Securing Ajax Applications: Ensuring the Safety of the Dynamic Web

Ajax and Other "Rich" Interface Technologies
Free download. Book file PDF easily for everyone and every device. You can download and read online Securing Ajax Applications: Ensuring the Safety of the Dynamic Web file PDF Book only if you are registered here. And also you can download or read online all Book PDF file that related with Securing Ajax Applications: Ensuring the Safety of the Dynamic Web book. Happy reading Securing Ajax Applications: Ensuring the Safety of the Dynamic Web Bookeveryone. Download file Free Book PDF Securing Ajax Applications: Ensuring the Safety of the Dynamic Web at Complete PDF Library. This Book have some digital formats such us :paperbook, ebook, kindle, epub, fb2 and another formats. Here is The CompletePDF Book Library. It's free to register here to get Book file PDF Securing Ajax Applications: Ensuring the Safety of the Dynamic Web Pocket Guide.

Fortunately for the network, HTTP compression of Ajax responses can reduce response size and is supported in all modern browsers. Because of dynamic compression's overhead, however, speed may not improve much if responses are indeed relatively small.

Securing Ajax Applications: Ensuring The Safety Of The Dynamic Web

This means that it would be wise for network administrators to turn on compression on their Web server, but they need to understand that with Ajax applications, their gains won't be as big as with traditional Web applications. To send data less often, we generally would employ caching. Most Ajax implementations can be openly hostile to caching, however, given certain assumptions made by browsers regarding not re-fetching URLs during the same session. Rather than work with caching, many Ajax developers will work aggressively to defeat caching via the header setting or URL uniqueness.

It is possible to address caching concerns with a client-side Ajax cache written in JavaScript, but most Ajax libraries do not implement such a feature. Network professionals should show developers the benefit of caching, because Ajax probably will benefit more from that than from compression. This is the way the HTTP protocol is designed, not some browser bug or limitation.

The good news is that it keeps many Ajax developers from swamping a server accidentally, though Microsoft's Internet Explorer 8 is supposed to go well beyond the limit. Chatty Ajax applications can be trouble, and with browsers changing the rules, network administrators need to keep a close eye on the number of requests made, and work with application developers to avoid employing such design patterns as fast polling or long-held connections.

The base unit, the HTML document, is received before other objects, and it then triggers the request. Any subsequent request triggers a whole new base document, thereby guaranteeing order. Ajax takes such implicit ordering away, however, so that an application dependent on proper sequencing requires a response queue.

AJAX Requests with Token Authentication

Ajax frameworks, however, are not consistent in acknowledging this network concern. So, again, make sure Ajax application developers understand such network-level concerns. For years, users have been correcting Web-delivery quality by reloading pages or pressing the Back button. Simply put, users doing this help mitigate network problems because errors occur generally at expected moments between page paints.

With Ajax, however, application failure is no longer that obvious. Worse yet, users often are misinformed about errors, because the simple, animated-GIF spinning circle provides little information about the true status of the request. Developers are at a loss because many libraries aren't effective at acknowledging that timeouts happen, retries must occur, and server and data errors crop up. JavaScript diagnostics showing communication and code errors are rarely in place on the client side, so blissful ignorance is the norm.

More application-level monitoring is required for administrators to support Ajax properly.

Securing Ajax Applications

If you listen to the pundits, Ajax may appear to produce more attack surface, but it really isn't any less secure than traditional Web-application development environments, because the HTTP inputs to the trusted server side are the same — headers, query string and message body. If implicitly trusting client-side code and entered data is not verboten already in your Web development group, however, Ajax may push things in that direction.

Cross-site scripting XSS isn't a vulnerability new with Ajax; it is just more common, especially if an application allows state data to be manipulated with JavaScript.

AJAX/JavaScript Support

A hacker who gains access to your administrator account is able to install malicious scripts that can potentially compromise your entire server. Finally, many organizations deploy cloud-based WAF WAF-as-a-Service to intercept web traffic before it enters the network or reaches the server in the cloud. Question feed. At a minimum, a WAF today should be able to detect attacks designed to run JavaScript, respond to challenges, and mimic human and browser capabilities without overburdening the applications it protects. METs can. Stack Overflow works best with JavaScript enabled.

Distributed system using remote agents. Abundance of security checks Out of the box, Arachni has all the full featured support and vulnerability analysis that one would expect from a first class web application scanner. Detection of DOM-based vulnerabilities. Intelligent, on-the-fly adaptation to each web application Arachni analyzes each application resource individually, which in turn allows it to tailor each request to the technologies being used.

Mobile ready — in more ways than one Arachni can be configured to replicate multiple different client platforms including phones and tablets. High performance Scanners work with enormous amounts of workloads, often dealing with thousands of pages and performing millions of requests. Arachni wastes no time and minimizes any delay by utilizing: Asynchronous HTTP requests for lightweight concurrency and fast communications.

Even when distributed across multiple nodes. After all, the sooner you learn about issues, the sooner you can mitigate risks. Highly detailed, well-structured reports Reports can be generated in a number of open formats that allow you to consume all relevant information and context from a single file that is intuitively organised and well-structured.

All reports include an abundance of context for easy reproduction and verification of identified issues, such as: Affected page snapshots , including: DOM transitions , allowing for restoration of state. Data-flow sinks , displaying the flow of tainted arguments throughout the JavaScript environment. Execution-flow sinks , displaying execution points of injected JavaScript payloads.

Associated HTTP request and response.

Introduction

Referring page snapshots , for easy comparison of before and after states. Full JavaScript stack data for sinks, including: Stacktraces. Function names. Function argument signatures.

AJAX and JavaScript: The Technologies Explained

Function locations. Function source codes.

  • Securing Ajax applications - ensuring the safety of the dynamic web?
  • Mastering Red Hat Enterprise Linux 3;
  • Mathematics for Engineering Students: Plane and Solid Geometry;
  • Gods and Heroes of Ancient Greece (Pantheon Fairy Tale & Folklore Library.);
  • Watch what you wish for!

Function argument lists. It is important to remember that deficiencies in one layer may invalidate all the other efforts in the other layers. An attacker only needs one hole to compromise the application. Take care to review all of the following best practices to ensure a cohesive security approach.

It is always a recommended option to use DMZ bastion hosts or switched connections to target Web servers. This will prevent attackers who have compromised the Web server from penetrating deeper into the application. Use Stateful Firewalls.

Use a stateful firewall inspection to keep track of all Web-tier transmissions and protocol sessions. Make sure it blocks all unrequested protocol transmissions. This will help prevent Denial of Service DoS attacks and disallow malicious packets intended for back-end systems. Make sure the operating system that is running the Web and application server is hardened and does not run any unsolicited services that may provide an opening for an attacker to compromise.

Secure Administrative Communications. Make sure all administration tasks on the server are done using encrypted communication. Disable remote administration of Web and application servers using system-level and root administrator access. All remote administration needs to be carried out using secure-shell connections from trusted machines and disallow administrator access from untrusted machines.

Disallow Untrusted Services. Disable telnet, remote login services, and FTP connections to the server machines. These are commonly attacked services and represent a strong security risk. Check Web Server User Permissions. Disable CGI. This is another common source of attacks. Enforce Strong Passwords. Change all default passwords and use robust password mechanisms to avoid password-related vulnerabilities such as sniffing and replay attacks.

For all application-level administrators, use password ageing, account locking, and password-complexity verification. Using one-time password mechanisms, dynamic passwords that use challenge-response schemes, smart card- and certificate-based authentication, and multifactor authentication are reliable practices. Audit Administration Operations. Limit all Web administration access to the system to very few users. Monitor their account validity, log all their administration operations using encryption mechanisms, and make sure that system log files are written to a different machine that is secure from the rest of the network.

Check Third-Party IPs. All third-party supporting applications that are required to coexist with the Web and application servers have to be tested for their usage of IP and port addresses. Those applications must follow the maintained rules of the DMZ. Monitor Web Server Communications. Monitor all transmissions and Web-server requests and responses for suspicious activity and misuse. Use watchdog macros or daemons to monitor and trap these activities.

AJAX Vulnerabilities

When detection of such abuses occurs, make sure you check the integrity of the application afterward and notify the system security administrator. Setup IDS. Use intrusion detection systems to detect suspicious acts, abuses, and unsolicited system uses.