The definition of Web 2.0 is still being debated despite extensive discussion. Its staunchest advocates proclaim it a complete philosophical and technological reworking of how the web functions. Others declare that it is meaningless. However, most agree on common characteristics of a Web 2.0 application, such as increased interactivity, the acceptance of user input for building community and a reliance on client-side functionality. Additionally, Web 2.0 applications can be more vulnerable to exploitation by hackers than their predecessors. Hackers spend most of their time gathering information. When Web 2.0 applications push functionality and code to users, they provide hackers with information that can be used for formulating attacks. Often, old attacks such as cross-site scripting become more dangerous when used against Web 2.0 applications. This white paper defines some of the common technological components of Web 2.0 applications and discusses ways of securing them against exploitation.
Web 2.0 components
Web 2.0 uses the web for delivering information that is often created through community contribution. Wikis and blogs are good examples of these types of applications. The main attribute of a Web 2.0 application is interactivity. More functionality is on the client, and less is on the server. As a result, requests are updated in the browser without refreshing the entire page. For example, consider Google Maps. Instead of a static page, you can drill down or zoom in and out of a map without making requests for a new page. You can use several key technologies—or more appropriately, groupings of different technologies—to create Web 2.0 applications. The following are some of the most frequently used:
Ajax, Asynchronous JavaScript™ combined with XML, increases a web application’s interactivity, responsiveness and usability by exchanging small bits of data with the server so that the entire page does not need to be refreshed every time a user makes a new request.
RSS, Really Simple Syndication or Rich Site Summary, is a collection of “feed” formats for publishing frequently updated content, such as news or blogs.
JSON, JavaScript Object Notation, is used with JavaScript in the same way that XML is used with Ajax.
Flash is a popular way to add video and interactivity to websites. Most browsers support Flash and contain a client application to run Flash files.
SOAP, Simple Object Access Protocol, is used by most web services to send XML data between a web service and a client web application making a request.
REST, Representational State Transfer, improves a web application’s response time and server load through caching. Most blog sites are based on REST rather than RPC (Remote Procedure Call). They download an XML RSS feed file that contains links to other resources.
Used together or separately, these technologies have increased the flexibility of web applications. However, when implemented without security considerations, application inputs can be vulnerable, and old attacks can gain new traction.
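The point about vulnerable inputs can be made concrete on the client side, where JSON responses carry community-contributed titles and links into the page. The following is an added example, not code from the white paper; the feed shape (`items` with `title` and `link`) and all function names are assumptions chosen for illustration.

```javascript
// Added example: turn an untrusted JSON feed response into list markup.
// Assumed (hypothetical) feed shape: { "items": [ { "title": ..., "link": ... } ] }

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode text so the browser treats it as data, never as markup.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Accept only absolute http(s) links; script, data and relative URLs are dropped.
function safeLink(raw) {
  try {
    const url = new URL(String(raw));
    return (url.protocol === 'http:' || url.protocol === 'https:') ? url.href : null;
  } catch {
    return null; // not a parseable absolute URL
  }
}

// Parse the response as data with JSON.parse (never eval), then encode every
// user-contributed field before it is placed into markup.
function renderFeed(body) {
  let feed;
  try {
    feed = JSON.parse(body);
  } catch {
    return ''; // malformed or non-JSON response: render nothing
  }
  if (!feed || !Array.isArray(feed.items)) return '';
  return feed.items.map((item) => {
    const title = escapeHtml(item && item.title != null ? item.title : '');
    const href = safeLink(item && item.link);
    return href ? `<li><a href="${escapeHtml(href)}">${title}</a></li>` : `<li>${title}</li>`;
  }).join('');
}

// Constructed sample response: one ordinary entry, one carrying markup and a script URL.
const SAMPLE_BODY = JSON.stringify({ items: [
  { title: 'Release notes', link: 'https://example.com/notes?a=1&b=2' },
  { title: '<img src=x onerror=alert(1)>', link: 'javascript:alert(1)' },
] });

console.log(renderFeed(SAMPLE_BODY));
```

The second entry comes out as inert text with no link, because its title is encoded and its URL scheme is rejected.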
Download pdf Securing Web 2.0: are your web applications vulnerable?