Securing Ajax Applications

Christopher Wells

Beijing • Cambridge • Farnham • Köln • Paris • Sebastopol • Taipei • Tokyo

Securing Ajax Applications
by Christopher Wells

Copyright © 2007 Christopher Wells. All rights reserved.
Printed in the United States of America.

Published by O’Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472.

O’Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (safari.oreilly.com). For more information, contact our corporate/institutional sales department: (800) 998-9938 or corporate@oreilly.com.

Editor: Tatiana Apandi
Production Editor: Mary Brady
Production Services: Tolman Creek Design
Cover Designer: Karen Montgomery
Interior Designer: David Futato
Illustrators: Robert Romano and Jessamyn Read

Printing History:
July 2007: First Edition.

Nutshell Handbook, the Nutshell Handbook logo, and the O’Reilly logo are registered trademarks of O’Reilly Media, Inc. Securing Ajax Applications, the image of a spotted hyena, and related trade dress are trademarks of O’Reilly Media, Inc.

Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and O’Reilly Media, Inc. was aware of a trademark claim, the designations have been printed in caps or initial caps.

While every precaution has been taken in the preparation of this book, the publisher and author assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.

This book uses RepKover™, a durable and flexible lay-flat binding.

ISBN-10: 0-596-52931-7
ISBN-13: 978-0-596-52931-4

To Jennafer, my honey, and Maggie, my bit of honey: you two are what make life so sweet.

Table of Contents

Preface  ix

1. The Evolving Web  1
   The Rise of the Web  2

2. Web Security  29
   Security Basics  29
   Risk Analysis  37
   Common Web Application Vulnerabilities  40

3. Securing Web Technologies  56
   How Web Sites Communicate  56
   Browser Security  61
   Browser Plug-ins, Extensions, and Add-ons  76

4. Protecting the Server  99
   Network Security  100
   Host Security  103
   Web Server Hardening  121
   Application Server Hardening  128

5. A Weak Foundation  130
   HTTP Vulnerabilities  131
   The Threats  136
   JSON  143
   XML  146
   RSS  148
   Atom  149
   REST  152

6. Securing Web Services  155
   Web Services Overview  156
   Security and Web Services  167
   Web Service Security  172

7. Building Secure APIs  174
   Building Your Own APIs  174
   Preconditions  179
   Postconditions  180
   Invariants  180
   Security Concerns  181
   RESTful Web Services  183

8. Mashups  190
   Web Applications and Open Internet APIs  191
   Wild Web 2.0  192
   Mashups and Security  194
   Open Versus Secure  198
   A Security Blanket  199
   Case Studies  201

Index  213

Preface

Deciding to add security to a web application is like deciding whether to wear clothes in the morning. Both decisions provide comfort and protection throughout the day, and in both cases the decisions are better made beforehand rather than later. Just look around and ask yourself, “How open do I really want to be with my neighbors?” Or, “How open do I really want them to be with me?” It’s all about sharing.
With web sites sharing data via open APIs, web services, and other new technologies, we are experiencing the veritable Woodstock of the digital age. Free love now takes the form of free content and services. Make mashups, not web pages!

All right, so let’s get down to business. Believe it or not, there is security in openness. Look at the United States government, for example. The openness of the U.S. governmental system is what helps keep it secure. Maybe that can work for us, too! Repeat after me:

We, the programmers, in order to build a more perfect Web; to establish presence and ensure server stability; provide for the common Web; promote general security; for ourselves and our posterity; do ordain and establish this constitution…

Sadly, it is not quite that easy—or is it? Checks and balances make governments work. There are layers of cooperation and defense. Each layer provides defense in depth.

Web application security is a serious business. All web applications are or will be vulnerable to some form of attack. The thing to remember is that most people are good, and security is implemented to thwart those who are not. So, the chances of your application getting attacked are proportional to the number of bad apples out there.

Audience

This book is for programmers on the front lines looking for a solid resource to help them protect their applications from harm. It is also for the developer or architect interested in sharing or consuming content in a safe way.

[...]

Chapter 5, A Weak Foundation
Explores the major protocols associated with web applications, where the seams are, what the possible attack vectors might be, and some recommended countermeasures to help make applications more secure.

Chapter 6, Securing Web Services
Looks at how web services work, the moving parts, how web technologies such as Ajax can fit in, and what major areas require security attention.

Chapter...
...forget that our applications must still defend themselves. As technology moves forward, and we find our applications becoming more interactive—sharing data between themselves and other sites—it raises a host of new security concerns. Our applications might consist of services provided by multiple providers (sites), each hosting its own piece of the application. The surface area of these applications grows...

...book into your product’s documentation does require permission. We appreciate, but do not require, attribution. An attribution usually includes the title, author, publisher, and ISBN. For example: “Securing Ajax Applications by Christopher Wells. Copyright 2007 Christopher Wells, 978-0-596-52931-4.” If you feel your use of code examples falls outside fair use or the permission given above, feel free to contact...

...and guard against—expanding both with technologies such as AJAX on the client and REST or Web Services on the server. Luckily, we are not left completely empty-handed. Web security is not new. There are some effective techniques and best practices that we can apply to these new applications. Today, web programming languages make it easy to build applications without having to worry about the underlying...

...implemented the new features to help support its Microsoft Outlook Web Client.

The Hero, Ajax

Oh boy! We’ve finally gotten to the good stuff. So, what exactly is Ajax? A Greek hero second only in strength to Achilles? A chlorine-based chemical used for cleaning your toilet? Or a powerful new way to make ordinary web pages into web applications?

In 2005, a JavaScript-slinging outlaw named Jesse James Garrett, ...
...trail. Instead of the single request-response model, Ajax offers the capability to create micro—page level—requests that just update particular portions of the page. The browser does not have to do a full refresh. Figure 1-8 shows an XMLHttpRequest transaction. What makes Ajax different from previous attempts to provide a richer client-side experience is that Ajax leverages technology already present in the...

...essay about how he could achieve dynamic drag-and-drop functionality without downloading any add-ons or plug-ins and by using the tools already available in the browsers—*poof*—Ajax was born. Garrett was the first to coin the term Ajax, though he didn’t mean it to stand for anything. Since then, others have forced the acronym to be Asynchronous JavaScript And Xml. Garrett recognized that the classic request-response...

...was creating the foundation for today’s commerce. Today, we don’t even see HTTP unless we deliberately want to. It has, for the most part, been abstracted away from us. Yet, it is at the very heart of our applications.

Hypertext Transfer Protocol (HTTP)

There’s this guy—let’s call him Jim. He’s an old-timer who can spin yarns about the first time he ever sat down at a PDP-11. He still has his first programs...

...like Jim and tickle the server into giving up its information? Well, there is actually a whole set of commands baked into the HTTP protocol that are rarely seen by anyone. But because we are building our applications on top of these commands, we should see how they actually work. I’d highly recommend (and I’m sure Jim would agree) that you read HTTP: The Definitive Guide by David Gourley and Brian Totty...
...methods—meaning no action (or state change) will be taken on the server. The two main methods, GET and HEAD, fall into this category. Unfortunately, this “safeness” is more of a guideline than a rule. Some applications have been known to break this contract by posting live data via the GET method using things such as the QueryString parameters.

It is architecturally
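The safe-method contract described above, as an added example that is not code from the book: a small request dispatcher (the names `dispatch`, `readOnlyView`, `routes` and `createStore` are hypothetical) hands GET and HEAD handlers a read-only view of application state, so a handler that writes live data through a GET query string, the contract break the text describes, fails loudly instead of silently changing state. The store, route table and requests are constructed for the example.

```javascript
'use strict';

// Added example, not from the book. HTTP defines GET and HEAD as "safe":
// a handler bound to them must not change server state.
const SAFE_METHODS = new Set(['GET', 'HEAD']);

// Constructed application state standing in for a datastore.
function createStore() {
  return { counter: 0, items: [] };
}

class SafeMethodViolation extends Error {}

// Wrap state (recursively) in a Proxy that rejects every write, so a safe-method
// handler cannot mutate it, even through nested arrays or objects.
function readOnlyView(state) {
  const deny = () => { throw new SafeMethodViolation('write attempted on a safe method'); };
  const handler = {
    get(target, prop, receiver) {
      const value = Reflect.get(target, prop, receiver);
      return value !== null && typeof value === 'object' ? new Proxy(value, handler) : value;
    },
    set: deny,
    deleteProperty: deny,
    defineProperty: deny,
  };
  return new Proxy(state, handler);
}

// Hypothetical route table. Each handler receives (state, req) and returns { status, body }.
const routes = {
  // Correct: a safe method that only reads.
  'GET /items': (state) => ({ status: 200, body: JSON.stringify(state.items) }),

  // Correct: a state change behind an unsafe method.
  'POST /items': (state, req) => {
    state.items.push(req.body);
    state.counter += 1;
    return { status: 201, body: '' };
  },

  // The anti-pattern from the text: live data written via a GET query string.
  'GET /add': (state, req) => {
    state.items.push(req.query.item);
    return { status: 200, body: 'added' };
  },
};

// Dispatch one request. HEAD falls back to the GET handler but returns no body.
function dispatch(state, req) {
  const handler = routes[`${req.method} ${req.path}`]
    || (req.method === 'HEAD' ? routes[`GET ${req.path}`] : undefined);
  if (!handler) return { status: 404, body: 'not found' };

  // Safe methods get a view that cannot be written; unsafe methods get the real store.
  const view = SAFE_METHODS.has(req.method) ? readOnlyView(state) : state;
  try {
    const res = handler(view, req);
    return req.method === 'HEAD' ? { status: res.status, body: '' } : res;
  } catch (err) {
    if (err instanceof SafeMethodViolation) {
      // Surface the contract break instead of letting the write through.
      return { status: 500, body: `safe-method contract broken: ${err.message}` };
    }
    throw err;
  }
}

// Constructed run: POST creates, GET reads, GET /add is caught, HEAD has no body,
// and the store still holds only the item written by POST.
function demo() {
  const store = createStore();
  return [
    dispatch(store, { method: 'POST', path: '/items', body: 'widget' }).status,
    dispatch(store, { method: 'GET', path: '/items' }).body,
    dispatch(store, { method: 'GET', path: '/add', query: { item: 'sneaky' } }).status,
    dispatch(store, { method: 'HEAD', path: '/items' }).body,
    store.items.length,
  ];
}

if (typeof require !== 'undefined' && require.main === module) console.log(demo());
```

The Proxy is the enforcement point: a real framework would instead reject or log the mutation at the datastore or ORM layer, but the check belongs on the server side in either case, since a client (or a crawler following links) can issue a GET with any query string it likes.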