Web 2.0 Application Kung-Fu - Securing Ajax & Web Services presented at DeepSec 2007

by Shreeraj Shah,

Summary : With Web 2.0 applications being adopted by businesses at a very quick pace, security concerns around these technologies too have grown. Ajax and Web Services are key components in the Web 2.0 framework. Understanding new technology key components vis-à-vis attack vectors is imperative if the security concerns are to be adequately addressed. Financial services companies such as Wells Fargo and E*Trade are adopting Web 2.0 technologies by building next generation Enterprise 2.0 solutions. Ajax fingerprinting, crawling and scanning are key aspects for Web 2.0 threat profiling. It is possible to identify XSS and XSRF vulnerabilities and likely weak entry points on the basis of proper threat profiles. As ethical hackers, scanning and fuzzing must be accomplished before attackers have the chance to exploit vulnerable Web Services running on XML-RPC, SOAP and REST. This presentation is going to reveal methodologies, techniques and tricks to hack Web 2.0 applications and defense strategies to secure them. The presentation includes a number of demonstrations and real-life cases encompassing next generation attacks and defense. The speaker has already authored several tools – wsChess (Web Services hacking toolkit), Ajaxfinger, ScanAjax and MSNPawn – that will be demonstrated in detail.