Securing Ajax Applications: Ensuring the Safety of the Dynamic Web

Ajax applications should be open yet secure. Far too often security is added as an afterthought. Potential flaws need to be identified and addressed right away. This book explores Ajax and web application security with an eye for dangerous gaps and offers ways that you can plug them before they become a problem. By making security part of the process from the start, you will learn how to build secure Ajax applications and discover how to respond quickly when attacks occur.

Securing Ajax Applications succinctly explains that the same back-and-forth communications that make Ajax so responsive also give invaders new opportunities to gather data, make creative new requests of your server, and interfere with the communications between you and your customers. This book presents basic security techniques and examines vulnerabilities in JavaScript, XML, JSON, Flash, and other technologies: vital information that will ultimately save you time and money. Topics include:

- An overview of the evolving web platform, including APIs, feeds, web services and asynchronous messaging
- Web security basics, including common vulnerabilities, common cures, state management and session management
- How to secure web technologies, such as Ajax, JavaScript, Java applets, ActiveX controls, plug-ins, Flash and Flex
- How to protect your server, including front-line defense, dealing with application servers, PHP and scripting
- Vulnerabilities among web standards such as HTTP, XML, JSON, RSS, Atom, REST, and XDOS
- How to secure web services, build secure APIs, and make open mashups secure

Securing Ajax Applications takes on the challenges created by this new generation of web development, and demonstrates why web security isn't just for administrators and back-end programmers any more. It's also for web developers who accept the responsibility that comes with using the new wonders of the Web.

Author(s): Christopher Wells
Edition: 1
Publisher: O'Reilly Media
Year: 2007

Language: English
Pages: 242

Securing Ajax Applications......Page 0
Table of Contents......Page 3
Audience......Page 5
Contents of This Book......Page 6
Using Code Examples......Page 7
Acknowledgments......Page 8
The Evolving Web......Page 10
Hypertext Transfer Protocol (HTTP)......Page 11
HTTP Transactions......Page 12
The response......Page 13
Safe methods......Page 14
HTTP Response......Page 15
3xx redirection codes......Page 16
4xx client error codes......Page 17
General headers......Page 18
Request headers......Page 19
Content headers......Page 20
HTML......Page 21
Mosaic and Netscape......Page 22
Java applets......Page 23
ActiveX......Page 24
The Dot-Com Bubble......Page 25
Apache......Page 26
Application servers......Page 27
Commercials for Internet companies......Page 28
Pop!......Page 29
The Hero, Ajax......Page 30
XMLHttpRequest life cycle......Page 31
What Is an API?......Page 34
Recreational developers......Page 35
CCPD......Page 36
For More Information......Page 37
Build Security In......Page 38
Objects......Page 39
Surface area......Page 40
Encryption......Page 41
Authentication......Page 42
Separation of duties......Page 43
Nonrepudiation......Page 44
Trust......Page 45
Entry points......Page 46
Think like an attacker......Page 47
Threat Profiling......Page 48
Common Web Application Vulnerabilities......Page 49
OWASP top 10......Page 50
Unvalidated Input......Page 51
Client-side validation......Page 52
Administration interfaces......Page 53
Login credentials......Page 54
Session management......Page 55
Cross-Site Scripting (XSS)......Page 56
Buffer Overflow......Page 57
Injection Flaws......Page 58
Improper Error Handling......Page 59
Insecure Storage......Page 60
Application Denial of Service......Page 61
Insecure Configuration Management......Page 62
Other Vulnerabilities......Page 63
For More Information......Page 64
How Web Sites Communicate......Page 65
Screen scraping......Page 66
Domain to Domain (Cross-Domain) Communications......Page 67
XML......Page 68
Web services......Page 69
STRIDE......Page 70
SSL/TLS transport encryption......Page 71
Encrypting data with symmetric encryption......Page 72
The browser’s same-origin policy......Page 74
Client-Side Data and Managing State......Page 75
HTML input fields......Page 77
Cookies and HTTP headers......Page 78
URL rewriting......Page 80
Protecting Data in Transit......Page 82
Session Management......Page 83
ActiveX......Page 85
Java Applets......Page 90
JavaScript......Page 92
XHTML/DOM Manipulation......Page 94
Flash......Page 97
ActionScript......Page 98
HTML and CSS......Page 100
Ajax......Page 102
Protecting data in transit......Page 103
Exception handling......Page 104
Protecting data in storage......Page 105
For More Information......Page 106
Protecting the Server......Page 108
Security concerns......Page 109
SSL proxies......Page 110
Separation of duties......Page 111
Automatic LAMP......Page 112
OS Hardening......Page 113
Accounts management......Page 114
Running services......Page 116
Facilities and priorities......Page 117
Syslog configuration file (/etc/syslog.conf)......Page 119
Windows......Page 121
APT......Page 122
Host Firewall......Page 123
Using iptables......Page 124
Intrusion Detection......Page 126
Network monitoring......Page 127
Incident Response......Page 128
Have a plan (disaster recovery plan)......Page 129
Web Server Hardening......Page 130
Apache HTTP Server......Page 131
mod_security......Page 132
Basic configuration......Page 133
Filters......Page 134
Lock down server......Page 135
Hardening guidelines......Page 136
Hardening guidelines......Page 137
For More Information......Page 138
A Weak Foundation......Page 139
Input Validation......Page 140
Authentication hijacking......Page 142
HTTP basic authentication......Page 143
Authorization......Page 144
Cross-Site Scripting (XSS)......Page 145
SQL injection......Page 146
HTTP response splitting......Page 147
DOM injection and JavaScript......Page 148
Cross-site Request Forgery (CSRF or XSRF)......Page 149
Buffer overflows......Page 150
Application denial of service......Page 151
JSON......Page 152
Validation and implementation......Page 153
Script/same origin policy......Page 154
Authentication and Authorization......Page 155
XML Denial of Service (XDOS)......Page 156
RSS......Page 157
Atom compared to RSS......Page 158
Signing Content......Page 159
REST web services characteristics......Page 161
Principles of REST web service design......Page 162
For More Information......Page 163
Securing Web Services......Page 164
Service Oriented Architecture (SOA)......Page 165
Ajax and Web Services......Page 166
Simple Object Access Protocol (SOAP)......Page 168
Anatomy of a SOAP message......Page 169
SOAP faults......Page 170
Universal Description Discovery and Integration (UDDI)......Page 172
Web Service Description Language (WSDL)......Page 173
Anatomy of a WSDL document......Page 174
Hooking up the Ajax......Page 175
Authentication......Page 176
Passing Credentials......Page 177
Confidentiality and Transport Layer Security......Page 178
XML digital signatures......Page 179
Don’t Forget It’s the Web......Page 180
Secure tokens and credentials......Page 181
For More Information......Page 182
Building Your Own APIs......Page 183
API Construction......Page 185
API Design......Page 187
Preconditions......Page 188
Building a Good API......Page 189
Authentication......Page 190
Content Validation and Authentication......Page 191
RESTful Web Services......Page 192
Who Is Using REST?......Page 193
How REST Web Services Work......Page 194
Communication choices......Page 195
Get word list......Page 196
Rate a word......Page 197
For More Information......Page 198
Mashups......Page 199
Web Applications and Open Internet APIs......Page 200
Wild Web 2.0......Page 201
Lack of Trust......Page 203
The Dark Side......Page 204
Lack of Security Standards......Page 207
Confidentiality......Page 208
Integrity......Page 209
Case Studies......Page 210
Authentication mechanisms......Page 211
The pulp......Page 212
Public911.com......Page 213
Authentication mechanisms......Page 214
Security concerns......Page 215
WeatherBonk.com......Page 216
Additional services......Page 217
HousingMaps.com......Page 218
Conclusion......Page 219
For More Information......Page 220
Index......Page 221