Grey hat hacking web 2.0 applications

Abstract

The term Web 2.0 refers to a perceived new generation of web applications that aim to facilitate communication and interoperability. Social networks, Wikis and Blogs using technologies such as asynchronous JavaScript and XML (AJAX) all fall under the Web 2.0 umbrella term. However, this new generation of technologies has also brought with it a new, different set of vulnerabilities ready to be exploited. The desire for innovative technological development instigates competing web development companies worldwide to acquire and make use of the latest technology in order to enhance their competitiveness within the international market. This often means that security testing activities are typically constrained by strict time frames to deliver a product. This will often result in incomplete vulnerability and security testing and the possibility of a vulnerable product. Late 2005, the Samy XSS Worm was released across the MySpace social networking site and infected over one million users in just 20 hours of its release using a simple Cross Site Scripting security vulnerability which allowed it to propagated and spread rapidly. In May 2010, a security flaw found in Facebook's browser chatting system- a Web 2.0 feature, allowed any user to view live chats of their friends. These security scares emphasize the significance of penetration testing since the consequences of such system deficiencies might provoke devastating effects upon millions of online users. This is where exploitation frameworks come in. An exploitation framework, such as the open-source Metasploit framework, will provide developers and penetration testers with the tools to rapidly test their applications for known vulnerabilities. This facilitates their job of exploitation and post-exploitation making it easier and faster. These frameworks have a constantly growing community-driven library full of exploits and payloads which have been already developed and ready for re-use. Even though Metasploit is already a huge project in its own right, it is currently focused on exploiting low level system vulnerabilities and lacks the necessary tools to exploit modern Web 2.0 applications.