DOCUMENT INFORMATION
Basic information
Format
Number of pages: 250
Size: 8.37 MB
Contents
[...] 5, A Weak Foundation
Explores the major protocols associated with web applications, where the seams are, what the possible attack vectors might be, and some recommended countermeasures to help make applications more secure.

Chapter 6, Securing Web Services
Looks at how web services work, the moving parts, how web technologies such as Ajax can fit in, and what major areas require security attention.

Chapter... [...] forget that our applications must still defend themselves. As technology moves forward, and we find our applications becoming more interactive—sharing data between themselves and other sites—it raises a host of new security concerns. Our applications might consist of services provided by multiple providers (sites), each hosting its own piece of the application. The surface area of these applications grows... [...] book into your product's documentation does require permission. We appreciate, but do not require, attribution. An attribution usually includes the title, author, publisher, and ISBN. For example: "Securing Ajax Applications by Christopher Wells. Copyright 2007 Christopher Wells, 978-0-596-52931-4." If you feel your use of code examples falls outside fair use or the permission given above, feel free to contact... [...] and guard against—expanding both with technologies such as AJAX on the client and REST or Web Services on the server. Luckily, we are not left completely empty-handed. Web security is not new. There are some effective techniques and best practices that we can apply to these new applications. Today, web programming languages make it easy to build applications without having to worry about the underlying...
buttons rather than links, thus making the user aware of possible obligations.

Idempotent methods
The HTTP methods GET, HEAD, PUT, and DELETE are defined to be idempotent, meaning that multiple identical requests should have the same effect on the server as a single request. (Idempotency is about the server-side effect, not the response: a second DELETE of an already-deleted resource may answer differently, but it must not change anything further.) The methods OPTIONS and TRACE, being safe, are inherently idempotent. POST is neither safe nor idempotent, which is why browsers warn before resubmitting a form.

HTTP Response
After we've successfully issued a command to a willing HTTP server, ... [...] implemented the new features to help support its Microsoft Outlook Web Client.

The Hero, Ajax
Oh boy! We've finally gotten to the good stuff. So, what exactly is Ajax? A Greek hero second only in strength to Achilles? A chlorine-based chemical used for cleaning your toilet? Or a powerful new way to make ordinary web pages into web applications? In 2005, a JavaScript-slinging outlaw named Jesse James Garrett... [...] trail. Instead of the single request-response model, Ajax offers the capability to create micro (page-level) requests that update just particular portions of the page, so the browser does not have to do a full refresh. Figure 1-8 shows an XMLHttpRequest transaction. What makes Ajax different from previous attempts to provide a richer client-side experience is that Ajax leverages technology already present in the... [...] essay about how he could achieve dynamic drag-and-drop functionality without downloading any add-ons or plug-ins and by using the tools already available in the browsers—*poof*, Ajax was born. Garrett was the first to coin the term Ajax, though he didn't mean it to stand for anything. Since then, others have forced the acronym to be Asynchronous JavaScript And XML. Garrett recognized that the classic request-response... [...] like Jim and tickle the server into giving up its information?
Well, there is actually a whole set of commands baked into the HTTP protocol that are rarely seen by anyone. But because we are building our applications on top of these commands, we should see how they actually work. I'd highly recommend (and I'm sure Jim would agree) that you read HTTP: The Definitive Guide by David Gourley and Brian Totty... [...] methods—meaning no action (or state change) will be taken on the server. The two main methods, GET and HEAD, fall into this category. Unfortunately, this "safeness" is more of a guideline than a rule. Some applications have been known to break this contract by posting live data via the GET method using things such as the query string parameters. The practical cost of breaking it is that anything able to make a browser issue a GET (a link, an image tag on another site, a prefetching proxy or crawler) can then trigger the state change, with the user's cookies attached. It is architecturally... [...]

Securing Ajax Applications
Christopher Wells
Beijing • Cambridge • Farnham • Köln • Paris • Sebastopol • Taipei • Tokyo

[...] logo, and the O'Reilly logo are registered trademarks of O'Reilly Media, Inc. Securing Ajax Applications, the image of a spotted hyena, and related trade dress are trademarks of O'Reilly Media, Inc. Many...