Ok, I know I'm a little early, but here's my yearly list of application security predictions. Admittedly I may be a year or two early on a few of them; however, read them over and give them some thought.
Rich Internet Applications (RIA): .NET 3.0 WPF and Adobe Flex
The next big buzzword is going to be Rich Internet Applications (RIA), even if you don't like it. We haven't seen the end of thick client-side applications, as Microsoft (WPF in .NET 3.0), Mozilla (XUL) and Adobe (Flex) are going to show us. These RIA applications are going to change the way we use the web, there's no doubt, and I'm not just jumping on the hype wagon early. Users will begin to see these applications appear, get used to them and expect them to some extent. RIA is the next AJAX (double meaning implied :).
XSS, Phishing and Worms Will Continue
Cross-site scripting isn't going away and, as a matter of fact, is only becoming more and more useful. Worms crossing over to handheld devices wouldn't be surprising. Even worms borrowing CPU cycles to perform a task, in a similar fashion to applications like SETI and distributed.net, wouldn't be too surprising. Attacks on larger communities involving banking transactions, with both phishing and XSS utilizing CSRF, will begin, which is a nice segue to my next prediction.
Cross Site Request Forgery Will Emerge
CSRF is in its infancy and is now what XSS was 4 years ago. The power of Cross Site Request Forgery will become apparent once the first site exploited for financial gain reaches the media. Once money theft becomes involved, expect regulatory changes, including possible compliance guideline changes. Frankly, I'm beyond surprised that a web worm hasn't taken advantage of this already.
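The defence the post is alluding to here is the per-session anti-CSRF token (plus a cheap Origin/Referer sanity check). The following is an added example, not code from the original post: a small stand-alone guard that issues a random token for a session, stores it server-side, and validates that a state-changing request carries the matching token and, when the browser supplies one, an Origin or Referer on the expected host. The session ids, the `bank.example` host and the request dictionaries are constructed for illustration.

```python
import hmac
import secrets
from urllib.parse import urlparse


class CsrfGuard:
    """Synchronizer-token CSRF guard with an optional Origin/Referer check."""

    def __init__(self, allowed_host):
        self.allowed_host = allowed_host
        # session_id -> token; stands in for a real server-side session store
        self._tokens = {}

    def issue(self, session_id):
        """Mint a fresh unpredictable token and bind it to this session."""
        token = secrets.token_urlsafe(32)
        self._tokens[session_id] = token
        return token

    def verify(self, session_id, request):
        """Return True only if the request may perform a state change.

        request is a dict with the fields a framework would expose:
        'form' (POST body), 'headers' (HTTP headers).  Constructed shape.
        """
        expected = self._tokens.get(session_id)
        submitted = request.get("form", {}).get("csrf_token")
        if expected is None or submitted is None:
            return False
        # constant-time comparison so the token cannot be guessed byte by byte
        if not hmac.compare_digest(expected, submitted):
            return False
        headers = request.get("headers", {})
        # browsers add Origin to cross-site POSTs; fall back to Referer
        source = headers.get("Origin") or headers.get("Referer")
        if source is not None and urlparse(source).hostname != self.allowed_host:
            return False
        return True


def transfer_funds(guard, session_id, request):
    """Sample state-changing handler: refuse before touching any money."""
    if not guard.verify(session_id, request):
        return "rejected: CSRF check failed"
    amount = request["form"]["amount"]
    return f"transferred {amount}"


if __name__ == "__main__":
    guard = CsrfGuard("bank.example")
    token = guard.issue("session-A")
    # legitimate same-site form post
    good = {"form": {"csrf_token": token, "amount": "100"},
            "headers": {"Origin": "https://bank.example"}}
    # forged post from a third-party page: no token, foreign Origin
    forged = {"form": {"amount": "100"},
              "headers": {"Origin": "https://other.example"}}
    print(transfer_funds(guard, "session-A", good))
    print(transfer_funds(guard, "session-A", forged))
```

The token is tied to the session rather than embedded globally, so a token leaked from one victim's page is useless against another session, and the Origin check is only a secondary signal because older clients may omit both headers.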
Web Feed Exploits
I gave a talk last year at Black Hat about RSS and Atom feed vulnerabilities and included it in my list of 2006 predictions (so I had a little inside knowledge, big whoop :). Since that talk, multiple advisories have been published and people are slowly starting to catch on to the things that you can do with web feeds, including how they are used. Expect more from this area, as well as a potential worm.
The Browser History Theft Business
As I spoke about previously, it is possible for a marketer/attacker/person to identify which websites you've visited, how you got there, and which pages you visited on that website by exploiting functionality in CSS. This can be used by phishers to see which sites you frequent, to identify which website they should be phishing next. Expect to hear more about this in the upcoming year. Read this post for more information on what can be done.