
GWT: Advanced AJAX Security

1/3/2008

The key is understanding JS variables. Essentially, everything is an object, including primitives and functions, Hoffman said. All global variables and functions are properties of a global object, and the Web browser provides a window into these objects. Hoffman's HOOK JavaScript Monitoring Framework (which a smart hacker could replicate) lets him enumerate the environment and trap on-demand code. It also sidesteps obfuscation by reading from the environment itself.

He also attacked what he calls the myth of the same origin policy: the claim that "same origin restrictions" prevent JavaScript from seeing third-party content. In fact, he said, they only do so partially.

Stop JSON Hijacking
Then he discussed JSON hijacking, showing how hackers use remote scripting to read JSON Web services. The defense he described rests on a difference between the two ways a browser can fetch a response. XMLHttpRequest lets the page see the response and perform operations on it before eval()ing it, whereas a <SCRIPT SRC> tag that a hacker points at the JSON Web service to harvest the returned data executes whatever comes back as-is. So you make the JSON response nonvalid JavaScript: the XHR (XMLHttpRequest) client removes the invalidating part before evaluating, and the <SCRIPT SRC> fails.
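
The following is an added example, not code from the article or from Hoffman's HOOK framework, that works through the defense described above. The prefix string, the sample payload and the user names are constructed; the client side uses JSON.parse rather than the eval() the talk refers to, since it accepts data only. The `compilesAsScript` helper stands in for what a <SCRIPT SRC> tag does with a fetched body.

```javascript
// Added example, not code from the article or from Hoffman's HOOK framework.
// A top-level JSON array is a valid JavaScript program, which is what lets a
// <script src="..."> tag pointed at a JSON Web service execute the response.
// Prefixing the body with a token that is a syntax error defeats that, while a
// same-origin XMLHttpRequest caller strips the token before parsing.
// The prefix below is an assumed choice; any unbalanced token serves.
const ANTI_HIJACK_PREFIX = ")]}',\n";

// Server side: wrap the service's JSON so it no longer parses as a script.
function wrapJsonResponse(payload) {
  return ANTI_HIJACK_PREFIX + JSON.stringify(payload);
}

// Stand-in for what a <script src> tag does: compile the body as a program.
// Only compilation is attempted, so nothing in the body actually runs here.
function compilesAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Client side (the XHR path): verify the prefix is present, strip it, then
// parse. JSON.parse is used instead of eval(); it accepts data only, never code.
function parseGuardedJson(body) {
  if (!body.startsWith(ANTI_HIJACK_PREFIX)) {
    throw new Error("response lacks the anti-hijacking prefix; refusing to parse");
  }
  return JSON.parse(body.slice(ANTI_HIJACK_PREFIX.length));
}

// Constructed sample payload, shaped like the data a hijacker would want.
const SAMPLE_PAYLOAD = [{ user: "alice", sessionToken: "constructed-token-1" }];

// Runs both fetch paths against the unprotected and the protected body.
function demo() {
  const unprotected = JSON.stringify(SAMPLE_PAYLOAD);
  const protectedBody = wrapJsonResponse(SAMPLE_PAYLOAD);
  return {
    unprotectedRunsAsScript: compilesAsScript(unprotected),  // true
    protectedRunsAsScript: compilesAsScript(protectedBody),   // false
    xhrClientResult: parseGuardedJson(protectedBody),         // the original array
  };
}

console.log(demo());
```

The point the two booleans make is the one in the paragraph: the same bytes are readable data to a same-origin XHR caller that knows to strip the prefix, and a dead syntax error to a script tag on someone else's page.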

In general, Hoffman says that if you want to secure AJAX applications you must do six things:

  1. Perform authentication/authorization checks on both Web pages and Web services.
  2. Group code libraries by function.
  3. Validate all input for your application, including HTTP headers, cookies, query string and POST data.
  4. Verify data type, length and format.
  5. Always use parameterized queries.
  6. Always encode output appropriately.
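
As an added example, not code from the article or from Hoffman's talk, here is one hypothetical AJAX endpoint that applies items 3 to 6 of the list above: it validates the incoming value for type, length and format, carries it in a parameterized query rather than splicing it into SQL text, and encodes the result for HTML before it reaches the page. The username format, the `$1` placeholder style, the endpoint itself and the in-memory row store are all assumptions; no real database is contacted. Items 1 and 2 (authentication checks and library grouping) are not shown.

```javascript
// Added example, not code from the article. One hypothetical profile-lookup
// endpoint with the validation, parameterized query and output encoding steps.

// Assumed format for usernames: 3 to 20 lowercase letters, digits or underscores.
const USERNAME_RE = /^[a-z0-9_]{3,20}$/;

// Items 3 and 4: check type, length and format before the value goes anywhere.
function validateUsername(raw) {
  if (typeof raw !== "string") return { ok: false, reason: "not a string" };
  if (raw.length < 3 || raw.length > 20) return { ok: false, reason: "bad length" };
  if (!USERNAME_RE.test(raw)) return { ok: false, reason: "bad format" };
  return { ok: true, value: raw };
}

// Item 5: the value is carried in `values`, never concatenated into `text`.
function buildProfileQuery(username) {
  return {
    text: "SELECT display_name, bio FROM users WHERE username = $1",
    values: [username],
  };
}

// Item 6: encode for an HTML text context.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function encodeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Constructed in-memory stand-in for the database. It receives the query
// object a real driver would and matches on the bound value only.
const FAKE_ROWS = {
  alice: { display_name: "Alice <admin>", bio: "<script>alert(1)</script>" },
};
function fakeExecute(query) {
  return FAKE_ROWS[query.values[0]] || null;
}

// One request through all four steps; `params` is the parsed query string
// or POST body and `execute` runs the query object.
function handleProfileRequest(params, execute) {
  const v = validateUsername(params.username);
  if (!v.ok) return { status: 400, body: "invalid username: " + v.reason };
  const row = execute(buildProfileQuery(v.value));
  if (!row) return { status: 404, body: "no such user" };
  return {
    status: 200,
    body: `<p>${encodeHtml(row.display_name)}: ${encodeHtml(row.bio)}</p>`,
  };
}

console.log(handleProfileRequest({ username: "alice" }, fakeExecute));
console.log(handleProfileRequest({ username: "alice' OR '1'='1" }, fakeExecute));
```

Note that the quoted value in the second call never reaches the query builder at all; it is rejected on format. Even if a looser format let it through, it would arrive in `values` and the SQL text would not change, which is what item 5 buys you.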

He wound up by touting the new book he coauthored, Ajax Security. He certainly made a case for AJAX developers thinking long and hard about this topic.


Lee The's first computer was a state of the art unit with 48 KB RAM and a 1 MHz processor. He has been writing and editing computer magazine articles since then, in between scuba diving trips. He's based in the San Francisco Bay Area. You can contact Lee about Access Cloud Data With Astoria at editor@reddevnews.com.


Lee Thé, "GWT: Advanced AJAX Security," Campus Technology, 1/3/2008, http://www.campustechnology.com/article.aspx?aid=57104
