Ajax Security Resources
Basic Information about Ajax
- "Ajax: A New Approach to Web Applications" (Jesse James Garrett, adaptive path, February 18, 2005).
- Ajax and XML: Five common Ajax patterns (Jack D. Herrington, developerWorks, March 2007): Explore easy-to-use, real-life Ajax design patterns.
- Mastering Ajax series (Brett McLaughlin, developerWorks, December 2005 - March 2007): In Parts 1 through 10, delve deep into Ajax, JSON, and other Web 2.0 data formats. It's a great starting point to explore Web 2.0 development.
Web Security Basics
- W3C Security Home
- The XMLHttpRequest Object (W3C Working Draft, 18 June 2007): A draft specification defining the XMLHttpRequest API that provides scripted client functionality for transferring data between a client and a server.
- Enabling Read Access for Web Resources (W3C Working Draft, 18 June 2007): A draft specification defining a mechanism to selectively provide cross-site access to a web resource, either by an HTTP header or an XML processing instruction.
- The Same Origin Policy: Read Jesse Ruderman's description of the same-origin policy.
- Open Web Application Security Project (OWASP): Find materials to learn more about security issues of Web applications.
- Web Application Security Consortium: Find useful tools and information about security issues of Web applications.
High-Level Articles on Ajax and Mashup Security
Generic Ajax Security Issues
- Top 10 Ajax Security Holes and Driving Factors (Shreeraj Shah, Help Net Security, November 2006): Learn the most common pitfalls Web 2.0 developers can encounter during their designs.
- Ajax Security Basics (Jaswinder S. Hayre and Jayasankar Kelath, SecurityFocus, June 2006): Read how Ajax enlarges the attack surface and complicates vulnerability assessment.
- Shaping the future of secure Ajax mashups (Brent Ashley, April 03, 2007): Describes how to improve the browser for hybrid Web applications.
Articles on Specific Security Topics
Cross-Site Request Forgery (CSRF)
- Cross-site Request Forgery: from Wikipedia.
- Cross-Site Request Forgery: from owasp.org.
- SESSION RIDING - A Widespread Vulnerability in Today's Web Applications, by Thomas Schreiber, SecureNet GmbH, Dec 2004.
- Cross Site Reference Forgery - An introduction to a common web application weakness, by Jesse Burns, Information Security Partners, LLC, Version 1.1, 2005.
- Digger's Blog, How to defeat digg.com ... an introduction to session riding, Tuesday, June 06, 2006.
- GNUCITIZEN, "Persistent CSRF and the Hotlink Hell", April 16, 2007.
- Operation n, a hacker's diary, "Hotlinks and Persistent CSRF - leech the leech", April 16 2007.
Information about JSON and Related Threats
- JSON.org: Find an introduction to JSON and links to the JSON implementations in different programming languages.
- robubu - the technical weblog of Rob Yates: Read about basic security issues of JSON.
- Remote JSON - JSONP (Bob Ippolito, December 2005): In this blog post, examine a method to fetch cross-domain data by using the dynamic script tag and JSON.
- Joe Walker's blog: Read about Array constructor overriding and setter overriding as JSON data-theft techniques.
- Ha.ckers.org: Cross Site Scripting Cheat Sheet
- JS.Yamanner@m: Visit the Symantec Web site for the technical details of the Yamanner worm.
- Technical explanation of The MySpace Worm: Get the technical details of the MySpace worm.
- XSSed - XSS (cross-site scripting) information and vulnerable websites archive: Web site with articles on XSS attacks, including technical explanations of attacks that have happened to well-known Web sites.
Attacks on HttpOnly Cookies
- Cross-Site Tracing (XST) Whitepaper (Jeremiah Grossman, 1/20/2003)
- Description of XST variants (Amit Klein, January 2003)
- Blog post at ha.ckers.org describing an attack on HttpOnly cookies via XMLHttpRequest.
Ajax and Mashup Security Recommended Best Practices
(no content yet)
Ajax and Mashup Security Tools
Vulnerability Checking Tools
- Fortify Software: static source-code analyzer, available at http://www.fortifysoftware.com/
- Klocwork: http://www.klocwork.com
- Microsoft: "Anti-Cross Site Scripting Library", available at http://download.microsoft.com; Microsoft internal web security tools, available from Microsoft SWIAT team.
- Microsoft: SPI Dynamics "DevInspect" and "SecureObjects" for Microsoft "Visual Studio 2005", available at http://www.spidynamics.com.
- Nikto (CIRT.net): Web server scanner that performs hundreds of checks, available at http://www.cirt.net/code/nikto.shtml
- Ounce: automated source code vulnerability analysis, available at http://www.ouncelabs.com
- Secure Software: CodeAssure, static source-code analyzer, available at http://securesoftware.com
- Watchfire: AppScan Suite for Web Application Security Testing, available at http://www.watchfire.com/products/appscan/default.aspx.