A General Introduction to Web 2.0 Technologies and Applications
Presented by: Prof Mark Baker, ACET, University of Reading
Tel: +44 118 378 8615
E-mail: Mark.Baker@computer.org
Web: http://acet.rdg.ac.uk/~mab
[email_address] March 23, 09
The term became more significant after the O'Reilly Media Web 2.0 conference in 2004.
Tim O'Reilly said that "Web 2.0 is the business revolution in the computer industry caused by the move to the Internet as a platform, and an attempt to understand the rules for success on that new platform" ...
Many of us back in those days really wondered exactly what Web 2.0 was…!?
At that stage we thought the Web 2.0 stack was fairly empty... but since those days the extent to which people collaborate and communicate, and the range of tools and technologies, have changed rapidly.
AJAX is non-trivial; it requires deep and broad skills in web development... but the benefits to be gained can be huge compared to classic web applications.
AJAX enables major improvements in responsiveness and performance of web applications, e.g. used at Yahoo! Mail, Google Maps, live.com, and others.
AJAX is NOT hype – it is very real and very useful for highly interactive applications.
It needs cross-application features with a solid security model.
For example - currently, one area that has not been solved in Web 2.0 is that the browser does not sandbox the various Web 2.0 components that you may need to use.
So, for example, if you are using mashups from various sources (google/amazon/yahoo) within the browser, the JS from one component can interact with the JS of another component, play with your cookies and probably break other browser-hosted components!
Google search - Web 2.0 security issues - gave MANY hits!
Many areas of Web 2.0 have open security issues; AJAX is probably one of the biggest!
A Web page's input fields often fail to distinguish between innocent user data - information like names or dates - and malicious commands.
When a hacker's hidden instructions are entered into a Web site's input forms, the site may confuse them with user data and pass the commands to its SQL database, where they are executed as part of the database's own commands.
That lets the hacker access the site's data or add commands to the page so as to infect a visitor with malicious software.
A survey of major Web sites by the Web security firm WhiteHat Security found that 16% of sites were vulnerable to this tactic.
Cross-site request forgery, sometimes known as "sidejacking", takes advantage of a vulnerability that is common to password-protected Web pages.
When a user logs in to a private site their identity is marked with a "cookie" - a temporary file downloaded to a user's browser.
But if that user can be tricked into visiting a malicious site, while still logged in to that password-protected page, the second site can secretly steal his or her cookies, and with them, the user's access to the first site's private information.
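How a server can stop relying on the cookie alone as proof that the user meant to send a request. This is an added example, not code from the talk; the cookie attributes, the session-bound token, the `SITE_ORIGIN` value and the request dictionary shape are all assumptions.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)        # assumed: one secret per deployment
SITE_ORIGIN = "https://bank.example.test"   # assumed: the site's own origin


def session_cookie(session_id):
    # Secure/HttpOnly keep the cookie away from scripts and plain HTTP;
    # SameSite stops the browser attaching it to requests started by another site.
    return f"session={session_id}; Secure; HttpOnly; SameSite=Lax; Path=/"


def csrf_token(session_id):
    # Token derived from the session id: a third-party page cannot read the
    # cookie, so it cannot compute or guess this value for its forged request.
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def accept_transfer(request, valid_sessions):
    """request: constructed dict with 'cookies', 'headers' and 'form' mappings."""
    sid = request.get("cookies", {}).get("session")
    if sid not in valid_sessions:
        return False, "no session"
    origin = request.get("headers", {}).get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return False, "cross-site origin"
    supplied = request.get("form", {}).get("csrf")
    if supplied is None or not hmac.compare_digest(supplied, csrf_token(sid)):
        return False, "bad csrf token"
    return True, "ok"
```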
About two out of every three Web searches start at Google.
So, it seems, do many attacks on Web sites.
"Google hacking" uses the search engine to probe the entire Web for sensitive information or hackable vulnerabilities in code.
Just by entering the right search string, for instance, hackers are sometimes able to find repositories of credit card information or social security numbers stored on the Web.
Recently, an attack seeming to originate in China used Google to probe the Web for sites vulnerable to a certain strain of SQL injection, targeting more than half a million pages and infecting them with malicious software.
In some cases, "hacking" a Web site is as simple as changing a single digit in a Web address.
By shifting the characters in a page's address that refer to a name or date, a malicious user can sometimes gain access to pages they are not intended to see, a process security professionals call "forced browsing".
In 2006, Phil Angelides, a Democratic contender in the California gubernatorial campaign, was accused of hacking rival Arnold Schwarzenegger's Web site and obtaining a confidential audio file.
But a source close to the Democratic campaign told News.com that Angelides' aides had merely tampered with a URL to find the file.
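The defensive side of forced browsing: check each request against the record's owner rather than only against "is logged in", and optionally replace guessable numeric ids with per-user opaque references. This is an added example, not code from the talk; the `/files/<id>` URL layout and the file records are constructed.

```python
import re
import secrets

# Constructed file store: each record knows who owns it.
FILES = {
    101: {"owner": "alice", "name": "campaign-budget.xls"},
    102: {"owner": "bob", "name": "private-audio.mp3"},
}
FILE_PATH = re.compile(r"^/files/(\d+)$")


def fetch_unchecked(path):
    """The 'change a single digit' problem: any numeric id in the URL is served."""
    m = FILE_PATH.match(path)
    return FILES.get(int(m.group(1))) if m else None


def fetch_authorised(path, current_user):
    """Every request is checked against the record's owner before anything is returned."""
    m = FILE_PATH.match(path)
    rec = FILES.get(int(m.group(1))) if m else None
    if rec is None or rec["owner"] != current_user:
        return None  # same response for 'missing' and 'not yours': existence is not confirmed
    return rec


# Going further: hand out per-user random references instead of sequential integers,
# so there is no neighbouring value to shift to.
_REFERENCES = {}  # (user, token) -> file id


def issue_reference(user, file_id):
    if FILES.get(file_id, {}).get("owner") != user:
        raise PermissionError("can only reference your own files")
    token = secrets.token_urlsafe(16)
    _REFERENCES[(user, token)] = file_id
    return token


def fetch_by_reference(user, token):
    file_id = _REFERENCES.get((user, token))
    return fetch_authorised(f"/files/{file_id}", user) if file_id is not None else None
```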
As much as Web sites try to hide their inner workings from hackers, some pages reveal information in signs as subtle as how quickly they load.
Security researchers have shown that software which guesses random usernames on a Web application's login page can sometimes reveal which usernames are valid even without a password: a valid username causes the site to pause for a slightly shorter time than an incorrect username would.
In some cases, spammers can use that simple trick to collect thousands of valid e-mail addresses, which they then target!
In a 2005 issue of the hacker magazine 2600, another researcher revealed how to use timing analysis to determine the dealer's hand in an online blackjack gambling site.
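The login timing leak above comes from the server doing a different amount of work for known and unknown usernames. This added example (not code from the talk) contrasts an early-return login with one that performs the same password hashing either way and compares in constant time; the PBKDF2 parameters, the single constructed account and the hash-call counter are assumptions used for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 20_000
HASH_CALLS = 0  # instrumentation only: counts how much work each login path does


def hash_pw(password, salt):
    global HASH_CALLS
    HASH_CALLS += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user table: one real account, plus a dummy record used for unknown names.
_salt = os.urandom(16)
USERS = {"alice": (_salt, hash_pw("correct horse", _salt))}
DUMMY_SALT = os.urandom(16)
DUMMY_HASH = hash_pw("placeholder-not-a-real-password", DUMMY_SALT)


def login_leaky(username, password):
    rec = USERS.get(username)
    if rec is None:
        return False  # unknown name: no hashing at all, so the reply is measurably faster
    salt, stored = rec
    return hash_pw(password, salt) == stored  # plain == may also stop at the first differing byte


def login_uniform(username, password):
    # Unknown names get the dummy record, so the same PBKDF2 work happens either way.
    salt, stored = USERS.get(username, (DUMMY_SALT, DUMMY_HASH))
    computed = hash_pw(password, salt)
    matched = hmac.compare_digest(computed, stored)  # constant-time comparison
    return matched and username in USERS  # decide only after the work is done


def hash_calls_for(login, username, password):
    """Run one login attempt and report how many hash computations it performed."""
    global HASH_CALLS
    HASH_CALLS = 0
    login(username, password)
    return HASH_CALLS
```

The counter makes the difference visible without flaky wall-clock measurements: the leaky path does zero hashes for an unknown name, the uniform path always does exactly one.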
More and more people are using Web 2.0 technologies – the other speakers within this workshop will present and show how these technologies and ideas are helping their research.
Some people like the ideas related to Web 2.0, others feel they are not good!
There has been a lot of discussion on the Internet about Web 3!
Jim Hendler sees Web 3.0 as the "Semantic Web technologies integrated into, or powering, large-scale Web applications".
From my own viewpoint, Web 3.0 will probably be the integration of Web 2.0 and the Semantic Web.