
Tutorial: AJAX Security

In AJAX applications we have noticed an equally significant growth in security flaws, with the potential to turn AJAX-enabled sites into a time bomb.

The Benefits of AJAX

In the good old days of "Web Applications", things were simpler. You filled in a form, you pressed "Submit", the screen cleared, and after a short wait you'd move onto the next page. Today things are different - users demand a Web experience which is smoother, faster, and preferably as intuitive as any desktop application.

AJAX, often in conjunction with DHTML (Dynamic HTML), fulfils that need by allowing the JavaScript code within a web page to communicate seamlessly "behind the scenes" with the web server.

How AJAX Works

The intricacies of AJAX are beyond the scope of this document; the principle, however, is this. JavaScript code on your web page is able to connect to your web server independently of the user. The backbone is JavaScript's XMLHttpRequest object, which can be triggered by events such as user keystrokes or a timer and set to operate in the background, or asynchronously (hence the term Asynchronous JavaScript and XML).
It is worth noting that the XML part is a little misleading - it comes from the name of the JavaScript object, and whilst many AJAX style applications make use of XML, the object can be used to make a request for just about anything from the Server.
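The mechanism just described, as an added example that is not part of the original tutorial: a small helper that fires an XMLHttpRequest in the background, hands the parsed result to a callback, and is wired to a keystroke. The `/suggest` URL, the `box` and `output` elements and the injectable `XhrCtor` parameter are assumptions made for the demo (the parameter exists so the same code can be exercised outside a browser with a stand-in object; in a page you call it with the global XMLHttpRequest).

```javascript
// Added example (not from the tutorial): a minimal asynchronous request
// helper. XhrCtor is injectable so the code can be run outside a browser
// with a fake object; in a page the global XMLHttpRequest is used.
function requestInBackground(url, onResult, XhrCtor) {
  const Ctor = XhrCtor || (typeof XMLHttpRequest !== 'undefined' ? XMLHttpRequest : null);
  if (!Ctor) throw new Error('no XMLHttpRequest implementation available');
  const xhr = new Ctor();
  xhr.onreadystatechange = function () {
    if (xhr.readyState !== 4) return;          // 4 = DONE: response fully received
    onResult(interpretResponse(xhr.status, xhr.responseText));
  };
  xhr.open('GET', url, true);                   // third argument true = asynchronous
  xhr.send(null);
}

// Treat whatever comes back as data, never as code: only a 2xx status with a
// JSON body is accepted, and the parsed value is handed to the caller.
function interpretResponse(status, text) {
  if (status < 200 || status >= 300) {
    return { ok: false, error: 'server returned HTTP ' + status };
  }
  try {
    return { ok: true, data: JSON.parse(text) };
  } catch (e) {
    return { ok: false, error: 'response was not valid JSON' };
  }
}

// Wiring to a keystroke, as the text describes. `box` is a hypothetical
// <input> element and `output` a hypothetical element that shows the result.
// The result is rendered with textContent so the response cannot inject markup.
function attachSuggestions(box, output, XhrCtor) {
  box.onkeyup = function () {
    const url = '/suggest?q=' + encodeURIComponent(box.value);
    requestInBackground(url, function (result) {
      if (!result.ok) {
        output.textContent = result.error;
      } else if (Array.isArray(result.data)) {
        output.textContent = result.data.join(', ');
      } else {
        output.textContent = 'unexpected response shape';
      }
    }, XhrCtor);
  };
}
```

The point of `interpretResponse` is that the server reply is parsed as JSON and treated as plain data; the callback never evaluates it or writes it into the page as HTML.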

Summary

There is no doubt that AJAX and AJAX-style technologies are the way forward for web design. Developers can create true "applications" on the web like never before - however care needs to be taken with AJAX, in order to keep web sites secure.

One of the biggest threats, however, comes from the increase in complexity of Client Side scripting accompanied by the potential increase in the number of Server Side scripts used to make AJAX work. These scripts are "hidden from view" by the technology, making testing less intuitive - whilst at the same time the adoption of this new technology appears to make quite sane web developers forget the basics of good coding. Issues such as Access Control and Input Validation don't go away - they just multiply and become interwoven.

The AJAX "Top 5" security tips:

To succeed, you must start with good planning. Efforts should be focused on reducing and simplifying the AJAX calls, and on creating a standard format for responses that follows convention (ideally XML) where possible.

Follow best practice from sites such as the Open Web Application Security Project. This especially includes checking for Access Control and Input Validation flaws, whilst ensuring sensitive information travels over SSL rather than in the clear.

Never assume that Server Side AJAX checks for Access Control or User Input Validation will replace the need for final re-checking at the Server. Adding AJAX controls will never reduce your validation workload; they will only increase it.

Never assume that Client Side obfuscation (making the JavaScript difficult to read or decode) will protect your most important commercial secrets. Using JavaScript is a poor way to hide programming tricks and advances from your competitors.

Finally, you must be prepared to exercise a tight rein over your development team. Wonderful ideas using AJAX may sound compelling, but you should consider saving them for version 2, whilst you focus on building a rock-solid version 1.


Copyright © 2006. All rights reserved.