
Ajax Security




DOCUMENT INFORMATION

Basic information

Pages: 498
Size: 12.45 MB

Contents (excerpts from the document, in the order extracted; "[...]" marks text cut by the preview)

[...] attacks and create a truly secure and trustworthy Ajax application.

AN AJAX PRIMER
Before we delve into the particulars of Ajax security, it is worthwhile for us to briefly review the basics of Ajax technology. If you're confident that you have a solid grasp of Ajax fundamentals, feel free to proceed to the next section, "The Ajax Architecture Shift."

WHAT IS AJAX?
Normally, when a browser makes a request [...]

[...] limitation. The Web may allow us to write an application once and use it anywhere, but Ajax allows us to write a practical and effective application once and use it anywhere.

CHAPTER 1 INTRODUCTION TO AJAX SECURITY
Unfortunately, there is one huge buzzing, stinging fly in the Ajax ointment: security. From a security perspective, Ajax applications are more difficult to design, develop, and test than traditional [...]

[...] security over a round or two.

1 Introduction to Ajax Security
Myth: Ajax applications are just Web pages with extra bells and whistles.
Ajax (Asynchronous JavaScript and XML) is taking the World Wide Web by storm. It is not at all an overstatement to say that Ajax has the potential to revolutionize the way we use the Internet, and even computers in general. Ajax is a fundamental component of Web 2.0, a complete [...]

[...] Security Testing

Chapter 15 Analysis of Ajax Frameworks
ASP.NET
ASP.NET AJAX (formerly Atlas)
ScriptService
Security Showdown: UpdatePanel Versus ScriptService
ASP.NET AJAX and WSDL
ValidateRequest
ViewStateUserKey
ASP.NET Configuration and Debugging
PHP
Sajax
Sajax and Cross-Site Request Forgery
Java EE
Direct Web Remoting [...]

[...] wait to discover, such as the analysis of specific Ajax frameworks for security issues (which can be found in Chapter 15, "Analysis of Ajax Frameworks"), feel free to skip ahead or read out of order. Ajax provides an exciting new philosophy for creating Web applications. This book is by no means an attempt to dismiss Ajax as silly or infeasible from a security perspective. Instead, we hope to provide a [...]

[...] simplified Ajax-based SQL Injection method, which requires only two requests to extract the entire backend database. This is not a book for learning Ajax or Web programming; we expect you to have a pretty good handle on that already. Instead, we will focus on the mistakes and problems with the design and creation of Ajax applications that create security vulnerabilities and provide advice on how to develop Ajax [...]

Testing Ajax Applications
Black Magic
Not Everyone Uses a Web Browser to Browse the Web
Catch-22
Security Testing Tools, or Why Real Life Is Not Like Hollywood
Site Cataloging
Vulnerability Detection
Analysis Tool: Sprajax
Analysis Tool: Paros Proxy
Analysis Tool: LAPSE (Lightweight Analysis for Program Security in Eclipse)
Analysis Tool: WebInspect
Additional Thoughts on Security Testing [...]

[...] focused on the Internet security software industry. Prior to HP, Bryan was a security researcher for SPI Dynamics, a leading Web application security company acquired by HP in August 2007. While at SPI, he created the DevInspect product, which analyzes Web applications for security vulnerabilities during development. Bryan is a frequent speaker at industry events, most recently AjaxWorld, Black Hat, and [...]

[...] Storage
Session Storage
Global Storage
The Devilish Details of DOM Storage
DOM Storage Security
DOM Storage Summary
Internet Explorer userData
Security Summary

Chapter 8 Hijacking Ajax Applications
Hijacking Ajax Frameworks
Accidental Function Clobbering
Function Clobbering for Fun and Profit
Hijacking On-Demand Ajax
Hijacking JSON APIs
Hijacking Object Literals
Root of JSON Hijacking
Defending Against [...]

[...] bypassed authentication mechanisms. Ajax may have the inherent usability strengths of both desktop and Web applications, but it also has both of their inherent security weaknesses. Still, security seems to be an afterthought for most developers.

PREFACE
We hope to change that perspective. We wrote this book for the Ajax developer who wants to implement the latest and greatest Ajax features in their applications, [...]

[...] 1980-
Ajax security / Billy Hoffman and Bryan Sullivan.
p. cm.
ISBN 0-321-49193-9 (pbk. : alk. paper)
1. Ajax (Web site development technology) 2. Computer networks: Security measures. 3. Computer security. [...]

[...] Real One)

Chapter 1 Introduction to Ajax Security
An Ajax Primer
What Is Ajax?
Asynchronous
JavaScript
XML
Dynamic HTML (DHTML)
The Ajax Architecture Shift
Thick-Client [...] Architecture
Ajax: The Goldilocks of Architecture
A Security Perspective: Thick-Client Applications
A Security Perspective: Thin-Client Applications
A Security Perspective: Ajax Applications

Posted: 25/03/2014, 11:06
