Original link:
http://www.maxkiesler.com/index. ... urity_24_tutorials/

For the most part, AJAX does not significantly increase the security vulnerabilities of most web applications. However, JavaScript, XML and asynchronous server calls do have potential holes if they are not properly implemented. If you're an application developer or security professional, there are things to watch out for in AJAX applications. If you're new to AJAX there are many hazards, and tutorials and examples are among the worst culprits for introducing security vulnerabilities. Before you start downloading examples and making them live on your server, you should learn a bit about security first. Below you'll find a list of tutorials, examples, and articles that detail many of the security implications of using AJAX.
As always, special thanks for all of the hard work done by the developers and security professionals who have taken their time to make all of this great information publicly accessible. Also, if you know of other great resources or tutorials pertaining to AJAX, please use my comments section on this article to add to the overall list. Thanks!
Ajax and Information Security
Ajax is a relatively new technology for security engineers to attempt to protect. Since the adoption rate of Ajax is starting to grow, security personnel should start looking at the technology now to see how best to protect the company in regards to using the new technology. Of course, all the standard web application security structures should still be in place, but if the development or business teams want to use Ajax, it brings its own special issues along the way that security personnel need to know about.
AJAX and Secure Web Communications
Imagine, if you will, combining the Ajax model as articulated by Garrett with maturing XML security standards in order to meet ever increasing security and privacy needs. With encryption and signature services, and key management and/or client side authentication services embedded in the Ajax Engine layer, combined with identity management and access control on the server side, one can envision a powerful new class of secure web communications. And authentication could be handled through a PKI-based mechanism, Kerberos, or something else.
Ajax Security: Container Managed Security
Ajax - Asynchronous JavaScript and XML - clearly is in the focus of software development. Strongly associated with the new Web 2.0 term, Ajax today is everybody's darling. Inspired by the promise and the developer uptake of Ajax, I thought of doing a reality check on one of my favorite pets: container managed security, authentication in particular. There are a couple of issues that just don't work well with container managed security.
AJAX: Is your application secure?
Some web-enabled applications, such as for email, do have pretty destructive functionality that could possibly be abused. The question is: will the average AJAX-enabled web application be able to tell the difference between a real and a faked XmlHttpRequest?
Ajax Mistakes
Ajax is an awesome technology that is driving a new generation of web apps, from maps.google.com to colr.org to backpackit.com. But Ajax is also a dangerous technology for web developers: its power introduces a huge amount of UI problems as well as server side state problems and server load problems.
AJAX Security Basics
Ajax is considered the next step in a progression towards the trumpeted "Web 2.0." The purpose of this article is to introduce some of the security implications of modern Ajax web technologies. Though Ajax applications can be more difficult to test, security professionals already have most of the relevant approaches and tools needed.
AJAX Security
Web developers cannot have failed to notice the excitement surrounding AJAX, or Asynchronous JavaScript And XML. The ability to create intelligent web sites such as Google Suggest or compelling web-based applications such as Gmail is thanks in no small part to this technology. There is, however, a darker side - and accompanying the growth in AJAX applications we have noticed an equally significant growth in security flaws, with the potential to turn AJAX-enabled sites into a time bomb.
AJAX Security Threats and Performance Challenges
Forum Systems has issued an alert for AJAX-related security threats and performance issues. AJAX transforms a user's Web browser into a Web services portal, thus exposing it to potentially corrupted data that can cause the browser to crash or perform poorly; malformed messages can disrupt server performance due to excessive parsing and exception handling.
Cenzic Extends Support for AJAX Security Assessment Applications
Cenzic announced that its automated vulnerability assessment solutions now offer full support for testing Web applications built using AJAX (Asynchronous JavaScript and XML) software development technology. AJAX support in Cenzic Hailstorm and ClickToSecure enables customers to take advantage of this application development technique to develop smoother, more responsive and intuitive applications without the associated vulnerabilities which have left AJAX-based applications increasingly susceptible to security threats.
Cross-Domain Ajax. Security Implications in Depth
Some people think we should remove the "same-domain" restriction from Ajax calls, and Eric Pascarello and xml.com (amongst others) don't. I don't think we've got to the bottom of the debate yet.
Cross-site scripting
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which can be used by an attacker to compromise the same origin policy of client-side scripting languages.
Day-to-Day: Ajax Security
It's hard to talk about Ajax without talking about security. Or, more precisely, just about every customer who wants to talk seriously about using Ajax wants to talk about security.
Debunking Strong Misconceptions About Cross-Domain Ajax Security Issues
Quite a number of people have been discussing possible cross-domain Ajax security issues recently. These are smart people that generally know their technologies very well, but for some reason are missing some fundamental aspects about Ajax.
Eric Pascarello dissects Ajax security vulnerabilities
When people look at Ajax they see this XMLHttpRequest object performing magic on a Web page and they think that this can lead to major security flaws. When we do a simple view source on the page, we see the page we are calling and the parameters that are being sent. Anyone with any basic knowledge of JavaScript can easily inject scripts onto the page and change the request object to send other data. So yes, it is open to attack, but it is not anything to be afraid of.
Google, MSN, Flickr... struck by security hole
Tens of thousands of companies including AOL, Google, Microsoft and Yahoo are likely to be affected by the flaw in CPAINT - a toolkit used to create applications using an approach known as AJAX, short for Asynchronous JavaScript and XML. Rather than a technology in itself, AJAX is an approach to putting more dynamic interactivity into Web applications using a combination of HTML, CSS, Document Object Model, JavaScript, and XMLHttpRequest.
Informal Thoughts on AJAX and Security
I