Backdooring the Web 1
Is it just me or is it cold in the security room? Has anyone noticed that the security community is having a hard time letting go of “traditional” vulnerabilities and welcoming the new? I am not saying that *Overflows, Format String vulns, etc. are finished; in fact, I think they will be around for some time. What I am saying is that Web 2.0 is the “new order” on the net. Rich Internet Applications (applications that support the same features as a desktop application) are becoming more and more popular (e.g. Adobe’s Flex 2 RIA framework), and the web is growing with a plethora of development possibilities.
What does this mean? It means a revamp and upgrade of “traditional” hacking terminology. For example, the term “Backdooring” traditionally means: “… a method of bypassing normal authentication or obtaining remote access to a computer, while intended to remain hidden to casual inspection. The backdoor may take the form of an installed program (e.g., Back Orifice) or could be a modification to a legitimate program.” - Wikipedia: Backdoor
So we embed malicious code into a Flash, PDF, DOM, HTML, QuickTime file, etc. Can this code be used to “bypass normal authentication”? Absolutely. Can it be “hidden from casual inspection”? Certainly.
I think last year we saw a lot of exploitation of the “low-hanging” fruit. Why is this possible in the first place? Because no one has cared until now. We have made a good start, but I fear we are only scratching the surface when it comes to Web 2.0 hacking.