YOUR FEEDBACK
iPhone 3G and the Things I will Need From My New iPhone
Alex wrote: Joke of an article. First of all it is ILLEGAL and more import...
Jul. 6, 2008 12:41 PM
Did you read today's front page stories & breaking news?


2007 West
GOLD SPONSORS:
Active Endpoints
Your SOA Needs BPEL for Orchestration
BEA
Virtualized SOA: Adaptive Infrastructure for Demanding Applications
Nexaweb
Overcoming Bandwidth Challenges with Nexaweb
TIBCO
What is Service Virtualization?
SILVER SPONSORS:
WSO2
Using Web Services Technologies and FOSS Solutions
Click For 2007 East
Event Webcasts

2008 East
PLATINUM SPONSORS:
Appcelerator
Think Fast: Accelerate AJAX Development with Appcelerator
GOLD SPONSORS:
DreamFace Interactive
The Ultimate Framework for Creating Personalized Web 2.0 Mashups
ICEsoft
AJAX and Social Computing for the Enterprise
Kaazing
Enterprise Comet: Real–Time, Real–Time, or Real–Time Web 2.0?
Nexaweb
Now Playing: Desktop Apps in the Browser!
Sun
jMaki as an AJAX Mashup Framework
POWER PANELS:
The Business Value
of RIAs
What Lies Beyond AJAX?
KEYNOTES:
Douglas Crockford
Can We Fix the Web?
Anthony Franco
2008: The Year of the RIA
Click For 2007 Event Webcasts
SYS-CON.TV
SYS-CON.TV: How Do You Minimize Unpleasant Surprises in Your Java Code? Guest Nigel Cheshire
TOP THREE LINKS YOU MUST CLICK ON


AJAXWorld News Desk
AJAX Book Recommendation: "Ajax Security" by Hoffman and Sullivan
If you call yourself a professional web developer, you need this book

By: Brian J. Dillard
Feb. 2, 2008 06:00 AM
Digg This!

Page 2 of 2   « previous page

Web aggregators and SSL

This is probably a great big "duh" to some developers, but web aggregators such as iGoogle and NetVibes often compromise the security of otherwise SSL-encrypted web applications when funneling content from them to your personalized homepage:

Now, consider what happens when you use a Gmail widget on an aggregate site like NetVibes. Sharp-eyed readers will notice the URL for NetVibes ... is http://www.netvibes.com. This is not an encrypted connection! NetVibes sends user data in the clear from the aggregate to the user.... NetVibes makes an SSL connection to Gmail, and then NetVibes degrades the level of security by transmitting the data over an unencrypted connection. Our attacker ... can steal the data much more easily now. NetVibes is not providing the same level of security that a user would receive if he accessed Gmail directly. This situation is not unique to NetVibes and Gmail.... At the time of publication, every major aggregate Web site the authors examined downgraded security on data from secure sources. [emphasis theirs]

Offline applications and client-side validation

Security experts, including Hoffman and Sullivan, have long trumpeted the danger of relying on client-side input validation without parallel server-side validation. But with offline applications, they argue, client-side validation becomes absolutely necessary:

[O]ffline Ajax frameworks increase the client's role in business logic. In fact, offline Ajax applications strive to make the concept of online or offline completely transparent to the user.... [T]his means the user is interacting with client-side code, which stores everything the user is doing and synchronizes the data with the Web server when the client connects to the Internet. If no client-side input validation occurs, then the client-side logic is vulnerable to all kinds of parameter manipulation attacks.... Ajax applications already push more of a Web application to the client, and offline Ajax applications do push even more logic to the client. Just as we perform whitelist input validation on the server for security purposes, developers must perform client-side validation to ensure the security of their offline Ajax applications.

Ajax frameworks and function clobbering

When an attacker gains access to a web server and appends JavaScript code to a running Ajax application, it's much easier to inflict damage on apps that employ well-known JavaScript frameworks:

[T]his works with any framework and almost any JavaScript function.... Consider Dojo.Storage, which provides an abstraction layer to the various mechanisms for client-side storage.... Ironically, most of the functions to access client-side storage methods cannot be hooked because of how they are implemented. We cannot, for example, clobber the ActionScript functions exposed by a Flash object from browsers that we can clobber. Thus we cannot hook read and writes on the document.cookie object (at least we can't for all browsers). However, by hijacking the abstraction function in Dojo.Storage, attackers can intercept all data as it moves in and out of client-side storage, regardless of where the data is actually stored on the client. Essentially, certain browser functionality cannot be shimmed directly for all browsers, but frameworks that abstract this functionality can, themselves, be shimmed, accomplishing the same thing. Even worse ... shim code that hijacks frameworks isn't Web site or domain specific. The same playload can be used against multiple Web sites.

The book itself, of course, documents dozens more specific security vulnerabilities - as well as best practices for protecting your application against them. As my effusive praise should have made clear by now, I can't recommend "Ajax Security" highly enough. It's available from Amazon and Safari Books Online.

Article contents adapted from entries in the Agile Ajax blog. Copyright © 2008 Pathfinder Development.

All-New at AJAXWorld 2008 East at The Roosevelt Hotel in midtown Manhattan !

All-New at AJAXWorld 2008 East at The Roosevelt Hotel in midtown Manhattan !

Being held for the first time on March 18, 2008 at the historic Roosevelt Hotel in New York City, AJAXWorld Security Bootcamp is a compelling, intensive, one-day, hands-on training program that will teach Web developers, Web designers, and other Web professionals how to build secure AJAX applications and demonstrate what the best practices are to mitigate security problems in AJAX apps.

It is led by one of the world's foremost AJAX security experts and popular teachers, Billy Hoffman.

Click Here to Register Now and Save!

When:  Monday, March 18, 2008: 8:30AM-5:30PM 

Where:  The Roosevelt Hotel on 45th and Madiscon, New York City

Who:  AJAX Security Bootcamp is led by:

Billy Hoffman is a lead security researcher for SPI Dynamics (www.spidynamics.com), which was purchased by Hewlett-Packard on 01 August 2007. At SPI Dynamics, he focuses on automated discovery of Web application vulnerabilities and crawling technologies. He has been a guest speaker at Black Hat Federal, Toorcon, Shmoocon, O'Reilly's Emerging Technology Conference, The 5th Hope, and several other conferences. His work has been featured in Wired, Make magazine, Slashdot, G4TechTV, and in various other journals and Web sites. In addition, Billy is a reviewer of white papers for the Web Application Security Consortium (WASC), and is a creator of Stripe Snoop, a suite of research tools that captures, modifies, validates, generates, analyzes, and shares data from magstripes. He also spends his time contributing to OSS projects and writes articles under the handle Acidus.


Billy was a featured speaker at AJAXWorld Conference & Expo 2007 West.

Join Billy and your fellow Bootcamp delegates at the AJAXWorld Security Bootcamp on March 18. We'll see you in New York City...

Click Here to Register Now and Save!


Page 2 of 2   « previous page

Published Feb. 2, 2008 — Reads 9,334
Copyright © 2008 SYS-CON Media. All Rights Reserved.
Related Stories
▪ All-New AJAX Security Bootcamp Next Week at AJAXWorld in New York
Related Links
▪ AJAX Security Bootcamp Home Page
About Brian J. Dillard
Brian J. Dillard joined Pathfinder Development in August 2007 as RIA Evangelist. After 12 years of focusing on the view layer of large consumer web apps, his role at Pathfinder Associates is one of research, development and ongoing commentary. He prototypes new rich UI features; contributes to open-source and client projects; and otherwise helps build Pathfinder's competency in the AJAX world. Along with Pathfinder CTO Dietrich Kappe, Dillard contributes to the 'Agile Ajax' blog (http://blogs.pathf.com/agileajax). He is also the project lead on Really Simple History, a JavaScript library for AJAX bookmark and back-button management.

LATEST JAVA STORIES & POSTS
AJAX and RIA Technology Will Be Free for All: Sun CEO
By Java News
'Java's always been a RIA platform - before the world really wanted one,' claimed Sun's CEO Jonathan Schwartz recently, as he reflected on the reinvention of the Java platform as represented by JavaFX. 'What's a rich internet application?' Schwartz wrote. 'It depends on your pers
Adobe's Kevin Lynch and Microsoft's Scott Guthrie to Keynote AJAX World RIA Conference & Expo
By RIA News Desk
Two of the biggest launches in Rich Internet Application history took place in 2007/2008 when Adobe launched AIR 1.0 in February '08 and Microsoft launched Silverlight (September '07). At the 6th International AJAXWorld RIA Conference & Expo in October SYS-CON Events is delighted
Quest Software's JProbe Now Available as Eclipse Plug-In
By Eclipse News Desk
Quest Software announced the latest release of its Java profiler, JProbe 8.0, which is now offered as a plug-in to the Eclipse Java Integrated Development Environment (IDE). The release of this capability aligns with the increased adoption of the open source development. Launchin
What Does the Future Hold for the Java Language?
By Joe Winchester
Before Java I was a Smalltalk guy. I remember switching from one language to the other and the tipping point that you reach when you've mastered the new language and how many months it takes, not to mention the years, to do really good design and know-how, which patterns to apply
White Paper: "Ensuring Code Quality in Multi-Threaded Applications"
By Java News Desk
Today, the world of software development is presented with a new challenge. To fully leverage this new class of multi-core hardware, software developers must change the way they create applications. By turning their focus to multi-threaded applications, developers will be able to
AccuRev and Rally Software Partner to Scale Agile Software Development Best Practices
By SOA World Magazine News Desk
AccuRev and Rally announced a technology partnership that will integrate AccuRev software change and configuration management (SCCM) with Rally's Agile lifecycle management solutions. The combined solution will provide a platform to manage multiple Agile processes and ongoing cus
SUBSCRIBE TO THE WORLD'S MOST POWERFUL NEWSLETTERS
SUBSCRIBE TO OUR RSS FEEDS & GET YOUR SYS-CON NEWS LIVE!
Click to Add our RSS Feeds to the Service of Your Choice:
Google Reader or Homepage Add to My Yahoo! Subscribe with Bloglines Subscribe in NewsGator Online
myFeedster Add to My AOL Subscribe in Rojo Add 'Hugg' to Newsburst from CNET News.com Kinja Digest View Additional SYS-CON Feeds
Publish Your Article! Please send it to editorial(at)sys-con.com!

Advertise on this site! Contact advertising(at)sys-con.com! 201 802-3021
SYS-CON FEATURED WHITEPAPERS

MOST READ THIS WEEK
Next-Generation Web Development: Bye Bye MVC, Hello RIA + SOA
By Nolan Wright
Microsoft's Brand New Virtualization Transfer to Present at SYS-CON's Virtualization Conference
By Virtualization News Desk
What Does the Future Hold for the Java Language?
By Joe Winchester
Cloud Computing Expo - Clouds Mating!
By Maureen O'Gara
J-CASE Tag Library - Interactive Storyboarding with JSP
By Masayuki Otoshi
Virtualization: After Servers, the Infrastructure Needs to be Virtualized
By Pete Manca
Virtualization - WiMAX Supporters Form Patent Pool
By Maureen O'Gara
NetBeans: It's Not Just for Java Anymore
By Tim Boudreau
Infrastructure Virtualization Strategies
By Virtualization News Desk
Neelie Takes to the Soapbox
By Maureen O'Gara
3Leaf Systems Enables V-8000 I/O Virtualization With HP BladeSystem c-Class
By Virtualization News Desk
Elixir Technology (Represented by JNet Direct) Nominated for SYS-CON's "SOA World Magazine Readers' Choice Awards"
By SOA World Magazine News Desk
SPONSORED BY INFRAGISTICS
SOA in a JVM: OSGi Service Platform - A Dynamic Component System for Java
There are many forces that influence technological evolution. After a decade of building enterprise
Jun. 30, 2008 03:45 PM
AJAX and Enterprise RIA Tools - JSF, Flex, and JavaFX
2008 is going to be an important year for Rich Internet Applications. Most organizations are deliver
Jun. 20, 2008 12:45 PM
Final Voting Phase on OpenAjax Browser Wishlist
The OpenAjax Alliance is developing an Ajax industry wishlist for future browsers, using a dedicated
Jun. 18, 2008 07:45 PM
AJAX World RIA Conference News - Netflix UI Guru To Present on Crafting Rich Web Interfaces
In every field of design one of the first things students do is learn from the work of others. They
Jun. 11, 2008 10:30 AM
Infragistics Releases CTP UI Components for Microsoft Silverlight Beta 2
Infragistics announced the availability of two Community Technology Preview (CTP) User Interface (UI
Jun. 4, 2008 08:00 AM
Yahoo User Interface 2.5.2 Released
The YUI development team has released version 2.5.2; you can download the new release from SourceFor
Jun. 2, 2008 05:00 AM
ADS BY GOOGLE
BREAKING JAVA NEWS
XS2Theworld's Speaking Travel Guide Wins MCA 2008 Award
Jul. 3, 2008 04:30 AM