There is something very big going on in the security world. It is rare to see things pushed forward quite this fast. I'm talking about the latest advances in web application security. I'm calling it Web Hacking 2.0 (gettit?).
Last year I spent a lot of time playing with web application security. Rogan Dawes himself showed me how to use WebScarab, I got my head around Paros and learned the basics: SQL injection, XSS, request forging etc. This has been more than enough to keep me busy gnawing at any web applications I came across. Most of these vulnerabilities are pervasive enough to not really require much further hacking, but the web is much more broken than I, and I'm sure many of us, thought.
The leaders of this charge are luckily some of the good guys. I highly recommend you start reading their blogs:
- Rsnake of ha.ckers.org
- Jeremiah of jeremiahgrossman.blogspot.com
- pdp of gnucitizen.org
There are others of course, but these three are talking about it.
Ok, let's get into this. First off, most security people don't understand why this stuff is important. I presented CSRF attacks to my team last week and I'm not sure if even I got the implications of this new round of attacks. PDP has had similar problems and has put together a nice breakdown. Honeynet has also put together a nice KYE with: Know your Enemy: Web Application Threats (thanks to Tor Houghton for this link).
Essentially, the web is taking over, but we all knew that. It is used for lots of important stuff. To support this, browsers and the underlying HTTP protocol are packing in a whole lot of functionality. The simple inclusion of XMLHttpRequest is what led to the AJAX binge, and we're just getting started. But all of this is built on a stateless, insecure mechanism that allows requests to be thrown all over the place. This is why the web has grown so quickly: you can slap up a fairly powerful web app and have it integrate and leverage off all sorts of juicy stuff like technorati, digg, del.icio.us, the google API etc. What's scarier is this whole SOA craze, which is taking traditionally protected, non-web applications and giving them a whole new level of exposure.
This has left us with a hugely powerful browser, and this power is starting to be exploited. JavaScript is a huge culprit; it's basically a walking remote code execution machine. The idea that your browser will execute code provided to it by web pages was a silly one, and it lets you do all sorts of nasty stuff. Internal network discovery and fingerprinting, combined with CSRF and (ever-increasing ways of pulling off an) XSS attack (including two-way communication), can help you own far more than an alert box bravely shouting 'XSS'. Have a look at how they were combined for the Drive-By Pharming attacks, Google Desktop 0wnage and Death by 1000 Cuts. These are *must read* examples. Combine these sorts of moves with something like anti-DNS pinning and the web becomes an even scarier place. View Joe Walker's presentation for a clear overview of what these problems are and how they work.
However, if the trickery of JavaScript-based attacks is Web Hacking 2.0, then this next round of attacks is Web Hacking 2.1. The clever boys I mentioned earlier are figuring out ways of doing all of this *without* JavaScript. RSnake just posted his demo of Jeremiah's original CSS history stealing attack, modified to work without JavaScript. He summarises this new wave of attacks nicely:
So now we've eliminated the JavaScript pre-requisite from Intranet port scanning, cross site request forgeries, session riding and of course CSS history hacking. The only thing we can't yet do without JavaScript is read cross domain (and I stress the word yet). What else is left? I don't mean to sound ho-hum about this, but really, what else do we have to do? Are there any nay-sayers left?
Many of these attacks rely on functionality intrinsic to a browser (read: unlikely to be removed); for example, you're not going to stop browsers making a GET for each <img> tag any time soon. But these aren't the only tools available; new browser vulnerabilities are being found all the time. Take Michal Zalewski's latest round of browser exploits for example (focus bugs, location, blank, bookmark, srand(), unload, tailgate, trap), and many of these don't require more than a morning coffee to find.
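Since the browser will happily fire a GET for every <img> the attacker's page contains, the defence for CSRF has to live on the server side. The following is an added example (mine, not from the post or from any of the projects mentioned) of a hypothetical state-changing endpoint that refuses GET and requires a per-session token that a forged request cannot supply; the session store and the handle_transfer endpoint are constructed for illustration.

```python
import hmac
import secrets

# Constructed in-memory session store: session_id -> {"user", "csrf"}.
SESSIONS = {}


def new_session(user):
    """Create a session and bind a fresh random CSRF token to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    """Token the server embeds in its own forms for this session."""
    return SESSIONS[sid]["csrf"]


def handle_transfer(method, cookies, form):
    """Hypothetical money-transfer endpoint. Returns (status, reason).

    The browser attaches the session cookie to any request, including one
    triggered by a third-party <img> or <form>. The CSRF token is only in
    the page body the server rendered, which another origin cannot read.
    """
    session = SESSIONS.get(cookies.get("session", ""))
    if session is None:
        return 401, "no session"
    # 1. Never change state on GET: <img src=...> and <a href=...> can
    #    only issue GETs, so an idempotent GET is harmless to forge.
    if method != "POST":
        return 405, "state change requires POST"
    # 2. Require the session-bound token, compared in constant time.
    supplied = form.get("csrf", "").encode()
    if not hmac.compare_digest(supplied, session["csrf"].encode()):
        return 403, "bad csrf token"
    return 200, "transferred %s for %s" % (form.get("amount"), session["user"])
```

The 405 branch is what neutralises the <img>-tag vector on its own; the token check covers cross-site forms that can still POST.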
In short, web application (in)security has just been pushed to a whole new level. We as a security community need to wrap our heads around this and start figuring out decent ways of protecting and defending against this. In the meantime, you can borrow some of my tinfoil.
Tracked: Nov 27, 21:31