Securing Ajax Applications: Ensuring the Safety of the Dynamic Web


Author: Christopher Wells

Edition: 1

ISBN: 0596529317

Size: 3 MB (3532896 bytes)

Pages: 251/251

Ajax applications should be open yet secure. Far too often security is added as an afterthought. Potential flaws need to be identified and addressed right away. This book explores Ajax and web application security with an eye for dangerous gaps and offers ways that you can plug them before they become a problem. By making security part of the process from the start, you will learn how to build secure Ajax applications and discover how to respond quickly when attacks occur.

Securing Ajax Applications succinctly explains that the same back-and-forth communications that make Ajax so responsive also give invaders new opportunities to gather data, make creative new requests of your server, and interfere with the communications between you and your customers. This book presents basic security techniques and examines vulnerabilities with JavaScript, XML, JSON, Flash, and other technologies: vital information that will ultimately save you time and money.

Topics include:

An overview of the evolving web platform, including APIs, feeds, web services and asynchronous messaging
Web security basics, including common vulnerabilities, common cures, state management and session management
How to secure web technologies, such as Ajax, JavaScript, Java applets, ActiveX controls, plug-ins, Flash and Flex
How to protect your server, including front-line defense, dealing with application servers, PHP and scripting
Vulnerabilities among web standards such as HTTP, XML, JSON, RSS, ATOM, REST, and XDOS
How to secure web services, build secure APIs, and make open mashups secure

Securing Ajax Applications takes on the challenges created by this new generation of web development, and demonstrates why web security isn’t just for administrators and back-end programmers any more. It’s also for web developers who accept the responsibility that comes with using the new wonders of the Web.

Table of contents:
Securing Ajax Applications……Page 1
Table of Contents……Page 8
Audience……Page 10
Contents of This Book……Page 11
Using Code Examples……Page 12
Acknowledgments……Page 13
The Evolving Web……Page 16
Hypertext Transfer Protocol (HTTP)……Page 17
HTTP Transactions……Page 18
The response……Page 19
Safe methods……Page 20
HTTP Response……Page 21
3xx redirection codes……Page 22
4xx client error codes……Page 23
General headers……Page 24
Request headers……Page 25
Content headers……Page 26
HTML……Page 27
Mosaic and Netscape……Page 28
Java applets……Page 29
ActiveX……Page 30
The Dot-Com Bubble……Page 31
Apache……Page 32
Application servers……Page 33
Commercials for Internet companies……Page 34
Pop!……Page 35
The Hero, Ajax……Page 36
XMLHttpRequest life cycle……Page 37
What Is an API?……Page 40
Recreational developers……Page 41
CCPD……Page 42
For More Information……Page 43
Build Security In……Page 44
Objects……Page 45
Surface area……Page 46
Encryption……Page 47
Authentication……Page 48
Separation of duties……Page 49
Nonrepudiation……Page 50
Trust……Page 51
Entry points……Page 52
Think like an attacker……Page 53
Threat Profiling……Page 54
Common Web Application Vulnerabilities……Page 55
OWASP top 10……Page 56
Unvalidated Input……Page 57
Client-side validation……Page 58
Administration interfaces……Page 59
Login credentials……Page 60
Session management……Page 61
Cross-Site Scripting (XSS)……Page 62
Buffer Overflow……Page 63
Injection Flaws……Page 64
Improper Error Handling……Page 65
Insecure Storage……Page 66
Application Denial of Service……Page 67
Insecure Configuration Management……Page 68
Other Vulnerabilities……Page 69
For More Information……Page 70
How Web Sites Communicate……Page 71
Screen scraping……Page 72
Domain to Domain (Cross-Domain) Communications……Page 73
XML……Page 74
Web services……Page 75
STRIDE……Page 76
SSL/TLS transport encryption……Page 77
Encrypting data with symmetric encryption……Page 78
The browser’s same-origin policy……Page 80
Client-Side Data and Managing State……Page 81
HTML input fields……Page 83
Cookies and HTTP headers……Page 84
URL rewriting……Page 86
Protecting Data in Transit……Page 88
Session Management……Page 89
ActiveX……Page 91
Java Applets……Page 96
JavaScript……Page 98
XHTML/DOM Manipulation……Page 100
Flash……Page 103
ActionScript……Page 104
HTML and CSS……Page 106
Ajax……Page 108
Protecting data in transit……Page 109
Exception handling……Page 110
Protecting data in storage……Page 111
For More Information……Page 112
Protecting the Server……Page 114
Security concerns……Page 115
SSL proxies……Page 116
Separation of duties……Page 117
Automatic LAMP……Page 118
OS Hardening……Page 119
Accounts management……Page 120
Running services……Page 122
Facilities and priorities……Page 123
Syslog configuration file (/etc/syslog.conf)……Page 125
Windows……Page 127
APT……Page 128
Host Firewall……Page 129
Using iptables……Page 130
Intrusion Detection……Page 132
Network monitoring……Page 133
Incident Response……Page 134
Have a plan (disaster recovery plan)……Page 135
Web Server Hardening……Page 136
Apache HTTP Server……Page 137
mod_security……Page 138
Basic configuration……Page 139
Filters……Page 140
Lock down server……Page 141
Hardening guidelines……Page 142
Hardening guidelines……Page 143
For More Information……Page 144
A Weak Foundation……Page 145
Input Validation……Page 146
Authentication hijacking……Page 148
HTTP basic authentication……Page 149
Authorization……Page 150
Cross-Site Scripting (XSS)……Page 151
SQL injection……Page 152
HTTP response splitting……Page 153
DOM injection and JavaScript……Page 154
Cross-site Request Forgery (CSRF or XSRF)……Page 155
Buffer overflows……Page 156
Application denial of service……Page 157
JSON……Page 158
Validation and implementation……Page 159
Script/same origin policy……Page 160
Authentication and Authorization……Page 161
XML Denial of Service (XDOS)……Page 162
RSS……Page 163
Atom compared to RSS……Page 164
Signing Content……Page 165
REST web services characteristics……Page 167
Principles of REST web service design……Page 168
For More Information……Page 169
Securing Web Services……Page 170
Service Oriented Architecture (SOA)……Page 171
Ajax and Web Services……Page 172
Simple Object Access Protocol (SOAP)……Page 174
Anatomy of a SOAP message……Page 175
SOAP faults……Page 176
Universal Description Discovery and Integration (UDDI)……Page 178
Web Service Description Language (WSDL)……Page 179
Anatomy of a WSDL document……Page 180
Hooking up the Ajax……Page 181
Authentication……Page 182
Passing Credentials……Page 183
Confidentiality and Transport Layer Security……Page 184
XML digital signatures……Page 185
Don’t Forget It’s the Web……Page 186
Secure tokens and credentials……Page 187
For More Information……Page 188
Building Your Own APIs……Page 189
API Construction……Page 191
API Design……Page 193
Preconditions……Page 194
Building a Good API……Page 195
Authentication……Page 196
Content Validation and Authentication……Page 197
RESTful Web Services……Page 198
Who Is Using REST?……Page 199
How REST Web Services Work……Page 200
Communication choices……Page 201
Get word list……Page 202
Rate a word……Page 203
For More Information……Page 204
Mashups……Page 205
Web Applications and Open Internet APIs……Page 206
Wild Web 2.0……Page 207
Lack of Trust……Page 209
The Dark Side……Page 210
Lack of Security Standards……Page 213
Confidentiality……Page 214
Integrity……Page 215
Case Studies……Page 216
Authentication mechanisms……Page 217
The pulp……Page 218
Public911.com……Page 219
Authentication mechanisms……Page 220
Security concerns……Page 221
WeatherBonk.com……Page 222
Additional services……Page 223
HousingMaps.com……Page 224
Conclusion……Page 225
For More Information……Page 226
Index……Page 228
