The Secret of Marketing FHTM Like Professionals

December 27, 2009 by IBI · Leave a Comment 

Where are you spending the bulk of your time in your FHTM Business?

Which one of the four makes you money? Well, if you said #4, making follow-up calls, then give yourself an A+. No matter what business you are involved in, you will have to market and advertise, because new business is the lifeblood of any business. So if you are a new home-based entrepreneur, how will you market yourself and your business to prospective customers?

Well, if your experience is limited to TV, radio and newspaper advertising you may be lost. Do not worry; there is a whole new frontier that you as a business owner can dominate for very little money. The internet will give you more exposure for less cost than any other medium currently available.

Here is a list of your new tools at your disposal:

Is your head spinning out of control? I know there are people who still do not have a computer, or consider themselves computer illiterate, but whatever your experience, the above tools are easily adapted to your level. Most of the tools have step-by-step video instructions that show you exactly what to do. You can follow along on your computer while the video plays.

The trick to this whole thing is to make yourself familiar with all of the tools at your disposal and then to automate as many of them as possible. There are many services to help you automate these tools; one of the best is Wordpress.com, which has created widgets that automate many functions on your webpage. By automating as much as 80% of your marketing and advertising you will have the new leads you need for continued business growth, and you can concentrate your efforts on closing new business with your follow-up calls.

Vic Garlington has been a long time proponent of home based business. He currently shows people how to make various forms of residual income. You can reach him at info@fhtmsystemreview.com

The Basic Components of a Blog

November 19, 2009 by IBI · Leave a Comment 

Are you curious about blogging? Do you feel it’s time you took the plunge and started a blog of your own? Here’s a straightforward beginner’s guide to the world of blogging.

What is a blog?

At a basic level, blogs are websites in which individuals can write about themselves, their thoughts, feelings, and concerns about any subject that interests them. For example, a horse rider might have a blog about horse riding, and the contents of that blog would be all about how she learnt to ride, what equipment she uses, and what her thoughts are about various aspects of riding, competing, or just enjoying her life with horses. Someone else might have a blog about traveling, and he might post updates on the new places he’s seen, what he has experienced there, and what advice he offers fellow travelers. As you can imagine there is no limit to the types of blogs, and thousands more are started each week.


Regardless of the design of a blog, most will contain the following elements:


* Posts – these are the updates added to the blog by the author or any contributor. They can be a few lines or a whole article of several hundred words.

* Comments – these are the responses and reactions from the blog readers to posts by the author.

* Plug-ins – optional extras that a blog owner can add in order to add to the features on the blog. These might be a plug-in which allows the author to display pictures or adverts in the sidebar of the blog, or it might be something that increases the likelihood of the blog being found by search engines. There are thousands of plug-ins available and more are being devised all the time.

* Widgets – like plug-ins, widgets enhance the display or add to the functions on the site. For example, you might want to use the calendar widget so that a calendar appears in the margin of your blog and the days on that calendar are hyperlinked to the posts (updates) you added on that particular day.

* Blogroll – a list of links to other blogs that the author recommends

* Theme – each blog design is known as a theme. There are many hundreds freely available and there are commercially produced themes which anyone can buy. Some bloggers even go as far as having a theme tailor made to their specifications.

How do I get started?

If you are familiar with using the Internet and sending email then getting started in blogging should be very easy for you. You don’t need to know how to build a web site and you won’t need to learn any new skills. All you need to do is register for a free blog at one of the many sites that offer this service. For example, there’s Wordpress, Blogger, or Technorati. Once you’ve registered at one of these sites you can start one or several blogs. As a beginner you’ll probably want to start just the one for now so that you can learn the basics and get used to the various areas. Make good use of the FAQ pages and User Guides on any of these sites. They are generally clear and easy to understand and are there to help you.

Your First Blog

So you’ve registered and created your first blog – now what? Well, this is the fun part, or the difficult part depending on your point of view. The important thing is to adopt the habit of posting as frequently as possible. Add fresh content to your blog as often as you possibly can. This will probably be easy at first, especially if you have started a blog about your favourite pastime or hobby. You’ll be enthusiastic and you’ll have plenty to say so by all means add plenty of posts, but keep something back so that you can keep up the momentum of posting as the weeks pass by.

In my next article I will describe how to enhance the look and feel of your blog, how to interact with other bloggers, and how to make your blog more attractive to search engines so that people will find it. After all, you’ve decided to express yourself so you will need to know how to attract some blog readers!


How Free Blog Templates Improve Your Website

November 19, 2009 by IBI · Leave a Comment 

Whether you use blogging to write your musings online or to promote the products or services you offer, making the right impression is vital. There are ways to retain your readers, and one of the most effective is a great free blog template. You don’t have to worry, because these are certainly plentiful, and you don’t have to hire a professional to build one since there are many user-created templates available.

What are templates?

Templates are the total outline of your website: from the header design to the number of columns, the pattern you need will be in the template. There are several kinds of templates online, but free blog templates are probably the most widely used because they are easily accessible and easy to use.

What can they do for your website?

Templates put character into your website. It is typical for blog hosts to provide a generic template, the basic design you would use for the website. Although most of them also offer other variants, it is easy to end up looking like everyone else. So to separate yourself from the other blogs out there, templates are your answer. Many free blog templates are easily customizable, giving you plenty of room to improve them, which also helps you inject your own personality into your website. You can attract the attention of your intended readers, for instance, with a great header design. The color schemes of most of these templates are also easily changeable, which makes it easy to carry your theme through the blog. Moreover, a good template makes it easy to add widgets or gadgets to your website: photo slideshows, a video section, a calendar and any other plug-ins you can think of.

Where to find free templates?

Fortunately, these templates are everywhere. By using a search engine you can gain access to a treasure trove of user-created templates, ready to be integrated into your own website. Many websites offer an easy download interface and how-tos for beginners. You can even find templates on designers’ own blogs; designers who create free styles sometimes put up websites to offer others a chance to use unique and playful patterns. Before you install one, read through its files: a template runs with the same access to your site as any other code you upload, so make sure it contains nothing you did not ask for, such as links or scripts you do not recognize. So the next time you want to change the look of your website, use free blog templates for quick and easy improvements.

Mark Michael Ferrer, Free Blog Templates

Most Blogs Come Available With Widgets or Plug-in

November 19, 2009 by IBI · Leave a Comment 

If your attempts to make money blogging continue to elude you, rest assured that you are not alone. As simple as the concept of blogging may be, many fail to realize their goals. It should be noted that although these goals vary from one blogger to the next, the obstacles often responsible for their lack of success are the same. These obstacles develop within four areas:

Blog Set-Up

Your blogging platform should reflect who you are and what subject you are blogging about. The layout or format will go a long way towards accomplishing this, so spend some time and thought in this area and have fun with it. And while we’re on the subject of layout, be sure yours is not too cluttered and can be navigated easily by any visitor. Encourage your readers to leave comments and make it easy for them to do so. The site should also be optimized properly for the search engines, enabling the people interested in your subject to find your blog easily. Don’t overlook this part of the setup.

Generate Targeted Traffic

Put the effort into seeking out targeted traffic to your blog. Let people know you exist and what you’re all about. Visiting forums and social network sites, and perhaps writing articles, are great ways to increase your exposure and also pick up new ideas for both your blog design and what to blog about within your particular niche.

Continued Research and Education

Continually find new sources of information for your own education and for content. Failure to do so will eventually kill both your dream and your blog. You’ve hopefully chosen a subject in which you have an interest, if not a full-blown passion. It is this interest or passion that will keep you motivated to regularly seek out the fresh news and information that will sustain the life of your blog.

Post Regularly

This is the area most people have the most difficulty with. No matter what your goals are, you will not reach them if you do not keep fresh content on your blog. Search engines love blogs for this very reason; they show a bit of favoritism towards blogs in the search rankings because of the continual cycle of fresh content found on them. For this same reason readers will keep returning to see what’s new on your site. It’s important to point out here that you should not make a habit of posting something just for the sake of having a new post. If you can’t make your post interesting, innovative, revealing, informative, or at least entertaining, then it’s time to go back to doing some research. Your research will give your posts quality, and your posts will give your blog the same.

Whether you want to make money blogging or just gain exposure for one of your passions, attention and effort must be continually given to these four areas in order to reach your desired goals.

The Basic Components Of A Blog

November 19, 2009 by IBI · Leave a Comment 

Copyright 2009 Ben Lovegrove. Ben runs My Footwear, a blog site listing the best in men’s and women’s footwear, designer shoes and boots, socks, tights, hosiery, stockings, belts and other accessories, frequently updated with the latest offers from a variety of UK footwear and hosiery retailers.



Chapter 3 – The Important Relationship Between AdSense and AdWords

November 18, 2009 by IBI · Leave a Comment 


Before continuing further in the AdSense discussion it is important to understand the relationship between Google AdSense and Google AdWords. When it comes to pay-per-click advertising, AdWords is hands down the Internet leader.

AdWords are the text advertisements that appear down the right-hand side of a Google search page. The ads are directly related to the keywords you use in your Google search, so advertisers are assured that their advertisements are shown to individuals who already have an interest in their product. AdWords is an amazingly powerful and effective advertising platform because businesses are able to advertise in a highly targeted manner.

For example, let’s assume you sell widgets. You can set up your AdWords campaign so that your ad is only shown when people type the word “widgets” into the Google search form. Your ad is then shown only to people with some interest in widgets; if someone types in “cars”, your ad will not be shown.

Obviously Google wishes to make a profit from AdWords so when an individual clicks on one of these ads Google charges the advertiser for the click. There is no set charge, rather advertisers bid for keywords and ad position. The advantage to advertisers is that their money is not wasted on non-interested parties clicking on their ads. With the AdWords system Google has enabled small businesses to compete in the Internet marketplace without breaking the bank.

AdSense was a follow-up program to AdWords, allowing website owners to get a piece of the advertising pie. As an extension of AdWords, AdSense allows website owners to place AdWords ads on their web pages. The difference regarding which ads are displayed is not determined by search keywords, but rather by page content. As an AdSense member, Google gives you a piece of JavaScript to paste in the code of your web page. That’s it. This JavaScript enables Google to decide which ads are most appropriate to show on your web page and tracks ad performance as well.

Google’s advanced content recognition technology even determines which country an Internet surfer is from and displays ads accordingly. For example, if your website sells widgets, Internet surfers in the USA would see advertisements from USA widget retailers and British Internet surfers would see advertisements from British widget retailers. When someone clicks on one of these ads from your website, the advertiser is charged a fee and you receive a portion.

Google has established safeguards preventing website owners from clicking on their ads to generate income. They can determine if someone is committing fraud and will ban such individuals from AdSense forever. Participating in this fraudulent behavior is stealing and hurts the industry in general. When individuals are caught and banned it is a positive for the rest.

It is advised that you open an AdWords account in addition to your AdSense account. This will become clearer as we address future AdSense subjects. Like AdSense, AdWords is free to join.

This was a basic presentation of how AdSense and AdWords are related. It is important to study this relationship further to succeed in generating and maximizing revenue from AdSense. Many website owners simply join AdSense, insert the code, expecting the dollars to flow. When reality and expectation don’t meet, the website owner becomes disillusioned and abandons AdSense. Like most things in life, success takes work and perseverance. If you’re expecting quick money you need to look elsewhere. However, if you do your homework and grasp these fundamental concepts you’re on your way to doing well.

Published by

AdSensePrimer.com

Copyright 2009 AdSensePrimer.com
All rights reserved.

AdSense Primer’s goal is to provide you with informative articles and educational resources regarding Google AdSense. Learn the tricks of the trade in utilizing Google AdSense as a profit center for your website.

Just What Exactly is SEO?

November 16, 2009 by IBI · Leave a Comment 


Search engine optimization, or SEO, is a controversial topic endlessly discussed in the online community. There are those who say that the practice is unethical, as it aims to trick search engines, while others say that highly aggressive optimization is necessary for online survival. But just what exactly is SEO? Why is it important, and why is it so controversial?

You can think of SEO as one way of boosting traffic to your site. If you have set up a site for profit or promotion, you will find that even the best designed, most informative site will not generate revenue without visitors. There are many avenues by which visitors will come to your site: advertising in print media such as magazines, online pay-per-click advertising, advertising in e-mail magazines, word of mouth, domain recognition (i.e., someone typing your site’s domain into their browser), and so on. Many webmasters hope to bring visitors to their site through search engine searches, as this is a form of free traffic. No matter which form of site promotion you choose, you will want to maximize its effectiveness. Pay-per-click ads should be carefully written, domain names should be carefully chosen, and so forth.

SEO is a way of increasing the amount and quality of the traffic your site gets through search engine queries. For example: your site sells widgets. A potential customer types “buy widgets online” into a search engine and gets 24 pages of results. Most internet users will browse the first one or two pages of results only, meaning the sites appearing on the remaining 22 pages will have very little traffic from search engine queries. SEO is simply a collection of techniques for moving your site up higher on the list for that target search phrase.

Let’s take a moment to look at what SEO is NOT, by dispelling some myths about SEO.

SEO costs thousands of dollars and can only be performed by trained experts. FALSE. Making your pages and sites “friendly” to the search engines is relatively easy. Once you learn the basics by modifying existing pages, it will be easy to make optimized pages in the future. There are many free or inexpensive tools to help with your SEO tasks.

SEO will ensure my site is successful. FALSE. SEO is just one way of increasing traffic to your site. You should never neglect other forms of site promotion.

Since SEO is “manipulating” the system, it is unethical or even illegal. FALSE. SEO would only be illegal if it involved clearly illegal acts, such as credit fraud. Major search engines such as Yahoo and Google have set out guidelines for webmasters. SEO techniques that comply with these guidelines are called “white hat” strategies, while those that do not are called “black hat” strategies. A more recent term, “grey hat,” refers to tricks that fall somewhere in the middle. A common black hat trick is hidden text: for example, black text on a black background repeating the target keyword and its variations dozens of times. Since human visitors do not see the text but search engines “read” it, this can boost search engine rankings. Black hat strategies are not illegal, but they do conflict with search engine rules. Sites that use black hat tricks may enjoy good rankings for a few weeks or even months. However, when the search engines discover this, the site will be removed from their index. If a site is removed from a major index like Google or Yahoo, people will still be able to visit that site, but the chances of receiving traffic through search engine queries fall to zero. White hat SEO is not only ethical, it is imperative.

Webmasters are free to republish this article, provided that it is reproduced as is, with no editing, and the links are live hyperlinks

John Case is the author of www.easy-learn-to-earn.com, a free guide to making an income online, and maintains an SEO site at http://www.awordsworth1000pictures.com/


How To Make Money With Google Adsense

November 14, 2009 by IBI · Leave a Comment 

What Is Google Adsense?

The good news is Google Adsense is free. It’s a free tool you can easily access and sign up for. Once you have your web site or blog set up you can use Google Adsense to help monetise your site. So what exactly does this mean? Well, in essence Google are helping you to make money by placing advertising on your site. The adverts are paid for by other people, and when you sign up you agree that Google can place ads onto your page. Every time someone clicks on an ad you get a small fee. It won’t make you a fortune to start with, but it’s free and easy to set up. There are ways of maximising Adsense, but for now we’ll just look at the basics.

If you have a Google Blog you can access Adsense directly through your dashboard; if you have a WordPress blog there are many widgets already set up for this, or you can create your own plugin by following the step-by-step guide they come with.

The simplest way to set up Adsense is to set up a Google account, which is again free. Once you have done this, put Adsense into the Google search box and you will be taken to the Adsense page. Follow the directions and you will see you can customise how you want the ads to look. I personally don’t change anything unless I really need to; just keep clicking Next until you get to the end. You will then be given a code. Copy this by pressing Ctrl + A and Ctrl + C, or use your right mouse button to do this.

Now go back to your site and the dashboard and click on Widgets. Drag the text box over to the sidebar and then paste the code into the box. This will take about 10 minutes to show up, but once it’s there you are all set to make money when anyone clicks on the advert.

The really clever bit is that Google will match the ads to whatever keywords appear on your site, so they look natural, as if they should be there.

Find more useful information on Internet marketing on my website new-to-internet-marketing.com. Thanks, Nicky

Hi, I’m Nicky, a 41 year old female from sunny England. Recently I have discovered there is more in the world than working for someone else, and I am trying to achieve some new goals whilst at the same time hopefully helping others achieve theirs.

Choosing your wordpress theme for your blog

November 13, 2009 by IBI · Leave a Comment 

There are many WordPress themes. Choosing one that will enhance the quality of your links and the propensity of people to buy is a task you need to undertake if you want to make money online.

WordPress themes are available free online if you do a search. The catch is that you have to leave the link to the developer intact. If you don’t want to lose any link juice, you can have a WordPress theme developed just for you.

Here are some things to look for in a Wordpress theme – how to choose the best one, in other words.

· Probably the most important thing is that the theme is compatible across browsers. When you build a site, look at it in Internet Explorer as well as Firefox. Check it out on PCs and Macs if you can. You don’t want anyone’s experience on your website to be diminished because the theme is not compatible with their browser.

· The next feature to look for is the ability to add widgets to your WordPress theme. One of the great features of the WordPress software is the availability of add-on scripts called widgets. These are extremely easy to upload. But if your theme can’t handle widgets easily, it’s not worth it, even if it has a nice look.

· You want your WordPress theme to load quickly. If people have to wait seconds to see your site, they will click the back button before you have the chance to make your case. If you are using a free theme, try loading someone else’s site that uses it before you take the trouble to put it on your own. If the CSS is compressed, this can speed up page load time.

· Is the theme SEO optimized? It doesn’t matter how good your content is if the search engines can’t find it. Things to check for in an SEO-compatible theme include an emphasis on content rather than graphics, valid HTML, and post excerpts on archive and category pages.

· Make sure your WordPress theme has a search capability. This is a basic item, but there are still some themes that don’t support search.

· Is the theme already overused?  If too many marketers are already using the theme, your web site might have a “me too” feel. 

· If you plan to have ads on your site – either banner ads or Adsense – make sure that the theme supports them in its design. 

· Finally, can you grow with the design?  As your site develops, will you be able to keep the same look and feel?  You don’t want to surprise existing viewers with a new theme without a strategic marketing reason for it.

Choose wisely when selecting a word press theme.  How you make money off your site may depend on the theme you pick.

Hardeep Gill is the owner of cheapresalerights, where he sells master resale rights and private label rights ebooks, software, videos and more.

Web 2.0 Security Testing Approach

November 13, 2009 by IBI · Leave a Comment 

Introduction:

Web 2.0 can be defined as the evolving trend of web technologies and web design that aims to enhance the creativity, communication, secure information sharing, collaboration and functionality of Web 1.0. In contrast to the static nature of Web 1.0, Web 2.0 systems rely heavily upon user-generated content. In fact, Web 2.0 has been described as the “participatory Web.” For example, blogs and photo sharing services enable consumers to add and update their own content. While Web 2.0 threats emanate primarily from new usage patterns, several technologies are so widespread in Web 2.0 applications that the security threats associated with them are characteristically considered Web 2.0 security threats. Examples of such technologies include AJAX, widgets, and application platforms such as blogs, wikis and social networks.

Web 2.0 Threats:

Web 2.0 is both a set of technologies and a new set of consumer behaviors. The combination of these two elements has created an enormous opportunity for attackers to exploit online resources for “fun and profit.” It is important to understand the implications of these new risks, particularly when considering employing Web 2.0 technologies for professional and commercial use. Worms of the Yamanner, Samy and SpaceFlash type exploited “client-side” AJAX frameworks, creating new avenues of attack and compromising confidential information. On the “server-side”, XML-based Web services are replacing some key functionality and providing distributed application access through Web services interfaces. These remote capabilities to invoke methods over GET, POST or SOAP from the Web browser itself provide new openings into applications. On the other side, RIA frameworks built on XML, XUL, Flash, applets and JavaScript add new sets of possible attack vectors. RIA, AJAX and Web services are adding new dimensions to Web application security.

Top Web 2.0 Security Threats

Test Approach:

It is the goal of our security research team to further expose these threats as well as to promote the secure use of Web 2.0 technologies for business, so that organizations can take advantage of the huge opportunities afforded by this next generation of the Web in order to do more business.

Our Web 2.0 Security Testing Framework comprises some common web vulnerabilities such as XSS, injections and CSRF as well as some new threats that are harder to mitigate and may fall into the realm of logic issues, such as insufficient authentication and insufficient anti-automation. On top of that, the abstract nature of Web 2.0 turns something like phishing, not usually associated with web applications, into a Web 2.0 problem.

Highlights:

Automated exploitation and accurate vulnerability validation

Comprehensive coverage of all OWASP application vulnerabilities such as Cross-site scripting, SQL injections, HTTP response splitting, Parameter tampering, Hidden field manipulation, Backdoors/debug options, Stealth commanding, Session fixation, Automatic intelligent form filling, Forceful browsing, Application buffer overflow, Cookie poisoning, Third-party mis-configuration, HTTP attacks, XML/SOAP tests, Content spoofing, LDAP injection, XPath injection.

Support for modern websites using JavaScript, Macromedia Flash, AJAX, Java Applets, ActiveX.

Business logic verification and testing.

Combination of automated testing with expert validation & custom exploitation.

Prioritized threat profiling with effective remediation.

The following are the types of tests covered as per our guidelines…

1. AJAX Testing:

AJAX is one of the latest web development techniques for creating more advanced and responsive web applications. Though the usability of AJAX provides many useful features, it also opens wide the possibility of vulnerabilities being introduced if the application is not designed and developed properly. The conventional web application vulnerabilities apply to AJAX-based development, along with several specific vulnerabilities such as Cross-Site Request Forgery (CSRF/XSRF).

1.1 Testing for Cross-site scripting vulnerabilities in AJAX

In the past few months several organizations, including Yahoo Mail and Myspace.com, reported cross-site scripting attacks in which malicious JavaScript code from a particular Web site gets executed in the victim’s browser, thereby compromising information. AJAX code executes on the client side, which gives a malicious script injected by an attacker a place to run. The attacker is only required to craft a malicious link and coax unsuspecting users into visiting a certain page from their Web browsers. This vulnerability existed in traditional applications as well, but AJAX has added a new dimension to it.

1.2 Testing for Malicious AJAX code execution

AJAX calls are silent: end users cannot tell whether or not the browser is making background calls using the XMLHttpRequest object. When the browser makes an AJAX call to any Web site it replays that site’s cookies with each request. This can lead to potential opportunities for compromise.

1.3 Testing for Client side validation in AJAX routines

Today, in the era of Web 2.0, most applications use AJAX routines to perform many activities on the client side, such as client-side validation of data types, content checking, date fields, etc. Developers often make the mistake of assuming that validation is taken care of in the AJAX routines. These client-side checks must be backed up by server-side checks as well. It is possible to bypass AJAX-based validation and make POST or GET requests directly to the application – a major source of input-validation-based attacks such as SQL injection, LDAP injection, etc. that can compromise a Web application’s key resources.
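The two points in 1.2 and 1.3, that the browser replays cookies on every silent XMLHttpRequest and that client-side validation proves nothing to the server, translate into two checks an AJAX endpoint has to make itself. The following is an added example written for this page, not code from the original article or from iViZ; the origin, session table, token value and field rules are constructed placeholders.

```python
import hmac
import re
from datetime import date

# Constructed values: the origin this application is served from and a server-side
# session table holding the anti-CSRF token issued to each session.
ALLOWED_ORIGINS = {"https://app.example.com"}
SESSIONS = {"sess-1": {"user": "alice", "csrf_token": "7f3c0d2b9a1e4f68"}}

# Server-side copies of the rules the AJAX routines enforce in the browser.
FIELD_RULES = {
    "username": re.compile(r"[A-Za-z0-9_]{3,32}"),
    "email": re.compile(r"[^@\s]{1,64}@[^@\s]{1,255}"),
}


def csrf_ok(headers: dict, cookies: dict) -> bool:
    """Reject requests a browser issued silently on behalf of another site.

    The session cookie proves nothing on its own: the browser attaches it to every
    XMLHttpRequest. Two independent checks are applied: the Origin header must name
    this application, and the token sent in a custom header must match the one
    bound to the session on the server (synchronizer token pattern).
    """
    if headers.get("Origin") not in ALLOWED_ORIGINS:
        return False
    session = SESSIONS.get(cookies.get("sid", ""))
    if session is None:
        return False
    sent = headers.get("X-CSRF-Token", "")
    return hmac.compare_digest(sent, session["csrf_token"])


def validate_fields(form: dict) -> dict:
    """Re-validate every field on the server; return {field: problem} for rejects."""
    errors = {}
    for name, rule in FIELD_RULES.items():
        if not rule.fullmatch(form.get(name, "")):
            errors[name] = "does not match allowed format"
    try:
        date.fromisoformat(form.get("start_date", ""))
    except ValueError:
        errors["start_date"] = "not an ISO date"
    return errors


def handle_profile_update(headers: dict, cookies: dict, form: dict):
    """Minimal request handler: returns (HTTP status, response body)."""
    if not csrf_ok(headers, cookies):
        return 403, {"error": "cross-site request rejected"}
    errors = validate_fields(form)
    if errors:
        return 400, {"errors": errors}
    # Only now is it safe to hand these values to the data layer.
    return 200, {"ok": True, "user": SESSIONS[cookies["sid"]]["user"]}
```

A request assembled with a raw POST that skips the AJAX validation routine still hits `validate_fields`, and a request the browser fired from another origin fails `csrf_ok` even though the session cookie was replayed. The 403 and 400 responses are also the events worth logging: a burst of them from one session or address is a cheap detection signal.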

2. Testing for Insufficient Authentication Control

In many Web 2.0 applications, content is trusted in the hands of many users, not just a select number of authorized personnel. That means there’s a greater chance that a less-experienced user will make a change that will negatively affect the overall system. This change in a system’s design can also be exploited by hackers who now have access to a greater number of “administrative” accounts whose passwords can often be easily cracked if the correct security controls are not in place. The systems also may have insufficient brute-force controls, permit clear text passwords, or have been tied together in a single-sign-on environment, making an attack that much riskier.

3. Testing for XML Poisoning

XML traffic goes back and forth between server and browser in many Web 2.0 applications. Web applications consume XML blocks coming from AJAX clients, and it is possible to poison these XML blocks. A common technique is to apply recursive payloads that reproduce similar XML nodes many times over; if the parser’s handling is poor this can result in a denial of service on the server. Many attackers also produce malformed XML documents that can disrupt logic depending on the parsing mechanism in use on the server. There are two types of parsing mechanisms available on the server side – SAX and DOM. This same attack vector is also used against Web services, since they consume SOAP messages and SOAP messages are nothing but XML messages. Large-scale adoption of XML at the application layer opens up new opportunities to use this attack vector. XML external entity references are an XML feature which can be manipulated by an attacker; this can lead to arbitrary file reads or TCP connections being opened that an attacker can leverage. XML schema poisoning is another XML poisoning attack vector, which can change execution flow. This vulnerability can help an attacker compromise confidential information.
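The recursive-payload, malformed-document and external-entity cases above are all handled before or during parsing, not after. The following is an added example for this page, not code from the original article or from iViZ: it rejects any DTD (where entity expansion and external entity declarations live), bounds size, nesting depth and node count, and parses in a streaming, SAX-like fashion so the limits apply before a whole DOM is materialized. The limits are constructed placeholders; size them to the messages your API actually exchanges.

```python
import io
import re
import xml.etree.ElementTree as ET

MAX_BYTES = 64 * 1024   # constructed limit on document size
MAX_DEPTH = 32          # constructed limit on element nesting
MAX_ELEMENTS = 10_000   # constructed cap on total elements

# AJAX and SOAP payloads never need a DTD, so any DOCTYPE or ENTITY declaration
# is refused outright: that removes both entity-expansion DoS and XXE in one step.
DTD_MARKERS = re.compile(rb"<!DOCTYPE|<!ENTITY", re.IGNORECASE)


class UnsafeXML(ValueError):
    """Raised when an untrusted document is rejected before or during parsing."""


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse XML from an untrusted client under explicit resource limits."""
    if len(data) > MAX_BYTES:
        raise UnsafeXML(f"document exceeds {MAX_BYTES} bytes")
    if b"\x00" in data:
        # Heuristic: UTF-16/32 encoded input would slip past the byte-level
        # DTD check, so only single-byte encodings are accepted here.
        raise UnsafeXML("only UTF-8 documents are accepted")
    if DTD_MARKERS.search(data):
        raise UnsafeXML("DTD or entity declaration not allowed")

    depth = 0
    count = 0
    root = None
    try:
        # iterparse is event driven: depth and count are enforced element by
        # element, before the parser has built the complete tree.
        for event, elem in ET.iterparse(io.BytesIO(data), events=("start", "end")):
            if event == "start":
                if root is None:
                    root = elem
                depth += 1
                count += 1
                if depth > MAX_DEPTH:
                    raise UnsafeXML(f"nesting deeper than {MAX_DEPTH}")
                if count > MAX_ELEMENTS:
                    raise UnsafeXML(f"more than {MAX_ELEMENTS} elements")
            else:
                depth -= 1
    except ET.ParseError as exc:
        # Malformed input is a normal rejection, not a crash in the handler.
        raise UnsafeXML(f"malformed XML: {exc}") from None
    if root is None:
        raise UnsafeXML("empty document")
    return root
```

Each rejection reason is a distinct, loggable event; repeated DTD or depth rejections from one client are exactly the kind of probing a SOC wants to see.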

4. Testing for RSS/Atom Injection

This is a new Web 2.0 attack. RSS feeds are a common means of sharing information on portals and Web applications. These feeds are consumed by Web applications and sent to the browser on the client side. One can inject literal JavaScript into RSS feeds to generate attacks on the client browser. An end user visits the Web site, loads the page with the RSS feed, and the malicious script – a script that can install software or steal cookies – gets executed. This is a lethal client-side attack; worse, it can be mutated. With RSS and Atom feeds becoming an integral part of Web applications, it is important to filter out certain characters on the server side before pushing the data out to the end user.
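The server-side step the paragraph calls for is output encoding of every feed string at the point it is written into HTML, plus a scheme allowlist on the item links so a `javascript:` URL never becomes an anchor. The following is an added example for this page, not code from the original article or from iViZ; the feed is constructed inline and contains a script in a title, markup in a description and a non-http link.

```python
import html
import xml.etree.ElementTree as ET
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed feed: one benign entry and one carrying the injection patterns
# described in the text (script in the title, markup in the description,
# a javascript: link).
SAMPLE_FEED = b"""<?xml version="1.0"?>
<rss version="2.0"><channel><title>Constructed feed</title>
<item><title>Normal post</title><link>https://blog.example.com/p/1</link>
<description>Plain text entry</description></item>
<item><title>Bad &lt;script&gt;alert(1)&lt;/script&gt; post</title><link>javascript:alert(1)</link>
<description>&lt;img src=x onerror=alert(1)&gt;</description></item>
</channel></rss>"""


def safe_link(url: Optional[str]) -> Optional[str]:
    """Keep only absolute http(s) URLs; javascript:, data: and relative links are dropped."""
    if not url:
        return None
    url = url.strip()
    parts = urlsplit(url)
    if parts.scheme.lower() in ("http", "https") and parts.netloc:
        return url
    return None


def feed_items(feed_xml: bytes) -> List[dict]:
    """Extract title/link/description per item; strings are still untrusted here."""
    root = ET.fromstring(feed_xml)
    items = []
    for item in root.iter("item"):
        items.append({
            "title": (item.findtext("title") or "").strip(),
            "link": safe_link(item.findtext("link")),
            "description": (item.findtext("description") or "").strip(),
        })
    return items


def render_items(feed_xml: bytes) -> str:
    """Render entries as an HTML list, HTML-encoding every untrusted string on output."""
    parts = []
    for it in feed_items(feed_xml):
        title = html.escape(it["title"], quote=True)
        desc = html.escape(it["description"], quote=True)
        if it["link"]:
            href = html.escape(it["link"], quote=True)
            parts.append(f'<li><a href="{href}" rel="noopener">{title}</a>: {desc}</li>')
        else:
            # No trustworthy link: render the title as plain text rather than an anchor.
            parts.append(f"<li>{title}: {desc}</li>")
    return "<ul>\n" + "\n".join(parts) + "\n</ul>"
```

Encoding on output, rather than stripping a blacklist of characters, is what makes the mutation the text warns about irrelevant: whatever the payload looks like, it reaches the browser as text. If a feed must carry real markup in descriptions, that needs an allowlisting HTML sanitizer rather than `html.escape`, and the feed bytes should pass through the same size and DTD limits as any other XML the application accepts.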

5. Testing for Information Integrity

Data integrity is one of the key elements of data security. Although a hack could lead to loss of integrity, so can unintentional misinformation. A great example of this in the public arena is a mistaken edit on Wikipedia which is then accepted as fact by many of the site’s visitors. In a business environment, having systems open to many users allows a malicious or mistaken user or users to post and publish inaccurate information which destroys the integrity of the data.

6. Testing for WSDL Scanning and Enumeration

WSDL (Web Services Definition Language) is an interface to Web services. The WSDL file provides key information about technologies, exposed methods, invocation patterns, etc. This is very sensitive information and can help in defining exploitation methods. Unnecessary functions or methods left open can cause potential disaster for Web services. It is important to protect the WSDL file or provide only limited access to it. In real-case scenarios, it is possible to discover several vulnerabilities using WSDL scanning.

7. Testing for CSRF

8. Testing for web services routing issues

Web services security protocols include WS-Routing. WS-Routing allows SOAP messages to travel in a specific sequence through various nodes on the Internet. Often encrypted messages traverse these nodes. A compromise of any of the intermediate nodes results in possible access to the SOAP messages traveling between two end points. This can be a serious security breach for SOAP messages. As Web applications move to adopt the Web services framework, focus shifts to these new protocols and new attack vectors are generated.

9. Testing for Insufficient Anti Automation

Programmatic interfaces of Web 2.0 applications let hackers automate attacks more easily. In addition to brute force and CSRF attacks, other examples include the automated retrieval of large amounts of information and the automated opening of accounts. Anti-automation mechanisms like CAPTCHAs can help slow down or thwart these types of attacks.
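Sections 2 and 9 both come down to budgets: how many failed logins an account or a source address may accumulate, and how many accounts one address may open, inside a window. The following is an added example for this page, not code from the original article or from iViZ: a sliding-window limiter and a small guard that applies it to logins and signups, with a manual clock so the windows can be exercised without waiting. The numeric budgets are constructed placeholders.

```python
import time
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Counts events per key over a trailing window and reports when a budget is spent."""

    def __init__(self, limit: int, window_s: float, clock=time.monotonic):
        self.limit = limit
        self.window_s = window_s
        self.clock = clock
        self._events = defaultdict(deque)

    def _live(self, key: str, now: float) -> deque:
        # Drop timestamps that have aged out of the window before counting.
        q = self._events[key]
        while q and now - q[0] >= self.window_s:
            q.popleft()
        return q

    def exhausted(self, key: str) -> bool:
        return len(self._live(key, self.clock())) >= self.limit

    def record(self, key: str) -> None:
        now = self.clock()
        self._live(key, now).append(now)


class ManualClock:
    """Constructed clock so the limiter can be driven deterministically."""

    def __init__(self):
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class LoginGuard:
    """Applies brute-force and anti-automation budgets to an authentication endpoint."""

    def __init__(self, clock=time.monotonic):
        # Constructed budgets; tune them to the application's real traffic.
        self.per_account = SlidingWindowLimiter(5, 300, clock)   # failed logins per account
        self.per_source = SlidingWindowLimiter(50, 300, clock)   # failed logins per client address
        self.signups = SlidingWindowLimiter(3, 3600, clock)      # new accounts per client address
        self.events = []  # detection trail: what would be shipped to the SIEM

    def login_attempt(self, account: str, source_ip: str, password_ok: bool) -> str:
        """Returns "ok", "denied" or "throttled"; only failures consume budget."""
        if self.per_account.exhausted(account) or self.per_source.exhausted(source_ip):
            self.events.append(("login_throttled", account, source_ip))
            return "throttled"
        if password_ok:
            return "ok"
        self.per_account.record(account)
        self.per_source.record(source_ip)
        self.events.append(("login_failed", account, source_ip))
        return "denied"

    def signup_attempt(self, source_ip: str) -> str:
        if self.signups.exhausted(source_ip):
            self.events.append(("signup_throttled", source_ip))
            return "throttled"
        self.signups.record(source_ip)
        return "ok"
```

Once the per-account budget is spent, even a correct password is throttled for the rest of the window. That is deliberate, and it is also why the per-account window is short and the per-source budget is larger: a hard, long lockout lets anyone deny a user access, so the usual escalation after the budget is spent is the CAPTCHA step the text mentions rather than a permanent lock. The `events` list is the other half of the control: throttling without a log leaves the SOC blind to the attempt.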

When introducing Web 2.0 into the workplace, it’s important to have a good understanding of the types of risks involved. That said, while Web 2.0 may present different types of challenges, they are not necessarily any worse than the risks involved with legacy applications – they are just different. And the opportunities that Web 2.0 technology can provide a business make overcoming these potential threats worth the effort.

10. Testing for Parameter manipulation with SOAP

Web services consume information and variables from SOAP messages, and it is possible to manipulate these variables. For example, “10” is one of the nodes in a SOAP message. An attacker can start manipulating this node and try different injections – SQL, LDAP, XPATH, command shell – to explore possible attack vectors and get hold of internal machines. Incorrect or insufficient input validation in Web services code leaves the Web services application open to compromise. This is a new attack vector available to target Web applications running with Web services.

11. Testing for XPATH Injection in SOAP Messages

XPATH is a language for querying XML documents and is similar to SQL statements, where we supply certain information (parameters) and fetch rows from the database. XPATH parsing capabilities are supported by many languages. Web applications consume large XML documents, and many times these applications take inputs from the end user and form XPATH statements from them. These sections of code are vulnerable to XPATH injection. If XPATH injection is executed successfully, an attacker can bypass authentication mechanisms or cause the loss of confidential information. There are a few known flaws in XPATH that can be leveraged by an attacker. The only way to block this attack vector is by providing proper input validation before passing values to an XPATH statement.
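Sections 10 and 11 share one remedy: every value taken out of a SOAP message is validated against an allowlist before it reaches a query, and secrets are never interpolated into the query at all. The following is an added example for this page, not code from the original article or from iViZ. It parses a login operation out of a SOAP 1.1 envelope (the envelope namespace is the real one; the service namespace, user store and hashing are constructed), allowlists the username, and checks the password in code rather than inside the XPath predicate. The same type-and-range validation applies to numeric nodes such as the “10” mentioned above.

```python
import hashlib
import hmac
import re
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope namespace
APP_NS = "urn:example:accounts"                        # constructed service namespace

# Allowlist for usernames: no quotes, brackets, spaces or operators can pass.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def _pw_hash(salt: str, password: str) -> str:
    # Demo-only hashing; a real service uses a password KDF (bcrypt/scrypt/Argon2).
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


def build_user_store() -> ET.Element:
    """Constructed XML-backed user store that the service queries with XPath."""
    root = ET.Element("users")
    ET.SubElement(root, "user", name="alice", role="user",
                  salt="n1", pwhash=_pw_hash("n1", "correct horse"))
    ET.SubElement(root, "user", name="admin", role="admin",
                  salt="n2", pwhash=_pw_hash("n2", "battery staple"))
    return root


def make_login_envelope(username: str, password: str) -> bytes:
    """Builds the SOAP request a client would send (used here to construct input)."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    login = ET.SubElement(body, f"{{{APP_NS}}}login")
    ET.SubElement(login, f"{{{APP_NS}}}username").text = username
    ET.SubElement(login, f"{{{APP_NS}}}password").text = password
    return ET.tostring(env)


def extract_login_params(envelope: bytes):
    """Pull the two parameters out of the SOAP Body; missing structure is an error."""
    root = ET.fromstring(envelope)
    login = root.find(f"./{{{SOAP_NS}}}Body/{{{APP_NS}}}login")
    if login is None:
        raise ValueError("missing login operation in SOAP Body")
    username = login.findtext(f"{{{APP_NS}}}username") or ""
    password = login.findtext(f"{{{APP_NS}}}password") or ""
    return username, password


def validate_username(name: str) -> str:
    if not USERNAME_RE.fullmatch(name):
        raise ValueError("username rejected: characters outside the allowlist")
    return name


def authenticate(store: ET.Element, envelope: bytes) -> bool:
    username, password = extract_login_params(envelope)
    safe_name = validate_username(username)
    # Only the allowlisted username reaches the XPath expression. The password is
    # never embedded in the query; it is compared in code, in constant time, so a
    # crafted password value has no predicate to break out of.
    node = store.find(f"./user[@name='{safe_name}']")
    if node is None:
        return False
    return hmac.compare_digest(node.get("pwhash"), _pw_hash(node.get("salt"), password))
```

ElementTree implements only a subset of XPath and stands in here for a full engine; the pattern matters more than the library. An XPath engine that supports `or` would accept an `admin' or '1'='1` style username if it were interpolated raw, which is exactly why `validate_username` runs first and why the value being validated is the one in the message, not the one the client-side form claimed to send.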

12. Testing for RIA Thick Client Binary Manipulation

Rich Internet Applications (RIA) use very rich UI features such as Flash, ActiveX controls or Applets as their primary interfaces to Web applications. There are a few security issues with this framework. One of the major issues is session management, since the component runs in the browser and shares the same session. At the same time, since the entire binary component is downloaded to the client, an attacker can reverse engineer the binary file and decompile the code. It is possible to patch these binaries and bypass some of the authentication logic contained in the code. This is another interesting attack vector for Web 2.0 frameworks.

Tools Used:

Appscan

Acunetix

iViZ APT

OWASP Sprajax Tool

ScanAjax

Conclusion:

The three most important technological vectors for Web 2.0 applications are AJAX, RIA and Web services. Despite the huge benefits afforded by Web 2.0, they do not come without a cost. To enable increased user interaction, integration APIs and web applications need to be more complex and need to support an ever-increasing set of clients. With these new technologies come new security issues, and ignoring them can lead to big disasters for the corporate world. In this document the discussion was restricted to some common attacks, but there are several other attack vectors as well. With the advent of Web 2.0 we also focus on the security aspects associated with its different components, to grow the security awareness, secure coding practices and secure deployments which offer the best defense against these new attack vectors.

Somnath has been working as an Information Security Consultant at iViZ Techno Solutions, India and has successfully carried out countless assignments on vulnerability assessment, penetration testing, web application security, threat modeling and PCI DSS compliance for various banking sector firms, financial institutions, government organizations, defense, software development companies, leading BPOs and various small, mid-size and large industries. He holds security certifications such as OSCP and CNSM.
