
Did You Get the Web 2.0 Memo?

No, you did not miss the memo or a software upgrade notice, yet you've already arrived at Web 2.0

Forging Request Headers Using Flash
Flash, the popular browser add-on from Adobe, has been found to let ActionScript code inside a Flash file set and send HTTP request headers. Simply put, the ability of a hacker to cause a victim's browser to send forged HTTP requests to third-party Websites has many serious security implications:

Browsers in general limit how large a potentially malicious payload can be sent in a forged request header. This browser limitation was thought to have reduced the risk of the recent Apache Expect Header vulnerability. Malicious hackers quickly found a way around the browser limitation by packaging the forged requests into a Flash file. The specially coded Flash file delivers the full malicious payload without the size restriction of a typical browser. Hence, the risk associated with the Apache Web server Expect Header vulnerability increased greatly once Flash was found to be a reliable delivery vehicle.

The ability to forge HTTP request headers has been successfully demonstrated with Microsoft IE 6.0 as well as Firefox 1.5.0.4 while running either Flash 7.0X or 8.0X.
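As an added illustration (not code from the article), here is a gateway-side check for the two signals this section describes: an Expect header carrying something other than the one value HTTP/1.1 defines, and header values larger than a browser would normally send. The size threshold and the sample requests are constructed assumptions.

```python
from typing import Dict, List

# Assumed threshold (the article only says browsers cap header size):
# a header value above this is treated as not browser-originated.
MAX_HEADER_VALUE = 1024

# The only Expect value HTTP/1.1 defines (RFC 2616, section 14.20).
EXPECTED_EXPECT = "100-continue"


def parse_request_headers(raw: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP request into a lowercase-keyed dict."""
    headers: Dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:   # skip the request line
        if not line:                      # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def inspect_request(raw: str) -> List[str]:
    """Return a list of findings; an empty list means nothing suspicious."""
    findings: List[str] = []
    headers = parse_request_headers(raw)
    expect = headers.get("expect")
    if expect is not None and expect.lower() != EXPECTED_EXPECT:
        findings.append(f"Expect header is not 100-continue ({len(expect)} bytes)")
    for name, value in headers.items():
        if len(value) > MAX_HEADER_VALUE:
            findings.append(f"{name} header is {len(value)} bytes, above browser-sized limit")
    return findings


# Constructed sample requests (not captured traffic).
BROWSER_REQUEST = (
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (constructed)\r\nAccept: */*\r\n\r\n"
)
# A forged request of the kind the article describes: an oversized
# Expect header that a browser alone could not have sent.
FORGED_REQUEST = (
    "GET / HTTP/1.1\r\nHost: www.example.com\r\n"
    "Expect: " + "A" * 3000 + "\r\n\r\n"
)

if __name__ == "__main__":
    print(inspect_request(BROWSER_REQUEST))   # []
    print(inspect_request(FORGED_REQUEST))    # two findings
```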

Backdooring Media Files
Using the scripting capability of one product to exploit a vulnerability in another is nothing new in our Web 2.0 world. We have seen this used successfully with Flash and QuickTime and have seen a theoretical backdooring exploit with PDF files. However, recently we have seen a move to backdooring even more popular media file types – MP3 files – with proof-of-concept code.

Risk Mitigation Considerations in a Web 2.0 World
Risk mitigation of Web 2.0 threats begins with closing the doors opened by the evolution from Web 1.0. While the risks are many, the vast majority involve malicious hackers hiding their handiwork in areas that remain uninspected in our Web 2.0 world. Among the greatest risks are the ability to append JavaScript for the purpose of creating Websites that host Web-borne malware, and the insertion of URLs in social Websites and blogs. We can no longer afford to place implicit trust in Web services.

The first suggested layer of defense and risk mitigation is next-generation reputation technology. Fortunately, many of the Websites that host malware or malicious code are easily identified by reputation defenses and effectively blocked. The recent widespread greeting-card spam e-mails that direct users to malware-downloading Websites demonstrated just how effective reputation-based defenses can be.

Anti-malware should be the second layer of defense for Web 2.0 threats. It requires that all traffic returned in response to a user's GET request to an Internet-based Web server be fully inspected for malicious intent. Unlike traditional anti-virus solutions, which rely on signatures of known attacks and on heuristics to identify threats, "anti-malware" in this case refers to technology that analyzes a returned HTTP response for scripted code of malicious intent. The breadth and depth of its knowledge of scripting technologies such as ActiveX and JavaScript, together with its ability to decode typical encoding techniques, determine the effectiveness of such an anti-malware solution.
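As an added example (not code from the article or any product), the following sketches the decoding step the paragraph describes: a returned HTTP response body is unwrapped through common encoding layers (HTML entities, percent-encoding as used by unescape(), String.fromCharCode sequences) until it stops changing, and only then is it scanned for script constructs. The indicator list and the sample body are constructed assumptions.

```python
import html
import re
from typing import Dict, List
from urllib.parse import unquote

# Pattern for String.fromCharCode(97,108,...) with decimal code points.
_FROM_CHAR_CODE = re.compile(r"String\.fromCharCode\(\s*([\d,\s]+)\)")


def _expand_char_codes(match: "re.Match[str]") -> str:
    codes = [c.strip() for c in match.group(1).split(",") if c.strip()]
    return "".join(chr(int(c)) for c in codes)


def decode_layers(body: str, max_rounds: int = 5) -> str:
    """Peel typical encoding layers until the text stops changing."""
    for _ in range(max_rounds):
        decoded = html.unescape(body)                 # &lt;script&gt; -> <script>
        decoded = unquote(decoded)                    # %3Cscript%3E -> <script>
        decoded = _FROM_CHAR_CODE.sub(_expand_char_codes, decoded)
        if decoded == body:
            break
        body = decoded
    return body


# Constructed indicator set; a real engine would carry far more.
SCRIPT_INDICATORS: Dict[str, "re.Pattern[str]"] = {
    "script_tag": re.compile(r"<script\b", re.I),
    "activex": re.compile(r"ActiveXObject\s*\(", re.I),
    "eval": re.compile(r"\beval\s*\(", re.I),
    "document_write": re.compile(r"document\.write\s*\(", re.I),
}


def inspect_response(body: str) -> List[str]:
    """Decode the response body, then return the sorted indicator names found."""
    decoded = decode_layers(body)
    return sorted(name for name, pat in SCRIPT_INDICATORS.items() if pat.search(decoded))


# Constructed sample: an obfuscated script block of the kind signature
# scanners miss because the literal string "<script>" never appears.
OBFUSCATED_BODY = (
    "document.write(unescape('%3Cscript%3Eeval("
    "String.fromCharCode(97,108,101,114,116))%3C/script%3E'))"
)

if __name__ == "__main__":
    print(inspect_response("<html><body>hello</body></html>"))   # []
    print(inspect_response(OBFUSCATED_BODY))                     # decoded indicators
```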

More Stories By Paul A. Henry

Paul Henry is a global information security expert with more than 20 years' experience managing security initiatives for Global 2000 enterprises and government organizations worldwide. At Secure Computing, he plays a key strategic role in new product development and directions. In his role as vice president of technology evangelism, he also advises and consults on some of the world's most challenging and high-risk information security projects, including the National Banking System in Saudi Arabia, the Department of Defense's Satellite Data Project in the USA, and both government and telecommunications projects throughout Japan.

Most Recent Comments
Julian 09/19/07 07:23:21 PM EDT

Awesome read - well done...
We recently wrote a blog post that's probably also of interest to readers on this topic. http://julian101.com/archives/88

It talks about Web2.0 and sheds some light on whether we're really at Web2.0 or Web 16.0...

Julian Stone - ProWorkflow.com