Is AJAX really unsafe?

  Author: cleverpig 

  Disclaimer: Reproduced with Matrix's authorization. If you reproduce this article, keep the following author information and links intact. Author: cleverpig 
  Original: http://www.matrix.org.cn/resource/article/2007-02-07/a5f2d5c6-b677-11db-82df-078095a5dcde.html 
  Keywords: AJAX, security, XSS, CSRF, vulnerabilities 

  Foreword 

  Recently the web has been full of clamour about AJAX and its security risks. This hot new technology has been adopted in all kinds of web applications (Gmail and Google Maps, for instance), but behind its halo there supposedly lurks a dark ghost: AJAX is said to open a back door for malicious hackers. That is not entirely correct. More precisely, almost all veteran web application developers and security experts, once the cynical teasing is over, touch on the same truth: the majority of web sites are insecure, but AJAX is not the culprit. Although AJAX cannot make a web site secure, understanding what it actually does is very important. 

  AJAX (Asynchronous JavaScript + XML) is a cluster of web browser technologies that allow web page content to be updated quickly without refreshing the page. Behind the web page, AJAX moves data (usually formatted as XML, but HTML, JavaScript and other formats are also possible) back and forth between the web server and the client browser. For example, in Gmail new e-mail messages are received and displayed automatically; in Google Maps the user can drag the mouse to roam around the neighbourhood on the map. The mechanism that implements this asynchronous data transmission is built into every modern web browser as the XMLHttpRequest (XHR) library. XHR is the key ingredient that earns a web site the "AJAX" label; the other ingredient is some clever JavaScript. 

  If you are wondering what all this has to do with security, you are right to ask. AJAX gives sites smoother user interaction and makes them more responsive to the user, while nothing changes on the web server, which is where security should be focused. If that is true, what is the rest of us worried about? In the computer security community, AJAX is said to mean a larger attack surface, more complex forged requests, denial of service, cross-site scripting (XSS), and dependence on client-side security. In fact, all of these problems existed before AJAX appeared, and the recommended security development best practices have not changed since its arrival. If, like me, you want to know what really matters, let us look into it in depth. 

  Terminology 

  Cross-site scripting (XSS): XSS is a common computer security vulnerability in web applications that allows a malicious user to inject code into web pages that will be viewed by other users; the injected code can be HTML or client-side script. Attacks that exploit an XSS vulnerability bypass access controls such as the same-origin policy. Recently this type of vulnerability has been used to build more dangerous phishing attacks and to exploit web browser vulnerabilities. 

  Same Origin Policy: a computer security term, translated here as "homologous strategy." It is an important security measure for client-side scripting (especially JavaScript). It first appeared in Netscape Navigator 2.0, was amended in Navigator 2.01 and refined in Navigator 2.02. Its aim is to prevent a document or script loaded from one "origin" (source) from accessing a document or script from a different origin. Here "origin" means the combination of domain name, protocol and port. 

  Cross-site request forgery (CSRF): cross-site request forgery, also called a "one click attack" or session riding and better known as CSRF or XSRF, is a malicious exploitation of a web site. Although it sounds like cross-site scripting (XSS), it is very different from, and almost the opposite of, XSS. XSS exploits the trust a user has in a site, whereas CSRF exploits the trust a site has in its users by disguising a request as one coming from a trusted user. Compared with XSS, CSRF attacks are far less well known (and so resources on preventing them are quite scarce) and harder to guard against, which is why they are considered more dangerous than XSS. 

  AJAX creates a larger "attack surface"? No! 

  "Attack surface" is a concept for measuring security by analysing the points through which a system is exposed to attack. For software, these are the areas where a third party (a user) can operate on data: its inputs and outputs. Obviously, the smaller the attack surface, the safer the system is, relatively speaking. It is equally clear that for a web application, or any application, the size of the attack surface grows with the amount of functionality it offers. This has nothing to do with whether the user interface is built with AJAX, Flash, ASCII art, or anything else. AJAX is a browser technology; it is not implemented on the server. When AJAX-driven development exposes more functionality, it may introduce new "server" vulnerabilities, but you cannot blame AJAX for that: new code always means a higher total risk of vulnerabilities. 

  Furthermore, in my experience web applications that use AJAX do not have more functionality than traditional web applications. Google Maps is a seemingly simple application, more concise than craigslist. Gmail is likewise more lightweight than Outlook Web Access. Moreover, designing (or redesigning) a web application with AJAX usually means building it on a newer platform (.NET, J2EE, etc.), which brings more development opportunities. These platforms are more secure by birth and do not exhibit the vulnerabilities that are common on older platforms, such as SQL injection, credential/session prediction and directory traversal. 

  AJAX makes the "attack surface" harder to find? Yes, but not quite 

  No security programme is complete without testing. The most common way to measure a web site's security is a simulated attack consisting of tens of thousands of attack attempts, that is, a vulnerability assessment. A vulnerability assessment can be performed manually, with automated scanning tools, or both. The first step of the vulnerability assessment process is locating the web application's input points, its "attack surface," because a comprehensive assessment needs to find all of the vulnerabilities. 

  Automatically crawling the entire web site and mapping its links is standard vulnerability-assessment behaviour. This works well for some sites, is powerless on others, and on the rest falls somewhere in between. On newer sites that use a great deal of JavaScript, Flash, ActiveX, Applets and AJAX, the challenge for vulnerability assessment is that the site's links are generated, or assembled dynamically on the fly, by complex client-side code. Analysing these links is very difficult and sometimes almost impossible. As a result, automated scanning becomes a less reliable way to check the security of an AJAX site. 

  On the other hand, a human can relatively easily read the code in detail and infer the relationships between the pieces of code. Sometimes the JavaScript source of a web site records every output region, and even the details of its XML web services; of course, this is useful not only to the well-intentioned but also to the ill-intentioned. 

  A normal web site has no such resource, and the vulnerability assessment has to rely on crawling links. So here is the conclusion: AJAX does not undermine the security of a web site, but it does make the security assessment work more challenging. 
