Securing Ajax Applications

Book Description

Ajax applications should be open yet secure. Far too often security is added as an afterthought. Potential flaws need to be identified and addressed right away. This book explores Ajax and web application security with an eye for dangerous gaps and offers ways that you can plug them before they become a problem. By making security part of the process from the start, you will learn how to build secure Ajax applications and discover how to respond quickly when attacks occur. Securing Ajax Applications succinctly explains that the same back-and-forth communications that make Ajax so responsive also give invaders new opportunities to gather data, make creative new requests of your server, and interfere with the communications between you and your customers. This book presents basic security techniques and examines vulnerabilities in JavaScript, XML, JSON, Flash, and other technologies -- vital information that will ultimately save you time and money. Topics include:

  • An overview of the evolving web platform, including APIs, feeds, web services and asynchronous messaging

  • Web security basics, including common vulnerabilities, common cures, state management and session management

  • How to secure web technologies, such as Ajax, JavaScript, Java applets, ActiveX controls, plug-ins, Flash and Flex

  • How to protect your server, including front-line defense, dealing with application servers, PHP and scripting

  • Vulnerabilities among web standards such as HTTP, XML, JSON, RSS, Atom, REST, and XDOS

  • How to secure web services, build secure APIs, and make open mashups secure

Securing Ajax Applications takes on the challenges created by this new generation of web development, and demonstrates why web security isn't just for administrators and back-end programmers any more. It's also for web developers who accept the responsibility that comes with using the new wonders of the Web.

Table of Contents

  1. Securing Ajax Applications
    1. SPECIAL OFFER: Upgrade this ebook with O’Reilly
    2. Preface
      1. Audience
      2. Assumptions This Book Makes
      3. Contents of This Book
      4. Conventions Used in This Book
      5. Using Code Examples
      6. How to Contact Us
      7. Safari® Enabled
      8. Acknowledgments
    3. 1. The Evolving Web
      1. 1.1. The Rise of the Web
        1. 1.1.1. Hypertext Transfer Protocol (HTTP)
        2. 1.1.2. HTTP Transactions
        3. 1.1.3. The response
        4. 1.1.4. HTTP Methods
          1. 1.1.4.1. Safe methods
          2. 1.1.4.2. Idempotent methods
        5. 1.1.5. HTTP Response
          1. 1.1.5.1. HTTP status codes
          2. 1.1.5.2. 2xx success codes
          3. 1.1.5.3. 3xx redirection codes
          4. 1.1.5.4. 4xx client error codes
          5. 1.1.5.5. 5xx server error codes
        6. 1.1.6. HTTP Headers
          1. 1.1.6.1. General headers
          2. 1.1.6.2. Request headers
          3. 1.1.6.3. Response headers
          4. 1.1.6.4. Entity headers
          5. 1.1.6.5. Content headers
        7. 1.1.7. Message or Entity Body
        8. 1.1.8. HTML
        9. 1.1.9. Mosaic and Netscape
        10. 1.1.10. The Browser Wars
        11. 1.1.11. Plug-ins, ActiveX, Applets, and JavaScript, Flash
          1. 1.1.11.1. Java applets
          2. 1.1.11.2. ActiveX
          3. 1.1.11.3. Flash
        12. 1.1.12. The Dot-Com Bubble
        13. 1.1.13. Web Servers
          1. 1.1.13.1. Netscape Enterprise Server
          2. 1.1.13.2. Apache
          3. 1.1.13.3. Microsoft's Internet Information Server (IIS)
        14. 1.1.14. e-commerce
          1. 1.1.14.1. The web application
          2. 1.1.14.2. Application servers
          3. 1.1.14.3. Commercials for Internet companies
        15. 1.1.15. Pop!
        16. 1.1.16. The Hero, Ajax
          1. 1.1.16.1. XMLHTTP
          2. 1.1.16.2. XMLHttpRequest
          3. 1.1.16.3. XMLHttpRequest life cycle
        17. 1.1.17. What Is an API?
          1. 1.1.17.1. Google maps the way
          2. 1.1.17.2. Security problem
          3. 1.1.17.3. Solution: The Google Maps API
        18. 1.1.18. Why Worry?
          1. 1.1.18.1. Recreational developers
          2. 1.1.18.2. Rapid application development (RAD)
          3. 1.1.18.3. Software development life cycle (SDLC)
          4. 1.1.18.4. CCPD
        19. 1.1.19. For More Information
    4. 2. Web Security
      1. 2.1. Security Basics
        1. 2.1.1. Build Security In
          1. 2.1.1.1. Expect the unexpected
          2. 2.1.1.2. Subjects
          3. 2.1.1.3. Objects
          4. 2.1.1.4. Operations
          5. 2.1.1.5. Surface area
          6. 2.1.1.6. Confidentiality
          7. 2.1.1.7. Privacy
          8. 2.1.1.8. Encryption
          9. 2.1.1.9. Integrity/validation
          10. 2.1.1.10. Authentication
          11. 2.1.1.11. Authorization and access control
          12. 2.1.1.12. Separation of duties
          13. 2.1.1.13. Nonrepudiation
          14. 2.1.1.14. Availability
          15. 2.1.1.15. Trust
      2. 2.2. Risk Analysis
        1. 2.2.1. Web Application Anatomy
          1. 2.2.1.1. Entry points
          2. 2.2.1.2. Trust level
          3. 2.2.1.3. Assets
          4. 2.2.1.4. Threats and attack path
          5. 2.2.1.5. Think like an attacker
        2. 2.2.2. Threat Profiling
      3. 2.3. Common Web Application Vulnerabilities
        1. 2.3.1. OWASP
          1. 2.3.1.1. OWASP top 10
        2. 2.3.2. Unvalidated Input
          1. 2.3.2.1. Positive versus negative validation
          2. 2.3.2.2. Client-side validation
          3. 2.3.2.3. Fuzzing
        3. 2.3.3. Broken Access Control
          1. 2.3.3.1. Administration interfaces
        4. 2.3.4. Broken Authentication and Session Management
          1. 2.3.4.1. What is an authentication factor?
          2. 2.3.4.2. Login credentials
          3. 2.3.4.3. Administrative interfaces
          4. 2.3.4.4. Session management
          5. 2.3.4.5. Don't let an old caller back in
        5. 2.3.5. Cross-Site Scripting (XSS)
        6. 2.3.6. Buffer Overflow
          1. 2.3.6.1. Buffer overflows in web applications
        7. 2.3.7. Injection Flaws
        8. 2.3.8. Improper Error Handling
        9. 2.3.9. Insecure Storage
        10. 2.3.10. Application Denial of Service
        11. 2.3.11. Insecure Configuration Management
        12. 2.3.12. Other Vulnerabilities
        13. 2.3.13. For More Information
    5. 3. Securing Web Technologies
      1. 3.1. How Web Sites Communicate
        1. 3.1.1. Client to Server Communications
        2. 3.1.2. Server to Server Communications
          1. 3.1.2.1. Screen scraping
        3. 3.1.3. Domain to Domain (Cross-Domain) Communications
          1. 3.1.3.1. XML
          2. 3.1.3.2. JSON
          3. 3.1.3.3. Web services
      2. 3.2. Browser Security
        1. 3.2.1. STRIDE
        2. 3.2.2. Web Security Controls
          1. 3.2.2.1. SSL/TLS transport encryption
          2. 3.2.2.2. Encrypting data with symmetric encryption
          3. 3.2.2.3. The browser's same-origin policy
        3. 3.2.3. Client-Side Data and Managing State
          1. 3.2.3.1. HTML input fields
          2. 3.2.3.2. Cookies and HTTP headers
          3. 3.2.3.3. URL rewriting
        4. 3.2.4. Protecting Data in Transit
        5. 3.2.5. Session Management
      3. 3.3. Browser Plug-ins, Extensions, and Add-ons
        1. 3.3.1. ActiveX
        2. 3.3.2. Java Applets
        3. 3.3.3. JavaScript
        4. 3.3.4. XHTML/DOM Manipulation
        5. 3.3.5. Flash
          1. 3.3.5.1. Flex
          2. 3.3.5.2. ActionScript
        6. 3.3.6. HTML and CSS
        7. 3.3.7. Ajax
          1. 3.3.7.1. Authenticating users
          2. 3.3.7.2. Preventing parameter tampering
          3. 3.3.7.3. Protecting data in transit
          4. 3.3.7.4. Preventing session hijacking
          5. 3.3.7.5. Validating input
          6. 3.3.7.6. Securing configurations
          7. 3.3.7.7. Exception handling
          8. 3.3.7.8. Auditing user activity
          9. 3.3.7.9. Protecting data in storage
        8. 3.3.8. For More Information
    6. 4. Protecting the Server
      1. 4.1. Network Security
        1. 4.1.1. Firewalls
          1. 4.1.1.1. Trust boundaries
          2. 4.1.1.2. Security concerns
          3. 4.1.1.3. Port 80
          4. 4.1.1.4. SSL
          5. 4.1.1.5. SSL proxies
          6. 4.1.1.6. Network tiers and the DMZ
          7. 4.1.1.7. Separation of duties
      2. 4.2. Host Security
        1. 4.2.1. Ubuntu
          1. 4.2.1.1. Automatic LAMP
        2. 4.2.2. OS Hardening
          1. 4.2.2.1. Accounts management
          2. 4.2.2.2. Running services
          3. 4.2.2.3. SUID and SGID
        3. 4.2.3. Logging and Auditing
          1. 4.2.3.1. Unix/Linux
          2. 4.2.3.2. Facilities and priorities
          3. 4.2.3.3. Syslog configuration file (/etc/syslog.conf)
          4. 4.2.3.4. Process accounting
          5. 4.2.3.5. Windows
          6. 4.2.3.6. A logging server
        4. 4.2.4. Keeping Up to Date
          1. 4.2.4.1. APT
          2. 4.2.4.2. Windows update
        5. 4.2.5. Host Firewall
          1. 4.2.5.1. Using iptables
        6. 4.2.6. Intrusion Detection
          1. 4.2.6.1. Log examination
          2. 4.2.6.2. File integrity checks
          3. 4.2.6.3. Network monitoring
        7. 4.2.7. Make a Copy
          1. 4.2.7.1. Partimage
          2. 4.2.7.2. dd_rescue
        8. 4.2.8. Incident Response
          1. 4.2.8.1. Have a plan (disaster recovery plan)
          2. 4.2.8.2. HELP! I've been hacked!
      3. 4.3. Web Server Hardening
        1. 4.3.1. Apache HTTP Server
          1. 4.3.1.1. Security concerns
        2. 4.3.2. mod_security
          1. 4.3.2.1. Installation
          2. 4.3.2.2. Basic configuration
          3. 4.3.2.3. Actions
          4. 4.3.2.4. Filters
          5. 4.3.2.5. Resources
        3. 4.3.3. PHP
          1. 4.3.3.1. Hardening guidelines
        4. 4.3.4. Microsoft Internet Information Server (IIS)
          1. 4.3.4.1. Lock down server
          2. 4.3.4.2. Secure configurations for web servers
          3. 4.3.4.3. Hardening guidelines
          4. 4.3.4.4. Security concerns
      4. 4.4. Application Server Hardening
        1. 4.4.1. Java and .NET
          1. 4.4.1.1. Hardening guidelines
        2. 4.4.2. For More Information
    7. 5. A Weak Foundation
      1. 5.1. HTTP Vulnerabilities
        1. 5.1.1. Input Validation
        2. 5.1.2. Authentication and Session Management
          1. 5.1.2.1. Authentication hijacking
          2. 5.1.2.2. HTTP basic authentication
          3. 5.1.2.3. Security and session IDs
        3. 5.1.3. Authorization
      2. 5.2. The Threats
        1. 5.2.1. Cross-Site Scripting (XSS)
        2. 5.2.2. Injection Vulnerabilities
          1. 5.2.2.1. SQL injection
          2. 5.2.2.2. Lightweight Directory Access Protocol (LDAP) injection
          3. 5.2.2.3. Command or process injection
          4. 5.2.2.4. HTTP response splitting
          5. 5.2.2.5. DOM injection and JavaScript
          6. 5.2.2.6. Cross-site Request Forgery (CSRF or XSRF)
          7. 5.2.2.7. Cross-user defacement
          8. 5.2.2.8. Cache poisoning
        3. 5.2.3. Other Vulnerabilities
          1. 5.2.3.1. Buffer overflows
          2. 5.2.3.2. Insecure storage
          3. 5.2.3.3. Application denial of service
        4. 5.2.4. Data Handling
          1. 5.2.4.1. Improper error handling
      3. 5.3. JSON
        1. 5.3.1.
          1. 5.3.1.1. Validation and implementation
          2. 5.3.1.2. Authentication and authorization
          3. 5.3.1.3. Script/same origin policy
      4. 5.4. XML
        1. 5.4.1. Input Validation
        2. 5.4.2. Authentication and Authorization
        3. 5.4.3. Injection Flaws
        4. 5.4.4. Insecure Storage
        5. 5.4.5. XML Denial of Service (XDOS)
      5. 5.5. RSS
        1. 5.5.1.
          1. 5.5.1.1. Consuming RSS
      6. 5.6. Atom
        1. 5.6.1.
          1. 5.6.1.1. Atom compared to RSS
        2. 5.6.2. Signing Content
      7. 5.7. REST
        1. 5.7.1.
          1. 5.7.1.1. REST web services characteristics
          2. 5.7.1.2. Principles of REST web service design
        2. 5.7.2. For More Information
    8. 6. Securing Web Services
      1. 6.1. Web Services Overview
        1. 6.1.1. Service Oriented Architecture (SOA)
        2. 6.1.2. Ajax and Web Services
        3. 6.1.3. Simple Object Access Protocol (SOAP)
          1. 6.1.3.1. Anatomy of a SOAP message
          2. 6.1.3.2. SOAP envelope
          3. 6.1.3.3. SOAP headers
          4. 6.1.3.4. SOAP body
          5. 6.1.3.5. SOAP faults
        4. 6.1.4. Universal Description Discovery and Integration (UDDI)
        5. 6.1.5. Web Service Description Language (WSDL)
          1. 6.1.5.1. Anatomy of a WSDL document
          2. 6.1.5.2. Hooking up the Ajax
      2. 6.2. Security and Web Services
        1. 6.2.1. Identification
        2. 6.2.2. Authentication
          1. 6.2.2.1. Username and password
          2. 6.2.2.2. X509 digital certificates
          3. 6.2.2.3. Security Assertion Markup Language (SAML)
        3. 6.2.3. Passing Credentials
        4. 6.2.4. Authorization
          1. 6.2.4.1. Least privilege/separation of duties
        5. 6.2.5. Confidentiality and Transport Layer Security
        6. 6.2.6. Information Leakage
        7. 6.2.7. Data Integrity and Message-Level Security
          1. 6.2.7.1. XML encryption
          2. 6.2.7.2. XML digital signatures
          3. 6.2.7.3. Message/security extensibility
        8. 6.2.8. Auditing and Nonrepudiation
        9. 6.2.9. Don't Forget It's the Web
      3. 6.3. Web Service Security
        1. 6.3.1.
          1. 6.3.1.1. Secure header management
          2. 6.3.1.2. Secure tokens and credentials
          3. 6.3.1.3. Timestamping
        2. 6.3.2. For More Information
    9. 7. Building Secure APIs
      1. 7.1. Building Your Own APIs
        1. 7.1.1. API Construction
        2. 7.1.2. API Design
          1. 7.1.2.1. Design web APIs by contract
      2. 7.2. Preconditions
      3. 7.3. Postconditions
      4. 7.4. Invariants
        1. 7.4.1. Building a Good API
      5. 7.5. Security Concerns
        1. 7.5.1. Authentication
        2. 7.5.2. Data Validation
        3. 7.5.3. Content Validation and Authentication
        4. 7.5.4. Availability
        5. 7.5.5. Information Leakage
      6. 7.6. RESTful Web Services
        1. 7.6.1. Why Use REST?
        2. 7.6.2. Who Is Using REST?
        3. 7.6.3. How REST Web Services Work
          1. 7.6.3.1. GET versus POST
          2. 7.6.3.2. Communication choices
        4. 7.6.4. REST Example
          1. 7.6.4.1. Get word list
          2. 7.6.4.2. Get word
          3. 7.6.4.3. Rate a word
        5. 7.6.5. For More Information
    10. 8. Mashups
      1. 8.1. Web Applications and Open Internet APIs
      2. 8.2. Wild Web 2.0
      3. 8.3. Mashups and Security
        1. 8.3.1. Lack of Trust
        2. 8.3.2. The Dark Side
      4. 8.4. Open Versus Secure
        1. 8.4.1. Lack of Security Standards
      5. 8.5. A Security Blanket
        1. 8.5.1. Confidentiality
        2. 8.5.2. Integrity
        3. 8.5.3. Availability
      6. 8.6. Case Studies
        1. 8.6.1. Pageflakes.com
          1. 8.6.1.1. Company
          2. 8.6.1.2. Location
          3. 8.6.1.3. Authentication mechanisms
          4. 8.6.1.4. The pulp
          5. 8.6.1.5. Content representation
          6. 8.6.1.6. User-specific data
          7. 8.6.1.7. Additional services
          8. 8.6.1.8. Security concerns
        2. 8.6.2. Public911.com
          1. 8.6.2.1. Company
          2. 8.6.2.2. Location
          3. 8.6.2.3. Authentication mechanisms
          4. 8.6.2.4. The pulp
          5. 8.6.2.5. Content representation
          6. 8.6.2.6. User-specific data
          7. 8.6.2.7. Additional services
          8. 8.6.2.8. Security concerns
        3. 8.6.3. WeatherBonk.com
          1. 8.6.3.1. Company
          2. 8.6.3.2. Location
          3. 8.6.3.3. Authentication mechanisms
          4. 8.6.3.4. The pulp
          5. 8.6.3.5. Content representation
          6. 8.6.3.6. User-specific data
          7. 8.6.3.7. Additional services
          8. 8.6.3.8. Security features
        4. 8.6.4. HousingMaps.com
          1. 8.6.4.1. Location
          2. 8.6.4.2. Authentication mechanisms
          3. 8.6.4.3. The pulp
          4. 8.6.4.4. Content representation
          5. 8.6.4.5. User-specific data
          6. 8.6.4.6. Security concerns
        5. 8.6.5. Conclusion
        6. 8.6.6. For More Information
    11. About the Author
    12. Colophon
    13. SPECIAL OFFER: Upgrade this ebook with O’Reilly