Wednesday, April 25, 2007

Session Hijacking

Session hijacking is the act of taking control of a user session after successfully obtaining or generating an authentication session ID. Session hijacking involves an attacker using captured, brute-forced or reverse-engineered session IDs to seize control of a legitimate user's Web application session while that session is still in progress.

Detailed description

HTTP is stateless, so application designers had to develop a way to track the state between multiple connections from the same user, instead of requesting the user to authenticate upon each click in a Web application. A session is a series of interactions between two communication end points that occurs during the span of a single connection. When a user logs into an application a session is created on the server in order to maintain the state for other requests originating from the same user.

Applications use sessions to store parameters which are relevant to the user. The session is kept "alive" on the server as long as the user is logged on to the system. The session is destroyed when the user logs out of the system or after a predefined period of inactivity. When the session is destroyed, the user's data should also be deleted from the allocated memory space.

A session ID is an identification string (usually a long, random, alpha-numeric string) that is transmitted between the client and the server. Session IDs are commonly stored in cookies, URLs and hidden fields of Web pages. A URL containing the session ID might look something like:

http://www.123somesite.com/view/7AD30725122120803

In an HTML page, a session ID may also be stored as a hidden form field.

Sometimes, cookies are set to expire (be deleted) upon closing the browser. These are termed "session cookies" or "non-persistent" cookies. Cookies that last beyond a user's session (e.g., via a "Remember Me" option) are termed "persistent" cookies. Persistent cookies are usually stored on the user's hard drive. Their location is determined according to the particular operating system and browser (e.g., C:\Documents and Settings\username\Cookies for Internet Explorer on Windows 2000).

There are several problems with session IDs. Many popular websites use algorithms based on easily predictable variables, such as time or IP address, to generate session IDs, which makes those IDs predictable. If encryption is not used (typically SSL), session IDs are transmitted in the clear and are susceptible to eavesdropping.

Session hijacking involves an attacker using captured, brute-forced or reverse-engineered session IDs to seize control of a legitimate user's session while that session is still in progress. In most applications, after successfully hijacking a session, the attacker gains complete access to all of the user's data, and is permitted to perform operations in the name of the user whose session was hijacked.

There are three primary techniques for hijacking sessions:

  1. Brute force - the attacker tries multiple IDs until successful.
  2. Calculate - in many cases, IDs are generated in a non-random manner and can be calculated.
  3. Steal - using different types of techniques, the attacker can acquire the Session ID.

In brute force attacks, the attacker can try many IDs. For example, take a look at the following list of URLs, in which an attacker is trying to guess the session ID:

http://www.somesite.com/view/VW30422101518909
http://www.somesite.com/view/VW30422101520803
http://www.somesite.com/view/VW30422101522507

Session IDs can be stolen using a variety of techniques: sniffing network traffic, using trojans on client PCs, using the HTTP Referer header (spelled that way in the HTTP specification) when the ID is carried in the query string parameters, and using cross-site scripting attacks.

In a "referrer" attack, the attacker entices a user to click on a link to another site (a hostile link, say www.hostile.com):

GET /index.html HTTP/1.0
Host: www.hostile.com
Referer: http://www.mywebmail.com/viewmsg.asp?msgid=438933&SID=2343X32VA92

The browser sends the referring URL, session ID included, to the attacker's site (www.hostile.com), and the attacker now holds the user's session ID.

Session IDs can also be stolen using script injection, such as cross-site scripting: the user's browser executes a malicious script that sends the user's private information, the session ID included, to the attacker.

Mistakes made when developing with Ajax

Using Ajax for the sake of Ajax.

Sure Ajax is cool, and developers love to play with cool technology, but Ajax is a tool, not a toy. A lot of Ajax isn’t seriously needed to improve usability but rather experiments in what Ajax can do or trying to fit Ajax somewhere where it isn’t needed.

Breaking the back button

The back button is a great feature of the standard web site user interface. Unfortunately, the back button doesn’t mesh very well with Javascript. Keeping back button functionality is one reason not to go with a pure Javascript web app.

Keep in mind however that good web design provides the user with everything they would need to successfully navigate your site, and never relies on web browser controls.

Not giving immediate visual cues for clicking widgets

If something I’m clicking on is triggering Ajax actions, you have to give me a visual cue that something is going on. An example of this is GMail loading button that is in the top right. Whenever I do something in GMail, a little red box in the top right indicates that the page is loading, to make up for the fact that Ajax doesn’t trigger the normal web UI for new page loading.

Leaving offline people behind

As web applications push the boundaries further and further, it becomes more and more compelling to move all applications to the web. The provisioning is better, the world-wide access model is great, the maintenance and configuration is really cool, the user interface learning curve is short.

However, with this new breed of Ajax applications, people who have spotty internet connections or people who just don’t want to switch to the web need to be accommodated as well. Just because technology ‘advances’ doesn’t mean that people are ready and willing to go with it. Web application design should at least consider offline access. With GMail it’s POP, Backpackit has SMS integration. In the Enterprise, it’s web-services.

Don’t make me wait

With Firefox tabs, I can manage various waits at websites, and typically I only have to wait for a page navigation. With AJAX apps combined with poor network connectivity/bandwidth/latency I can have a really terrible time managing an interface, because every time I do something I have to wait for the server to return a response. However, remember that the ‘A’ in AJAX stands for ‘Asynchronous’, and the interaction can be designed so that the user is not prevented from continuing to work on the page while the earlier request is processed.

Sending sensitive information in the clear

The security of AJAX applications is subject to the same rules as any web application, except that once you can talk asynchronously to the server, you may tend to write code that is very chatty in a potentially insecure way. Every asynchronous endpoint needs the same transport protection and server-side checks as an ordinary page request, so all traffic must be vetted to make sure security is not compromised.

Assuming AJAX development is single platform development.

Ajax development is multi-platform development. Ajax code will run on IE’s javascript engine, Spidermonkey (Mozilla’s js engine), Rhino (a Java js implementation, also from Mozilla), or other minor engines that may grow into major engines. So it’s not enough just to code to JavaScript standards, there needs to be real-world thorough testing as well. A major obstacle in any serious Javascript development is IE’s buggy JS implementation, although there are tools to help with IE JS development.

Forgetting that multiple people might be using the same application at the same time

In the case of developing an Intranet type web application, you have to remember that you might have more than one person using the application at once. If the data that is being displayed is dynamically stored in a database, make sure it doesn’t go “stale” on you.

Too much code makes the browser slow

Ajax introduces a way to make much more interesting JavaScript applications; unfortunately, interesting often means more code running. More code running means more work for the browser, which means that for some JavaScript-intensive websites, especially inefficiently coded ones, you need a powerful CPU to keep the functionality zippy. The CPU problem has actually been a limit on JavaScript functionality in the past, and just because computers have gotten faster doesn’t mean the problem has disappeared.

Not having a plan for those who do not enable or have JavaScript.

According to the W3 schools browser usage statistics, which if anything are skewed towards advanced browsers, 11% of all visitors don’t have JavaScript. So if your web application is wholly dependent on JavaScript, it would seem that you have potentially cut a tenth of your audience.

Blinking and changing parts of the page unexpectedly

The first A in Ajax stands for asynchronous. The problem with asynchronous messages is that they can be quite confusing when they pop in unexpectedly. Asynchronous page changes should only ever occur in narrowly defined places and should be used judiciously, flashing and blinking in messages in areas I don’t want to concentrate on harkens back to days of the html blink tag. “Yellow Fade”, “One Second Spotlight” and other similar techniques are used to indicate page changes unobtrusively.

Not using links I can pass to friends or bookmark

Another great feature of websites is that I can pass URLs to other people and they can see the same thing that I’m seeing. I can also bookmark an index into my site navigation and come back to it later. Javascript, and thus Ajax applications, can cause huge problems for this model of use. Since the Javascript is dynamically generating the page instead of the server, the URL is cut out of the loop and can no longer be used as an index into navigation. This is a very unfortunate feature to lose, many Ajax webapps thoughtfully include specially constructed permalinks for this exact reason.

Blocking Spidering

Ajax applications that load large amounts of text without a reload can cause a big problem for search engines. This goes back to the URL problem. If users can come in through search engines, the text of the application needs to be somewhat static so that the spiders can read it.

Asynchronously performing batch operations

Sure with Ajax you can make edits to a lot of form fields happen immediately, but that can cause a lot of problems. For example if I check off a lot of check boxes that are each sent asynchronously to the server, I lose my ability to keep track of the overall state of checkbox changes and the flood of checkbox change indications will be annoying and disconcerting.

Scrolling the page and making me lose my place

Another problem with popping text into a running page is that it can affect the page scroll. I may be happily reading an article or paging through a long list, and an asynchronous JavaScript request will decide to cut out a paragraph way above where I’m reading, cutting my reading flow off. This is obviously annoying and it wastes my time trying to figure out my place. But then again, that would be a very stupid way to program a page, with or without AJAX.

Inventing new UI conventions

A major mistake that is easy to make with Ajax is: ‘click on this non-obvious thing to drive this other non-obvious result’. Sure, users who use an application for a while may learn that if you click and hold down the mouse on this div you can then drag it and permanently move it to this other place, but since that is not part of the common user experience, you increase the time and difficulty of learning the application, which is a major negative for any application. On the plus side, intuitiveness is a function of learning, and AJAX is popularising many new conventions which will become intuitive as time goes by. The net result will be greater productivity once the industry gets over the intuitiveness hump.

Character Sets

A common problem with AJAX is inconsistent character-set handling. Always set the content character set on the server side, and encode any data sent by JavaScript. Use ISO-8859-1 if you only use plain English, or UTF-8 if you use special characters such as æ, ø and å (Danish special characters). Note: it is usually a good idea to go with UTF-8 nowadays, as it supports many languages.

Changing state with links (GET requests)

The majority of Ajax applications tend to just use the GET method. However, the W3C standards state that GET should only be used for retrieving data, and POST should only be used for setting data. Although there might be no noticeable difference to the end user, these standards should still be followed to avoid problems with robots or prefetching programs such as Google Web Accelerator, which follow GET links and would trigger the state change on the user's behalf.

Not cascading local changes to other parts of the page

Since Ajax/Javascript gives you such specific control over page content, it’s easy to get too focused on a single area of content and miss the overall integrated picture. An example of this is the Backpackit title. If you change a Backpackit page title, they immediately replace the title, they even remember to replace the title on the right, but they don’t replace the head title tag with the new page title. With Ajax you have to think about the whole picture even with localized changes.

Problem reporting

In a traditional server-side application, you have visibility into every exception, you can log all interesting events and benchmarks, and you can even record and view (if you wish) the actual HTML that the browser is rendering. With client-side applications, you may have no idea that something has gone wrong if you don’t know how to code correctly and log exceptions from the remotely called pages to your database.

Return on Investment

Sometimes AJAX can impressively improve the usability of an application (a great example is the star-rating feedback on Netflix), but more often you see examples of expensive rich-client applications that were no better than the plain HTML versions.

Mimicking browser page navigation behavior imperfectly

One example of this is BlinkList's Ajax paging mechanism on the front page. As you click to see another page of links, Ajax fills in the next page. Except that if you are used to a browser experience, you probably expect to go to the top of the page when you hit next page, something JavaScript-driven page navigation doesn’t do. BlinkList actually anticipates this and tries to counteract it by manipulating your scrolling to scroll upwards until you hit the top. Except this can be slow, and if you try scrolling down you will fight the upwards-scrolling JavaScript and it won’t let you scroll down. But then again, that is a very stupid way to program a page, with or without AJAX.

Another Tool

It seems everyone has forgotten that Ajax is just another tool in the toolbox for Web Design. You can use it or not and misuse it or not. The old 80/20 rule always applies to applications (if you cover 80% of what all users want/need then you have a viable app) and if you lose 11% of your audience because they don’t switch on their javascript then you have to ask yourself if changing your app is worth capturing that 11% or stick with 89% that are currently using it and move on to something else. Also web apps should take advantage of all tricks to enable them to function quickly and efficiently. If that means using javascript for some part, Ajax for another and ASP callbacks for a third, so be it.

Preventing Cached AJAX Requests

As a developer, you’re probably well aware of all the issues that commonly occur due to cached data. AJAX is not unique when it comes to these issues; in fact, this problem is fairly common. Luckily, there are workarounds, one of which involves JavaScript’s Date object. If you haven’t used this approach for other caching issues, you’ll be pleasantly surprised at how easy it is to implement.

When making a standard HTTP request, the browser caches the web pages that we visit. Query strings are one way to work around this behavior. Therefore, we could easily use a query to our advantage by adding a simple query at the end of an AJAX request. But this will solve only half of the problem—if the query is the same each time, the data can still be cached. Therefore, we need to create a unique query each time a request is made. There are many ways to handle this need, but the one that makes the most sense in this situation is to use time to our advantage—because time is always changing.

The example in Listing 1 takes a uri parameter that will be used to make the request. Once we create the appropriate request object, we then create an instance of the Date object that will be used to create the next variable, called uniqueURI. The uniqueURI starts with the uri parameter; then we use a condition that checks for the index of a question mark, which would symbolize an existing query string. If the query string exists, we simply append an ampersand to the query; otherwise, we append the question mark. For either condition, the uri is followed by a key/value pair of "timestamp=" plus the current time from the Date object. Once we have the uniqueURI, we’re ready to finish making the request.

Creating a Unique URI

function xmlLoader(uri)
{
    var request;
    // Native object in most browsers, ActiveX in older Internet Explorer
    if (window.XMLHttpRequest)
    {
        request = new XMLHttpRequest();
    }
    else if (window.ActiveXObject)
    {
        request = new ActiveXObject("MSXML2.XMLHTTP");
    }
    // Append the current time in milliseconds so every request URI is unique.
    // An existing query string gets "&", otherwise "?" (indexOf >= 0 rather than > 0,
    // so a query that starts at position 0 is also detected).
    var timestamp = new Date();
    var uniqueURI = uri + (uri.indexOf("?") >= 0 ? "&" : "?") + "timestamp=" + timestamp.getTime();
    // callbackMethod is the response handler, defined elsewhere in the page
    request.onreadystatechange = callbackMethod;
    request.open("GET", uniqueURI, true);
    request.send(null);
}

The uniqueURI variable is all it takes to avoid cached requests with AJAX.
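An added example, not code from the original post, that keeps Listing 1's cache-busting trick and adds the other rules from the sections above: state-changing operations go over POST rather than GET, data flagged as sensitive is refused unless it will travel over https, and POST bodies are percent-encoded as UTF-8 with an explicit charset. appendQuery, addCacheBuster, encodeForm, planRequest, sendPlanned and the option names are this example's own.

```javascript
// Added example (not from the original post). It keeps Listing 1's cache-busting trick and
// adds the other rules this post discusses: operations that change state go over POST, data
// flagged as sensitive is refused unless the request will travel over https, and POST bodies
// are percent-encoded as UTF-8 with an explicit charset. appendQuery, addCacheBuster,
// encodeForm, planRequest, sendPlanned and the option names are this example's own.

// Append "query" to a URI, keeping any "#fragment" last (it is never sent to the server).
// indexOf("?") >= 0 rather than > 0, so a relative URI like "?page=2" is handled too.
function appendQuery(uri, query) {
  var hashAt = uri.indexOf("#");
  var base = hashAt >= 0 ? uri.slice(0, hashAt) : uri;
  var fragment = hashAt >= 0 ? uri.slice(hashAt) : "";
  var sep = base.indexOf("?") >= 0 ? "&" : "?";
  return base + sep + query + fragment;
}

// Listing 1's idea: a timestamp parameter makes each GET URI unique, so nothing is cached.
function addCacheBuster(uri, now) {
  return appendQuery(uri, "timestamp=" + now.getTime());
}

// Encode fields as application/x-www-form-urlencoded. encodeURIComponent always produces
// UTF-8 percent-escapes, so characters like "æøå" arrive intact whatever the page charset.
function encodeForm(fields) {
  var parts = [];
  for (var key in fields) {
    if (Object.prototype.hasOwnProperty.call(fields, key)) {
      parts.push(encodeURIComponent(key) + "=" + encodeURIComponent(fields[key]));
    }
  }
  return parts.join("&");
}

// Turn an intent into a concrete request, or return { error } if a rule is violated.
//   opts.uri           absolute or relative target
//   opts.changesState  true for create/update/delete; forces POST instead of GET
//   opts.sensitive     true when the fields carry private data (credentials, session IDs)
//   opts.fields        key/value pairs to send
//   now                a Date (injected so the cache-buster can be tested)
//   pageProtocol       window.location.protocol, used when the URI is relative
function planRequest(opts, now, pageProtocol) {
  var method = opts.changesState ? "POST" : "GET";
  var scheme = /^([a-z][a-z0-9+.-]*):/i.exec(opts.uri);
  var protocol = scheme ? scheme[1].toLowerCase() + ":" : pageProtocol;
  if (opts.sensitive && protocol !== "https:") {
    return { error: "sensitive data must not be sent over " + protocol };
  }
  if (method === "GET") {
    var uri = opts.fields ? appendQuery(opts.uri, encodeForm(opts.fields)) : opts.uri;
    return { method: "GET", uri: addCacheBuster(uri, now), headers: {}, body: null };
  }
  return {
    method: "POST",
    uri: opts.uri,
    headers: { "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8" },
    body: encodeForm(opts.fields || {})
  };
}

// Browser side: send a planned request, in the same shape as Listing 1's xmlLoader.
function sendPlanned(plan, callback) {
  if (plan.error) { throw new Error(plan.error); }
  var request = new XMLHttpRequest();
  request.onreadystatechange = callback;
  request.open(plan.method, plan.uri, true);
  for (var name in plan.headers) { request.setRequestHeader(name, plan.headers[name]); }
  request.send(plan.body);
}
```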

Top 100 Web 2.0 Sites

Here is version 2.0 of the top 100 Web 2.0 sites.

Thanks for your comments. By commenting on this post you will help improve the listing and its ordering.

Video

  1. YouTube: YouTube is a popular free video sharing Web site which lets users upload, view, and share video clips.

  2. Meta Cafe: Metacafe - Get the best internet videos - Funny videos, Amazing clips, Rare movies

  3. Vimeo: Share your video clips. Upload video that you shoot with your digital camera, mobile phone, or camcorder. Share video by linking to Vimeo.

  4. Daily Motion: Publish, tag, organize and share your video clips.

  5. Imeem: imeem is a social media service where users interact with each other by watching, posting, and sharing content of all media types, including blogs, photos, audio, and video. In one sense, imeem is a media-centric social network service, and in another sense, it is also a user participation service for online content.

  6. ClipShack: ClipShack is a community for videophiles; a destination where people can post their video for general public viewing and comment, share clips with friends and family, post video to blogs, share...

  7. vSocial: The fastest, easiest way to upload, watch and share your favorite video clips.

  8. Jumpcut: The best place to create, remix and share movies and slideshows online. There's nothing else like it. Jumpcut Makes Movies, Simple.

  9. Video Bomb: Video Bomb filters up the hottest videos on the internet: people submit links to the 'Incoming!' page and you bomb the best ones. If a video gets a lot of bombs quickly, it makes it to the front...

  10. eyeSpot: Shoot, Mix, and Share your Video. Use the eyespot Mixer to edit and combine your videos, music and photos online! Share your video and mixes with the world for Free

  11. revver: Upload, share videos

  12. Avidbeauty: Avid Beauty is an entertainment community for iPod users. We offer iPod downloads which are available in playlists known as Podcasts. We also offer Flickr photo, YouTube video and LiveJournal integration into your member profile.

Music

  1. last.fm: Generate custom streaming music stations with Last.fm by searching for and tagging your favorite artists. Build your own library and search the libraries of others to find who likes the same music as you

  2. Musicovery: Discover new music based on your mood, this free webradio let you browse music styles and epochs

  3. read.io: Read.io converts RSS feeds into podcasts via TextToSpeech. Many languages supported.

  4. MusicStrands: Search MusicStrands to discover new music. Listen to samples, then tag good tracks and exile the ones you don't like to get clear recommendations, either on site or with an optional iTunes plugin. Then purchase music from a variety of vendors.

  5. PODZINGER: PODZINGER - the world's premiere audio and video search engine

  6. Upto11: Using tags and rankings, Upto11 suggests new music for you. Create and share your recommendations, tags, and playlists via a personal user page.

  7. Pandora: Pandora is the music discovery service that helps you find new music based on your old and current favorites

Chat

  1. Meebo: meebo, the web messenger that lets you access IM from absolutely anywhere. meebo supports msn, yahoo, aol/aim, google talk (gtalk), jabber and icq

  2. Joopz: Allows users to send text messages from the Web to both individuals and groups, while enabling recipients to respond directly to the originating PC or Mac. Joopz web texts can be sent from any web-enabled device worldwide to any U.S. or Canadian mobile phone.

  3. campfire: Simple, Web-based group chat for businesses, Campfire allows real-time sharing, editing, and collaboration for team members in a secure, password-protected chat.

  4. Goowy: is a web based application offering free web and flash email service that enables you instant messaging, email, chat and much more

  5. Gizmo: Gizmo Project uses your internet connection (broadband or dial-up) to make calls to other computers. With the click of a mouse, you’re connected to friends, family, and colleagues anywhere on earth. It’s just that simple. You talk clearly. For as long as you want. For free.

  6. eBuddy: web based messaging for everyone, everywhere. e-Messenger is a web application that enables you to chat with your MSN, AOL and Yahoo buddies without having to install any program or Java applet.

  7. e-messenger: Online messaging from eBuddy is a web messenger application which supports MSN, Yahoo and AIM (AOL). When your school or office has blocked IM you can use the web version of eBuddy with any standard JavaScript enabled browser, even behind a firewall.

  8. ILOVEIM: eBuddy is a web messenger application which supports MSN, Yahoo and AIM (AOL). When your school or office has blocked IM you can use the web version of eBuddy with any standard JavaScript enabled browser, even behind a firewall.

Images & Photos

  1. Flickr: The best way to store, search, sort and share your photos

  2. Zooomr: Universally the best way to share, search, store and sort your photos online.

  3. Slide:

  4. zoto

  5. 23HQ: Are your photos stuck on your hard drive, instead of being shared with the people who matter to you?

  6. Mybloop: MyBloop - sharing pictures, audio, and video for free, without storage limits and additional software to install

Blogs

  1. Blogger: your easy-to-use web site, where you can quickly post thoughts, interact with people, and more

  2. Weblogs, Inc: Creating trade weblogs across niche industries in which user participation is an essential component of the resulting product.

  3. BlogCode: BlogCode.com is a fast, easy and intuitive source of blog recommendations based on the StoryCode.com model. It allows you to start with your favourite weblog (or perhaps even your own) and find...

  4. blo.gs: lets you keep an eye on your favorite weblogs via the web and email. you can even put the list on your site: a blogroll that knows what is new!

  5. BlogLines: a FREE online service for searching, subscribing, creating and sharing news feeds, blogs and rich web content.

Bookmarking

  1. Digg: Digg is all about user powered content. Everything is submitted and voted on by the digg community. Share, discover, bookmark, and promote stuff that's important to you!

  2. del.icio.us: A social bookmarks manager. Using bookmarklets, you can add bookmarks to your list and categorize them

  3. Reddit: Reddit is a source for what's new and popular online. reddit learns what you like as you vote on existing links or submit your own!

  4. StumbleUpon: StumbleUpon uses thumbs up and down ratings to form collaborative opinions on website quality. When you stumble, you will only see pages which friends and like–minded stumblers have liked

  5. Blinklist: Real people with shared interests list the websites they care about. Rate sites you like or save them for later.

  6. Blummy: A free tool for quick access to your favorite web services via your bookmark toolbar, Blummy lets you add and customize widgets that do practically anything: add pictures to Flickr, submit sites to del.icio.us, look up text in WIkipedia. Choose from hundreds of custom "blummlets" or create your own.

  7. Techcrunch: TechCrunch is a blog about Web 2.0 products & companies, many of the posts written by Michael Arrington. The blog's first post was on June 11, 2005

  8. Furl: Make your favorite web bookmarks accessible from anywhere with Furl's lightweight bookmarklet. Furl allows you to easily save, take notes on and share the links you've stored, or browse others' most popular bookmarks to find new and interesting things.

  9. Spurl: Never lose track of a web site again with Spurl's free on-line bookmarking service and search engine. Spurl stores addresses quickly for easy access with a one-click bookmarklet and provides recommendations for new content based on your preferences

  10. Trailfire: Bookmark sharing software.

VOIP

  1. Jajah: Jajah is a VoIP (Voice over IP) provider, founded by Austrians Roman Scharf and Daniel Mattes in 2005. The Jajah headquarters are located in Mountain View, CA, USA, and Luxembourg. Jajah maintains a development centre in Israel.

  2. skype: It’s free to download and free to call other people on Skype. Skype the number one voice over ip software

  3. Private Phone: a free local phone number with voicemail and messages you can check online or from any phone.

Games & Sketching

  1. Trendio: Trendio.com is an online prediction market. Users, instead of buying stock in companies with real money, buy stock in certain news subjects with fake money. Words available include those from the world of politics, sport, and entertainment. The more the word appears in the news, the higher the value of the stock. Currently, the site uses about 3,000 online internet sources to gauge the value of each word.

  2. GameSnips: online games list, digg style. voting for each game, sort lists by latest or by votes

  3. Pictaps: Roxik Pictaps - Draw a Character and Watch It Dance in 3D

  4. Broadcast Game: The objective of the Broadcast game is to connect all of the terminals and cables on the grid to the central hub by fixing their orientations. All you need to do is click and rotate the cables, the terminals, or the hub.

  5. Pikipimp.com: Ever wanted to add bling to your images? Pikipimp is a really cool Ajax application that allows you to drag and drop objects on your image. Save the image and add it to your site!

  6. Mainada: How about Comic Sketch (thanks Tiago)

Wikis

  1. Wikipedia: The biggest multilingual free-content encyclopedia on the Internet. Over two million articles and still growing.

  2. LittleWiki: LittleWiki is a Web site where you can create public and private wiki pages. A Wiki is a Web site where anyone can enter and edit content. That means you can post and edit information about virtually anything you wish, and you can read what others have posted too.

  3. Wetpaint: Wetpaint powers websites that tap the power of collaborative thinking. The heart of the Wetpaint advantage is its ability to allow anyone — especially those without technical skill — to create and contribute to websites written for and by those who share a passion or interest. To do this, Wetpaint combines the best aspects of wikis, blogs, forums and social networks so anyone can click and type on the web.

  4. JotSpot: Create and share wiki pages with a WYSIWYG editor via Jotspot's secure wiki hosting. Install various "applications" to refine your wiki content - project manager, company directory, blog, forum, poll, calendar, and more - then invite others to contribute

  5. PBWiki: Make a free, password protected wiki as easily as a peanut butter sandwich. Easily upload HTML, link files to your pages, integrate RSS, and more.

Office Tools

  1. Zoho Office Suite: Online Word Processor

  2. Google Docs & Spreadsheets: With Google Docs & Spreadsheets, you can: * Use our online editor to format documents, spell-check and more. * Upload Word documents, OpenOffice, RTF, HTML or text. * Download...

  3. Num Sum: Easy, Sharable Web Spreadsheets

  4. Dictinary: Online dictionary

  5. notifyr.org: Be ahead of the rest with notifyr.org. Notifyr is an easy to use tool which lets anybody easily receive instant updates on any web page around the world. Notifyr.org is ideal for those who want instant information on new stock, or new product release information. Best of all it's free - and always will be

  6. ThinkFree Office: Have you ever wanted to edit an Excel spreadsheet on a Linux system? Have you ever wanted to show your colleagues a presentation on a computer not equipped with Powerpoint? Would you like to be able...

  7. Numly: Numly is a web 2.0 startup offering next generation copyright and DRM licensing services for all things digital.

  8. gOffice: Free online word processor; output can be PDF or HTML letters, and it allows personalization in letter templates.

RSS

  1. FeedBurner: FeedBurner helps bloggers, podcasters and commercial publishers get more value from the content they create. Our advanced feed management technology deftly delivers subscription services for...

  2. Feed Digest: Feed Digest is a parser, regenerator, and syndicator for, and of, RSS and Atom feeds. It lets you do things like put the content of RSS or Atom feeds on your own site(s).

  3. Attensa: Attensa, Inc. is a venture backed software company developing RSS readers, online RSS aggregators, enterprise RSS servers and RSS infrastructure software that automatically and intelligently delivers...

  4. Tiny Tiny RSS: Tiny Tiny RSS is a web-based news feed aggregator, designed to allow you to read news from any location, while feeling as close to a real desktop application as possible.

  5. Feed43: This free online service converts any web page to an RSS feed on the fly.

  6. Feed Mailer: feeds direct to your email. (thanks John)

Emails

  1. Gmail: Gmail is an experiment in a new kind of webmail, built on the idea that you should never have to delete mail and you should always be able to find the message you want.

  2. 30 Gigs: 30Gigs.com is invite-only web-based email that offers, you guessed it, 30 gigabytes of space.

  3. Zookoda: is an email marketing application designed specifically for bloggers. Zookoda enables you to send a daily, weekly or monthly summary of your latest blog posts directly into your visitors inbox.

  4. Sprout: Hosted email management for your sales and support email. No IT department required. Mailroom can organize your email and suggest replies to save you time and keep you better in touch with your customers. There is nothing to set up and it takes only a minute to get started

  5. Gawab: Offers a web mail service with a number of features. Supports POP/SMTP.

News

  1. NewsGator: Read all of your favorite news, websites and blogs all in one place.

  2. newsvine.com: Keep track of breaking news with Newsvine: read "The Wire" for a direct stream of articles from the AP and ESPN, and read "The Vine" for Newsvine user submitted content and columns. Interact with other Newsvine readers by voting for and commenting on news, and write/maintain your own Newsvine column.

  3. Gabbr: Gabbr is a community-based social news and blogging network which allows users to save and share their favorite top news headlines and blog posts.

  4. wired: News site and magazine, covering technology, culture, business and politics.

  5. Clipmarks: Bite-size highlights on the web.

File Sharing

  1. Box.Net: Free online file storage and sharing from Box.net! Our internet storage service enables you to save, browse, share, & retrieve files, photos, and documents ...

  2. AllPeers: Unleash your online experience and discover unlimited private sharing. Share private photos worry-free. No passwords to remember, no public access. Share your videos without uploading - save on hosting costs while saving time. No cumbersome interface. No sharing restriction. Private and secure. No spyware, no adware, no annoying advertisements.

  3. MailBigFile: Internet application for file sharing

Others

  1. Live: Microsoft web 2.0 portal

  2. LinkedIn: is like Facebook for business professionals: Build yourself a business network to give you credibility in job searches and hiring, or use LinkedIn to reconnect or keep in touch with important business connections.

  3. BaseCamp: Simple project management with to-do lists, milestones, time tracking, file sharing, calendars, and more. Basecamp is a solution for taking charge of communication, collaboration, and organization for projects big and small.

  4. Side Job Track: A job tracking application for independent contractors, Sidejobtrack creates and manages invoices for goods, services, and time, then produces monetary reports to track payments and income.

  5. Kayak.com: Searches hundreds of travel sites to give you the widest possible choice of flights and prices. It costs nothing to search and not a cent to book because we're not a travel agency.

  6. TravBuddy: A site for people who love to explore. You don't have to be traveling across the world to use this site. Maybe you just want to share advice about a local restaurant you enjoy, or perhaps last weekend you discovered an amazing new place to watch the sunset, right in your hometown. Whether you are exploring at home or exploring abroad, the art and joy of discovery is still the same. Something that is familiar to you might be amazing and new to someone who is visiting.

  7. Wayfaring: An interesting new site that lets you tag and create your own routes and places on Google maps

  8. Omnidrive: As the world's first complete storage aggregator, Omnidrive allows you to bring all your files and content together from your desktop, devices and the web onto a single space that's easily accessible from any platform.

  9. ma.gnolia: Build your web site and build community online

  10. Ajaxian: Ajax related blog

  11. Web 2.0 Sites: web 2.0 sites directory, for all web 2.0 related services.