this technology vector has changed the web application development approach and methodology significantly. AJAX (Asynchronous JavaScript and XML), RIA (Rich Internet Applications) and Web Services form the core components of Web 2.0 applications.
AJAX delivers a rich user interface by displaying more dynamic content. Another common technique is Really Simple Syndication (RSS) feeds, an XML-based standard that allows subscribers to promote information feeds. This is most commonly used to subscribe to blogs and news articles. AJAX and Rich Internet Application (RIA) clients are enhancing client-end interfaces in the browser itself. XML is making a significant impact at both the presentation and transport (HTTP/HTTPS) layers. To some extent XML is replacing HTML at the presentation layer, while SOAP is becoming the XML-based transport mechanism of choice.
With Web 2.0, the functionality and experience of the sites become the primary focus, and the technology empowering the dynamic content is hidden behind the scenes from the average user. Yet the web applications underneath the polished finish remain just as complex, and add a variety of new and often unproven or unsecured technologies to the back end. Worms like Spaceflash, Yamanner and Samy are exploiting “client-side” AJAX frameworks, providing new avenues of attack and compromising confidential information. They carry remote capabilities to invoke methods over GET, POST or SOAP from the Web browser itself, providing new openings to applications. On the other side, RIA frameworks running on XML, Flash, applets and JavaScript add new possible sets of vectors. RIA, AJAX and Web services are adding new dimensions to Web application security.
Have you heard of something like ‘Cross-Site Request Forgery’, ‘XML Poisoning’ or ‘Malicious Ajax Code Execution’ recently? Well, all these terms are the modern attacks found in the new web technology. Media reports show regular coverage of the larger companies, such as MySpace suffering from a QuickTime XSS worm, Yahoo Mail recently being hit by a Yamanner worm attack, and even Google Mail has had to overcome XSS problems.
Weakness in security is not intrinsic to Ajax. Ajax can consume XML, HTML, JS Array and other customized objects using simple GET, POST or SOAP calls; all this without invoking any middleware tier. This brings in relatively seamless data exchange between an application server and a browser. Information coming from the server is injected into the current DOM context dynamically and the state of the browser’s DOM gets recharged.
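The dynamic injection described above is where client-side handling decides whether a server response is treated as data or as code. The following is an added example, not code from the original article: it parses a response with JSON.parse rather than eval() and escapes every field before building the fragment that goes into the DOM. All function names are hypothetical and the sample responses are constructed.

```javascript
// Added example: treat an Ajax response as data, never as code or markup.
// Function names are hypothetical; the sample responses are constructed.

// Parse a "JS array"/JSON response with JSON.parse instead of eval(), so a
// response that carries script statements is rejected rather than executed.
function parseResponse(body) {
  try {
    return { ok: true, data: JSON.parse(body) };
  } catch (err) {
    return { ok: false, data: null };
  }
}

// Escape the five HTML-significant characters so server-supplied text
// cannot open tags or attributes when it is placed into markup.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Build the fragment that will be inserted into the DOM from parsed data.
// Entries that do not have the expected string fields are dropped.
function renderComments(comments) {
  if (!Array.isArray(comments)) return '';
  return comments
    .filter((c) => c && typeof c.author === 'string' && typeof c.text === 'string')
    .map((c) => `<li><b>${escapeHtml(c.author)}</b>: ${escapeHtml(c.text)}</li>`)
    .join('');
}

// Constructed sample responses: plain data, data containing markup,
// and a body that is script rather than JSON.
const benign = '[{"author":"alice","text":"nice post"}]';
const withMarkup = '[{"author":"bob","text":"<script>alert(1)</script>"}]';
const notJson = 'alert(1);[1,2,3]';

// Run each sample through the parse-then-escape path.
function demo() {
  return [benign, withMarkup, notJson].map((body) => {
    const r = parseResponse(body);
    return r.ok ? renderComments(r.data) : 'rejected';
  });
}

console.log(demo());
```

In a browser, assigning each value with textContent on a created element achieves the same result as the escaping step without building an HTML string at all.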