January 2008 — News
T.H.E. Journal
GWT: Advanced AJAX Security
The key is understanding JavaScript variables. Essentially, everything is an object, including primitives and functions, Hoffman said. All global variables and functions are properties of a single global object, and in the browser that object is window, so any script running in the page can walk it. Hoffman's HOOK JavaScript Monitoring Framework (which a capable attacker could replicate) uses this to enumerate the application's functions and variables and to trap code that is loaded on demand. Because it reads names and values from the live environment rather than from the source text, obfuscation does not stop it.
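The enumerate-and-hook idea in working code, as an added example that is not HOOK itself or any code from Hoffman's talk. It assumes a constructed object standing in for the browser's window (with hypothetical globals apiKey, checkout and loadMore) so that it runs offline under Node; the helper names enumerateGlobals, hookFunction and hookAll are this example's own.

```javascript
// Added example (not Hoffman's HOOK code): walk the global object to find the
// functions an application hangs off it, then wrap each one so every call is
// logged. In a browser the root would be `window`; here a constructed object
// plays that role so the block runs under Node.

// Constructed stand-in for an AJAX application's globals (all hypothetical).
function makeFakeWindow() {
  const win = {};
  win.apiKey = 'demo-key-123';                          // hypothetical global variable
  win.checkout = function (cart, coupon) {              // hypothetical app function
    return { total: cart.length * 10, coupon: coupon };
  };
  win.loadMore = function () { return 'lazy-loaded'; }; // hypothetical on-demand loader
  return win;
}

// Separate the application's code (functions) from its state (variables) by
// reading the environment itself; obfuscated names are listed just the same.
function enumerateGlobals(root) {
  const functions = [];
  const variables = [];
  for (const name of Object.getOwnPropertyNames(root)) {
    if (typeof root[name] === 'function') functions.push(name);
    else variables.push(name);
  }
  return { functions, variables };
}

// Replace root[name] with a wrapper that records arguments and return values,
// then forwards to the original. Returns the original so the hook can be undone.
function hookFunction(root, name, log) {
  const original = root[name];
  if (typeof original !== 'function') throw new TypeError(name + ' is not a function');
  root[name] = function (...args) {
    const result = original.apply(this, args);
    log.push({ name, args, result });
    return result;
  };
  return original;
}

// Hook every function currently present on the global object.
function hookAll(root, log) {
  const { functions } = enumerateGlobals(root);
  for (const name of functions) hookFunction(root, name, log);
  return functions.length;
}

// Demonstration: hook the fake window, drive the app, and inspect the trace.
function demo() {
  const win = makeFakeWindow();
  const log = [];
  hookAll(win, log);
  win.checkout([1, 2, 3], 'SAVE10');
  win.loadMore();
  return { globals: enumerateGlobals(win), log };
}
```

Run demo() and the log shows each call with its arguments and return value, which is exactly what an attacker wants from a page whose source has been minified or obfuscated: the identifiers may be meaningless, but the values that flow through them are not.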
He also attacked what he calls the myth of the same origin policy: the belief that same-origin restrictions stop JavaScript from reaching third-party content. In fact, the policy only does so partially, he said. It blocks a page's script from reading a response fetched from another origin, but it does not stop the page from loading and executing script from any origin with a <SCRIPT SRC> tag, and that gap is what the attack he described next relies on.
Stop JSON Hijacking
He then turned to JSON hijacking, showing how an attacker uses remote scripting to read a JSON Web service: a <SCRIPT SRC> tag on a hostile page is pointed at the service, the victim's browser sends the victim's cookies along with the request, and the JSON that comes back executes as script inside the attacker's page, where it can be harvested. The defense rests on a difference between the two ways of fetching the data. XMLHttpRequest hands the raw response to the page's own code, which can inspect and transform it before eval()ing it, whereas a <SCRIPT SRC> include must execute the response exactly as received. So the server makes the JSON response invalid JavaScript, for example by prepending text that is a syntax error. The legitimate client, using XHR, strips that prefix and parses what remains; the attacker's <SCRIPT SRC> include fails to execute, and the hijack is foiled.
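The defense described above, as an added example that is not code from the talk or from the Ajax Security book. It assumes a prefix string GUARD_PREFIX, a hypothetical server function serveJson, a client function parseGuardedJson, a constructed contacts payload, and an X-Requested-With header check as a second layer (a cross-site <SCRIPT SRC> request cannot add custom headers, but an XMLHttpRequest can). Whether the hijacker could actually capture the values once the script ran depended on browser quirks of the time; the example only shows the precondition the prefix removes, namely that the response runs as script at all.

```javascript
// Added example (not Hoffman's code): two layers against cross-site
// <script src> harvesting of a JSON web service.
//  1. The server prefixes the body with text that is a JavaScript syntax
//     error, so a <script> include cannot execute it.
//  2. The legitimate client, which fetches via XMLHttpRequest and therefore
//     sees the raw body, strips the prefix before parsing.
// GUARD_PREFIX, serveJson and parseGuardedJson are this example's own names.

const GUARD_PREFIX = ")]}',\n"; // an unbalanced ')' is a SyntaxError as a script

// Server side: only answer requests that carry the XHR marker header (assumed
// convention: X-Requested-With), then wrap the JSON in the guard prefix.
function serveJson(data, requestHeaders) {
  const viaXhr = requestHeaders['x-requested-with'] === 'XMLHttpRequest';
  if (!viaXhr) return { status: 403, body: '' };
  return { status: 200, body: GUARD_PREFIX + JSON.stringify(data) };
}

// Client side (inside the XHR callback): verify and remove the prefix, then
// parse with JSON.parse rather than eval so no code in the body can run.
function parseGuardedJson(body) {
  if (!body.startsWith(GUARD_PREFIX)) throw new Error('missing JSON guard prefix');
  return JSON.parse(body.slice(GUARD_PREFIX.length));
}

// What an attacker's <script src="https://victim.example/api/contacts"> does
// with the body: compile it as JavaScript. With the prefix in place this is a
// SyntaxError, so nothing executes and nothing can be harvested.
function isExecutableAsScript(body) {
  try {
    new Function(body); // compile only; never run untrusted input
    return true;
  } catch (e) {
    return false;
  }
}

// Demonstration with a constructed payload.
function demo() {
  const contacts = [{ name: 'Alice', email: 'alice@example.test' }]; // constructed data
  const unguarded = JSON.stringify(contacts);
  const guarded = serveJson(contacts, { 'x-requested-with': 'XMLHttpRequest' });
  const refused = serveJson(contacts, {}); // a plain <script src> request has no such header
  return {
    unguardedRunsAsScript: isExecutableAsScript(unguarded), // true: the hijack precondition
    guardedRunsAsScript: isExecutableAsScript(guarded.body), // false: <script src> fails
    refusedStatus: refused.status,                           // 403 without the XHR header
    roundTrip: parseGuardedJson(guarded.body),               // the original contacts
  };
}
```

Note that a bare JSON array or object is a complete, valid JavaScript program, which is why an unguarded service is exposed at all; the prefix makes the body unparseable rather than merely hard to use, and the header check stops the server from handing sensitive data to a request that could not have come from the page's own XHR code in the first place.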
In general, Hoffman says that if you want to secure AJAX applications you must do six things:
- Perform authentication/authorization checks on both Web pages and Web services.
- Group code libraries by function.
- Validate all input for your application, including HTTP headers, cookies, query string and POST data.
- Verify data type, length and format.
- Always use parameterized queries.
- Always encode output appropriately.
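The validation and encoding steps from the list applied to one AJAX request, as an added example that is not from the talk or the book. The field schema (SCHEMA), validateInput, the two encoders and buildQuery are this example's own conventions; the parameterized query is shown only as the shape of the call, with a whitelist mapping for the ORDER BY column because column names cannot be bound as parameters.

```javascript
// Added example (not from the page): validate every field for type, length
// and format; reject unexpected fields; keep query values out of the SQL
// text; and encode output for the context it lands in.

// Constructed schema: one rule per field the service expects.
const SCHEMA = {
  userId: { type: 'number', pattern: /^\d{1,9}$/ },
  name:   { type: 'string', maxLength: 40, pattern: /^[\p{L} .'-]+$/u },
  sort:   { type: 'string', maxLength: 10, pattern: /^(name|date)$/ },
};

// Validate raw request data (query string, POST body, header or cookie
// values all arrive as strings). Returns typed values so later code never
// touches the raw input.
function validateInput(raw, schema = SCHEMA) {
  const errors = [];
  const clean = {};
  for (const key of Object.keys(raw)) {
    if (!(key in schema)) errors.push(`unexpected field: ${key}`);
  }
  for (const [key, rule] of Object.entries(schema)) {
    const value = raw[key];
    if (value === undefined || value === null) { errors.push(`missing: ${key}`); continue; }
    const text = String(value);
    if (rule.maxLength !== undefined && text.length > rule.maxLength) errors.push(`too long: ${key}`);
    if (!rule.pattern.test(text)) errors.push(`bad format: ${key}`);
    if (rule.type === 'number') {
      const n = Number(text);
      if (!Number.isSafeInteger(n)) errors.push(`not a number: ${key}`);
      clean[key] = n;
    } else {
      clean[key] = text;
    }
  }
  return { ok: errors.length === 0, errors, clean };
}

// Shape of a parameterized query: values travel separately from the SQL.
// ORDER BY cannot take a bound parameter, so the validated sort key is
// mapped through a fixed whitelist instead of being interpolated.
function buildQuery(clean) {
  const orderBy = clean.sort === 'date' ? 'created_at' : 'name';
  return { sql: 'SELECT id, name FROM users WHERE id = ? ORDER BY ' + orderBy, params: [clean.userId] };
}

// Output encoding depends on where the value lands: HTML body text and a
// JavaScript string literal need different escapes.
function encodeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}
function encodeJsString(s) {
  return String(s).replace(/[\\'"<>\u2028\u2029\r\n]/g,
    c => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Demonstration with constructed good and hostile inputs.
function demo() {
  const good = validateInput({ userId: '42', name: "O'Brien", sort: 'date' });
  const bad = validateInput({ userId: '1 OR 1=1', name: '<script>', sort: 'date', extra: 'x' });
  return {
    good,
    bad,
    query: buildQuery(good.clean),
    html: encodeHtml(good.clean.name),
    js: encodeJsString(good.clean.name),
  };
}
```

The hostile input fails on three independent checks (an unexpected field, a user id that is not a number, a name with markup characters), which is the point of validating type, length and format separately: each rule catches a different class of bad data, and the handler should refuse the request as a whole rather than repair it.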
He wound up by touting the new book he coauthored, Ajax Security. He certainly made a case for AJAX developers thinking long and hard about this topic.
Proposals for articles and tips for news stories, as well as questions and comments about this publication, should be submitted to David Nagel, executive editor, at dnagel@1105media.com.