Web 2.0 security is everybody’s business
Posted by Roger Farnsworth in Collaboration and Communication on February 18th, 2009
The Secure Enterprise 2.0 Forum released their 2009 Industry Report, Top Web 2.0 Security Threats this week, and the results of the research are eye-opening.
According to the announcement:
The report highlights threats that are specific to Web 2.0 technologies, as well as “older” threats that are made more pernicious through “Web 2.0-type” behavior, such as widespread content sharing, community participation, and viral distribution of applications, widgets, and content.
These threats include the following:
- Cross Site Scripting (XSS) – malicious input is sent by an attacker, stored by a system, and then displayed to other users. Systems that allow users to input formatted content, such as HTML, are more susceptible to XSS and malicious scripts. This type of functionality, in which many users can create content viewed by other users, is typical of Web 2.0 systems such as social networks, blogs or wikis, making Web 2.0 applications especially vulnerable to XSS. Web 2.0 applications rely heavily on user-generated input. In order to allow the user great control over the content design, applications often allow HTML tags that are not safe and can be abused for XSS.
- Cross Site Request Forgery (CSRF) / Cross Gadget Request Forgery (CGRF) – the victim visits a malicious web site. While content is displayed on the victim’s browser, the malicious site code generates requests to a different site to which the victim is authorized, for example through a persistent cookie. Such requests can perform operations on behalf of the victim, even across insecure gadgets on the same web page.
- Phishing – the victim receives by email a request to install a fraudulent widget, or is redirected to a fraudulent web site in order to fill an online form with sensitive information.
- Information Leakage – Web 2.0 applications promote user-generated content and thus blur the line between work and private life. As a result, users may publish as part of their web presence, information considered sensitive by their employer. Even if users are careful and do not leak information that is by itself sensitive, the aggregation of many small data items may be unacceptable.
- Injection Flaws – Web 2.0 is vulnerable to new types of injection attacks, including XML injection, XPath injection, JavaScript injection and JSON injection. In addition, because they rely heavily on client-side code, Web 2.0 applications more often perform some client-side input validation which an attacker can bypass.
- Information Integrity – Information correctness is one of the key elements of data security. While we usually think about loss of integrity due to a malicious hack, unintentional misinformation also leads to loss of integrity.
- Insufficient Anti-Automation – The programmatic interfaces exposed by Web 2.0 applications enable an attacker to automate attacks. Two examples of automation include brute force attacks and CSRF. Other examples include automated retrieval of a large amount of information and automatic opening of accounts, for example as part of a phishing attack.
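The XSS item above turns on one point: rich-text features let users submit HTML, and tags the application never meant to allow are what gets abused. The following is an added example, not code from the report or from this post, of the usual defence: rebuild user-supplied HTML from an allowlist of tags and attributes, using Python's standard-library html.parser. The specific allowlist (bold, italics, paragraphs, line breaks and http/https links) is an assumption chosen for illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "a"}  # assumed allowlist
ALLOWED_ATTRS = {"a": {"href"}}
DROP_CONTENT_TAGS = {"script", "style"}  # text inside these is removed entirely


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # sanitized fragments
        self.open = []       # allowlisted tags still open, so output stays balanced
        self.skip_depth = 0  # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag vanishes; its text is still escaped by handle_data
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops onerror=, onclick=, style=, ...
            if name == "href" and urlparse(value or "").scheme not in ("http", "https"):
                continue  # drops javascript:, data:, and schemeless links
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag != "br":  # br is a void element, never closed
            self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in self.open:
            while self.open[-1] != tag:  # close anything left open inside it first
                self.out.append(f"</{self.open.pop()}>")
            self.out.append(f"</{self.open.pop()}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=True))


def sanitize(user_html: str) -> str:
    p = AllowlistSanitizer()
    p.feed(user_html)
    p.close()
    p.out.extend(f"</{t}>" for t in reversed(p.open))  # close what the user left open
    return "".join(p.out)
```

Comments, declarations and processing instructions are dropped by the parser's default handlers, so only text and allowlisted markup ever reach the output.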
“Companies can address these security vulnerabilities head-on by enforcing strict policies, coupled with unique technological safeguard mechanisms,” said Ofer Shezaf, web security expert and author of the report. Unfortunately, Ofer does not elaborate on how such strict policies would be enforced. Hopefully large, heavy mallets and chairs wired with electrodes are well down toward the bottom of the list of options.
The report is available for download from the Secure Enterprise 2.0 Forum website, and more information is included in this article at ReadWriteWeb.