Apr 29th

Preventing Cross-Site Scripting Attacks

Cross-Site Scripting, or XSS, is one of the most common attacks not only against Ajax-based websites but against almost any site that accepts user input. It predates Ajax: in 2005 a worm hit MySpace.com using nothing more than a short piece of JavaScript embedded in a user's profile page. Anyone who viewed the infected profile had the hacker's name inserted into their own "My Hero" entry and had the same script copied into their own profile, so every viewer became a new host; that is why it spread like a pyramid scheme. The author later published the code himself, possibly as a form of reparation. The script stole no data, but the lesson is that a few lines of injected JavaScript run with the full privileges of the logged-in viewer and can take over whatever function of the site they want to.

Here are some practices that help prevent XSS attacks.

1. Filtering Input

One of the main reasons some websites suffer this type of attack is that they do not screen anything that comes from outside sources. You may notice that YouTube and most blogging sites limit comments to a few simple HTML tags such as bold and italic. Some sites allow JavaScript to be part of a posting; once that is admitted, everything can be taken over by an attacker. The attacker does not even need anything elaborate: a few simple functions are enough to read and extract information from other users, such as their cookies, their session and whatever is on the page. Filtering means parsing the submitted HTML and keeping only known-safe tags and attributes (an allowlist); a blocklist of known-bad strings is not enough, because there are too many ways to write the same script (mixed case, encoded characters, event-handler attributes, javascript: URLs). When you filter inputs this way, nobody can post anything outside the allowed tags.
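To make the allowlist idea concrete, here is an added example (not code from MySpace, YouTube or any library mentioned on this page) of a server-side filter written in Python: it parses the submitted fragment with the standard library's HTMLParser, keeps only the tags and attributes in ALLOWED, limits href to http, https and relative URLs, drops <script> and <style> together with their contents, and re-encodes all text on the way out. The tag and attribute allowlist, the sample inputs and the helper names are this example's own choices.

```python
"""Allowlist HTML filter for user-submitted markup.

Added example for this article, not code from any site or library it mentions.
Tags not in ALLOWED are dropped (their text is kept), attributes not in the
tag's allowlist are dropped, and href values are limited to http(s) and
relative URLs. Run it as a script to see the constructed sample inputs below.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowed tags and, for each, the attributes a poster may set (our choice).
ALLOWED = {
    "b": set(), "i": set(), "em": set(), "strong": set(),
    "p": set(), "br": set(), "a": {"href"},
}
SAFE_SCHEMES = {"http", "https", ""}   # "" means a relative URL such as /faq
VOID_TAGS = {"br"}
DROP_CONTENT = {"script", "style"}     # drop the tag AND everything inside it


def safe_href(value):
    """Return the href value if its scheme is allowed, else None."""
    # Browsers ignore tabs/newlines inside a scheme ("java\tscript:"), so
    # strip control characters before looking at it.
    cleaned = "".join(ch for ch in value if ord(ch) > 31).strip()
    scheme = urlparse(cleaned).scheme.lower()
    return cleaned if scheme in SAFE_SCHEMES else None


class Sanitizer(HTMLParser):
    """Re-serializes the parse events, keeping only allowlisted markup."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # allowed tags currently open
        self.skipping = 0     # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skipping += 1
            return
        if self.skipping or tag not in ALLOWED:
            return                                  # unknown tag: dropped
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue                            # onclick=, style=, ... dropped
            if name == "href":
                value = safe_href(value)            # parser already decoded entities
                if value is None:
                    continue                        # javascript:, data:, vbscript: ...
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skipping = max(0, self.skipping - 1)
        elif tag in self.open_tags:
            # Close anything opened after it too, so the output stays well-formed.
            while self.open_tags:
                top = self.open_tags.pop()
                self.out.append("</%s>" % top)
                if top == tag:
                    break

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data, quote=False))   # text is always re-encoded

    def result(self):
        while self.open_tags:
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize(fragment):
    """Filter one user-submitted HTML fragment down to allowlisted markup."""
    parser = Sanitizer()
    parser.feed(fragment)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    # Constructed sample inputs, each a classic injection attempt.
    for sample in (
        '<b onmouseover="alert(1)">hello</b>',
        '<a href="javascript:alert(1)">click</a>',
        '<a href="&#106;avascript:alert(1)">click</a>',
        '<img src=x onerror=alert(1)>',
        '<script>steal(document.cookie)</script>plain text',
        '<a href="https://example.com/?a=1&b=2">ok</a>',
    ):
        print(repr(sample), "->", repr(sanitize(sample)))
```

Parsing is what makes this hold up: the parser, not a regular expression, decides where tags and attributes begin and end, and entity-encoded attribute values (the &#106;avascript: case) are decoded before the scheme check rather than after it. Keep the allowlist short; every tag or attribute you add is a new surface to review.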

2. Disabling Functions

This security measure has its pros and cons. Its most obvious advantage is that it allows nothing outside what you have specified: you can stop JavaScript, Flash, Java or any other active content from running in your pages at all. Its disadvantage is that you cannot run that content yourself either. If you are just running a simple forum, disabling active content costs you nothing. But if your site is built on user-generated video, music or code, you will be crippling your own operation.

3. Convert Incoming Text to HTML

If you cannot live with filtering raw HTML, here is a simpler approach: treat everything a user submits as plain text, encode it for HTML (so that <, >, & and quotes are displayed literally rather than parsed as markup), and offer a lightweight text markup for formatting instead. The markup is converted on the server into a fixed set of HTML tags, so users still get bold, italics and links, but a script that arrives in the input is rendered as visible text and never executes. Here are some projects that provide code for this kind of conversion:

1. http://hp.jpsband.org/
2. http://daringfireball.net/projects/markdown/
3. http://textism.com/tools/textile/

Of these, Markdown and Textile are plain-text-to-HTML converters. None of them is a complete solution by itself, and no library makes a site immune to attack just by being installed: in particular, Markdown passes raw HTML in the input straight through unless that feature is turned off, so the text-to-HTML step has to be combined with escaping or filtering of any HTML the user typed.
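As an added example of the escape-then-markup approach (this is not the code of Markdown, Textile or the other projects linked above, and its [text](url), *bold* and _italic_ syntax is a made-up subset chosen for illustration), the following Python renders user text with html.escape first and then substitutes a fixed set of tags for the markup patterns, so a script in the input ends up as visible text:

```python
"""Escape-then-markup: user input is treated as plain text and a tiny
plain-text markup is rendered on top of the escaped text.

Added example for this article; it is not the code of Markdown, Textile or any
other converter, and its [text](url), *bold* and _italic_ syntax is a made-up
subset used only to show the approach.
"""
import re
from html import escape

# Rules run on the ESCAPED text, so the tags on the right-hand side are the only
# tags that can ever appear in the output. Links first, so the * and _ rules
# never fire inside a URL.
RULES = [
    # [link text](http://... or https://...)  -- the scheme is fixed by the pattern
    (re.compile(r"\[([^\]]+)\]\((https?://[^\s)]+)\)"), r'<a href="\2">\1</a>'),
    (re.compile(r"(?<!\w)\*(.+?)\*(?!\w)"), r"<strong>\1</strong>"),   # *bold*
    (re.compile(r"(?<!\w)_(.+?)_(?!\w)"), r"<em>\1</em>"),             # _italic_
]


def render(text):
    """Convert untrusted plain text to a fixed set of HTML tags."""
    # Step 1: neutralise every character HTML cares about, including quotes,
    # so nothing the user typed can open a tag or break out of an attribute.
    html = escape(text, quote=True)
    # Step 2: introduce our own tags, and only ours, from the markup patterns.
    for pattern, repl in RULES:
        html = pattern.sub(repl, html)
    # Step 3: blank lines separate paragraphs, single newlines become <br>.
    paragraphs = [p.strip() for p in re.split(r"\n\s*\n", html) if p.strip()]
    return "".join("<p>" + p.replace("\n", "<br>") + "</p>" for p in paragraphs)


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in (
        "<script>alert('x')</script>",
        "*bold* and _it_, see [docs](https://example.com/?a=1&b=2)",
        "[x](javascript:alert(1))",
        '[x](https://e.com/" onclick="alert(1))',
    ):
        print(repr(sample), "->", render(sample))
```

The order matters: the escaping runs first over the whole input, and the regular expressions run afterwards on text that can no longer contain a raw < or a quote, so the only tags in the output are the ones on the right-hand side of RULES, and the link pattern pins the URL scheme to http or https. If you use a real Markdown or Textile library instead, check whether it passes raw HTML through, and either disable that or run its output through an HTML filter.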

Apr 29th

What Works & What Doesn’t in Viral Marketing

Stop with the enforced e-mail forwards already! Trying to force or bribe people to forward your info to friends or family in order to be rewarded or win looks skanky in today's ultra-permission-based world, especially when you tell visitors nothing about their friends' or family's privacy in the space directly next to the e-mail form.

A true viral campaign gets forwarded because consumers are compelled to do so by the glory of the content, not because you bribed them with points or something else.

What absolutely will not work:

Suggesting that e-mail recipients forward your message to their friends and family will not work. Adding a line at the bottom of your e-mail that reads “Please feel free to forward this message to a friend” is more likely to get it deleted than forwarded.

What absolutely will work:

Offering something worth sharing, like a valuable discount or vital information, or offering an incentive for sharing, like additional entries into a sweepstakes, an added discount or a premium service, will work.

Relevant or timely information, research, or studies that are included in your e-mail might encourage the recipients to share with their family and friends. Interactive content like a quiz or test, especially if it’s fun, will inspire forwarding.

Jokes and cartoons are almost always forwarded to everybody the recipient knows. Why? Because they are entertaining, and entertainment is meant to be shared.

A really cool multimedia experience is always going to achieve a lot of pass-along. Rich media is new and the novelty and tech factors alone are often enough to make the e-mail recipient eager to share it.

Oops! Almost forgot one really important thing. You can craft a brilliant e-mail following all the rules, but if a consumer visits your site and has an experience less than what was promised, you are going to achieve viral marketing, alright: the bad kind. So be certain that your product or service is ready and is as advertised.

Apr 29th

Domain Name Help and Glossary

A Record:
An ‘A record’ is part of the zone file. It maps a host name to an IPv4 address, which is where Internet traffic for that name is sent. For example, you can use an ‘A record’ to designate abc.yourdomain.com to send traffic to your website at IP address 209.15.32.135, and another ‘A record’ to send xyz.yourdomain.com to a separate IP address.

DNS:
The Domain Name System (DNS) helps users to find their way around the Internet. Every computer on the Internet has a unique address – just like a telephone number – which is a rather complicated string of numbers. It is called its ‘IP address’ (IP stands for ‘Internet Protocol’). IP Addresses are hard to remember. The DNS makes using the Internet easier by allowing a familiar string of letters (the ‘domain name’) to be used instead of the arcane IP address. So instead of typing 207.151.159.3, you can type www.internic.net. It is a ‘mnemonic’ device that makes addresses easier to remember.

Domain Name:
A domain name, such as MixedSoup.com, signifies your own address on the Internet. As no two parties may ever hold identical domain names, it is truly a unique identifier of you or your company. It is how your customers will remember you and find you among the millions of other websites on the Internet.

Domain Name Registration:
To own your preferred domain name, you need to register it on the Internet. This paid service is offered by several websites, who register your domain name, provided it is not taken-up yet by anyone else. When you register a domain name, you are inserting an entry into a directory of all the domain names and their corresponding computers on the Internet.

Domain Name Servers:
A server that answers DNS queries. An authoritative name server holds the zone files for the domains it is responsible for and answers with the records in them; a recursive resolver looks names up on behalf of client machines, querying the authoritative servers and caching the answers.

Domain Name Transfer:
At times a domain is sold to another organization, or the name of a company changes. The registrar needs proof that the current owner authorizes the change before control is handed to the new owner, and the exact procedure for a transfer of ownership depends on the registrar and on the registry for that top-level domain.

Domain Lock:
This facility helps keep your domain safe from disgruntled ex-employees and hijackers. Once you activate Domain Lock, no changes to your domain are permitted: you must unlock the domain yourself before it can change hosting, contacts or registrant, or be transferred out to another registrar.

The Domain Lock section is password-protected, so only the authorized user can reach it, and the username and password to the account are not enough on their own: it asks additional questions such as “what’s your mother’s maiden name?” or “your pet’s name is…”, facts that in principle only you know. Bear in mind that such answers are often guessable or discoverable, so they are a weak second factor; the account password itself still needs to be strong and unique.

Email Auto-responder:
An auto-responder is a mailbox which automatically sends a pre-formatted response message to senders. For example, if you have an info@domain.com mailbox that receives information queries from your customers, you can configure the mailbox to immediately send a pre-formatted information message to the sender of each incoming mail. For instance, “Thanks for writing in. We shall reply to you within 2 business days”.

Email Alias:
An email alias is one or more additional names that direct mail to an email address. For example, if your email address is sales@domain.com, then you may choose to create aliases like salesenquiry@domain.com and prospects@domain.com, which can be programmed to deliver all mail to a single email address – sales@domain.com.

Email Forwarding:
Having email automatically sent (forwarded) from one or more email addresses to another email address (or addresses) that you specify. If a host offers ‘unlimited email forwarding’ (a catch-all), then mail to any address of the form anything@domain.com is sent to the forwarding address: for example, support@domain.com, partner@domain.com and sales@domain.com would all be delivered to the account you specified (some hosts let you send each to a different account).

FQDN (Fully Qualified Domain Name):
Consists of a host and domain name, including the top-level domain. For example, www.MixedSoup.com is a FQDN – www is the host, MixedSoup is the second-level domain, and .com is the top level domain.

ICANN:
Internet Corporation for Assigned Names and Numbers (ICANN) is a non-profit corporation that is assuming responsibility from the U.S. Government for coordinating certain Internet technical functions, including the management of Internet domain name system. More information about ICANN can be found at http://www.icann.org.

MX Record:
MX (Mail Exchange) record is part of the zone file and designates which mail server machine(s) should process email for a specific domain. Each MX record carries a preference number; sending mail servers try the lowest-numbered host first and fall back to the others.

Registrant:
The individual or organization that registers a specific domain name with a registrar. This individual or organization holds the right to use that specific domain name for a specified period of time, provided certain conditions are met and the registration fees are paid. This person or organization is the ‘legal entity’ bound by the terms of the Domain Name Registration Agreement with the registrar.

Registry:
An Internet domain name registry is an entity that receives Domain Name System (DNS) information from domain name registrars, inserts that information into a centralized database and propagates the information in Internet zone files on the Internet so that domain names can be found by users around the world via applications such as the world wide web and email.

Registry Registrar Protocol (RRP):
A protocol for the registration and management of second level domain names and associated name servers in both Top Level Domains (TLDs) and country code Top Level Domains (ccTLDs). This protocol was developed by the VeriSign registry for use within the Shared Registration System. RRP is a TCP-based, 7-bit US-ASCII text protocol that permits multiple registrars to provide second level Internet domain name registration services in the top level domains (TLDs) administered by a TLD registry.

Second Level Domain Name:
It is that portion of the domain name that appears immediately to the left of the top-level domain. For example, the ‘MixedSoup‘ in ‘MixedSoup.com‘. Second level domain names are used to represent businesses and other commercial concerns on the Internet.

URL (Uniform Resource Locator):
The web address, or location, of a website, file, or resource on the Internet (e.g. http://www.MixedSoup.com/ is a URL).

Zone File:
Files residing on a nameserver that describe a domain name: its subdomains, their IP address(es), and the mail servers for the domain. Parts of the zone file include the ‘A record’, CNAME and MX records.
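To show how the records defined in this glossary fit together in a zone file, here is an added Python example (not code from any DNS server or registrar): it parses a small constructed zone for example.com. using the 192.0.2.0/24 documentation range, expands relative names against $ORIGIN, follows a CNAME to its A record and orders MX hosts by preference. The zone contents, the function names and the eight-hop CNAME limit are this example's own assumptions.

```python
"""Parse the zone-file record types this glossary defines (A, CNAME, MX) and
answer the questions a resolver would ask of them.

Added example for this page, not code from any DNS server. SAMPLE_ZONE is
constructed data for example.com. using the 192.0.2.0/24 documentation range.
"""

SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@      IN  SOA   ns1.example.com. hostmaster.example.com. ( 2024010101 7200 900 1209600 3600 )
@      IN  NS    ns1.example.com.
@      IN  A     192.0.2.10            ; the bare domain
www    IN  A     192.0.2.10            ; www host, same address
abc    IN  A     192.0.2.20            ; abc.example.com on a second address
xyz    IN  CNAME www                   ; alias with a relative target
@      IN  MX    20 backup.example.org.
@      IN  MX    10 mail               ; lower preference value is tried first
mail   IN  A     192.0.2.30
ns1    IN  A     192.0.2.1
"""

CLASSES = {"IN", "CH", "HS"}


def qualify(name, origin):
    """Expand a zone-file name to an FQDN: '@' is the origin, a trailing dot
    marks a name that is already absolute, anything else is relative."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    if not origin:
        raise ValueError("relative name %r before any $ORIGIN" % name)
    return "%s.%s" % (name, origin)


def parse_zone(text, origin=""):
    """Return a list of (owner FQDN, record type, rdata tokens) tuples."""
    records = []
    last_owner = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()        # ';' starts a comment
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$TTL"):
            continue
        tokens = line.replace("(", " ").replace(")", " ").split()
        if raw[0].isspace():
            owner = last_owner                       # blank owner = previous owner
        else:
            owner = tokens.pop(0)
        last_owner = owner
        if tokens and tokens[0].isdigit():           # optional per-record TTL
            tokens.pop(0)
        if tokens and tokens[0].upper() in CLASSES:  # optional class
            tokens.pop(0)
        rtype = tokens.pop(0).upper()
        rdata = tokens
        # Names inside rdata are relative to $ORIGIN too.
        if rtype in ("CNAME", "NS"):
            rdata[0] = qualify(rdata[0], origin)
        elif rtype == "MX":
            rdata[1] = qualify(rdata[1], origin)
        records.append((qualify(owner, origin), rtype, rdata))
    return records


def resolve_a(records, name, depth=0):
    """Follow CNAME aliases, then return the A addresses for an FQDN."""
    if depth > 8:                                    # our own loop guard
        raise ValueError("CNAME chain too long at %s" % name)
    targets = [rdata[0] for owner, rtype, rdata in records
               if owner == name and rtype == "CNAME"]
    if targets:
        return resolve_a(records, targets[0], depth + 1)
    return [rdata[0] for owner, rtype, rdata in records
            if owner == name and rtype == "A"]


def mail_exchangers(records, domain):
    """MX hosts for a domain in the order a sending mail server tries them."""
    mx = [(int(rdata[0]), rdata[1]) for owner, rtype, rdata in records
          if owner == domain and rtype == "MX"]
    return [host for _pref, host in sorted(mx)]


if __name__ == "__main__":
    zone = parse_zone(SAMPLE_ZONE)
    print("xyz ->", resolve_a(zone, "xyz.example.com."))
    print("abc ->", resolve_a(zone, "abc.example.com."))
    print("MX  ->", mail_exchangers(zone, "example.com."))
```

The trailing dot is the detail people trip over: `www` inside the zone is relative and becomes www.example.com., while `backup.example.org.` with its dot is left alone, so a missing dot silently turns an external mail host into backup.example.org.example.com.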

Apr 29th

What Is Search Engine Optimization

Search Engine Optimization is the process of choosing the keyword phrases most relevant to your site and adjusting the site so that it ranks highly for them, so that when someone searches for those phrases your site appears near the top of the results. It involves fine-tuning the content of your site along with its HTML and meta tags, and an appropriate link-building process. The most popular search engines are Google, Yahoo, MSN Search, AOL and Ask Jeeves. Search engines keep their ranking algorithms secret, both to get credit for finding the most valuable results and to deter spam pages from clogging them. A search engine may use hundreds of factors in ranking, and both the factors and the weight each carries may change continually. Algorithms differ so widely that a page ranking #1 in one search engine could rank #200 in another. New sites need not be “submitted” to search engines to be listed: a single link from a well-established site will get the search engines to visit the new site and begin spidering its contents, though it can take from a few days to several weeks after such a link appears for all the main search engine spiders to start visiting and indexing the site.

If you are unable to research and choose keywords and work on your own search engine ranking, you may want to hire someone to work with you on these issues.

Search engine marketing and promotion companies will look at the plan for your site and make recommendations to increase your search engine ranking and website traffic. If you wish, they will also provide ongoing consultation and reporting to monitor your website and recommend edits and improvements that keep your traffic and ranking high. Normally search engine optimization experts work with your web designer from the start to build an integrated plan, so that all aspects of the design are considered at the same time.

Apr 29th

Ajax Disadvantages

Introduction

Ajax is the acronym for Asynchronous JavaScript and XML. It is not a single technology but a combination of existing ones aimed at improving the user experience of web pages. Script running in the browser exchanges data with the server in the background, so a page can update parts of itself on an as-needed basis without reloading the whole page, and the user does not have to wait while each request is processed.
Ajax ultimately aims to produce Rich Internet Applications (RIAs): single-page interfaces whose content is loaded and refreshed incrementally rather than by replacing the page, which increases interactivity.
When Ajax became established as a technique in 2005, it did so amid much media hype. This article describes the Ajax methodologies behind that hype and outlines some Ajax disadvantages.

Background and Components

Jesse James Garrett coined the term in a 2005 article entitled “Ajax: A New Approach to Web Applications.” The programming style it described incorporated a variety of open web standards. Open web standards are useful because they encourage competition and interoperability among applications, which is good news for the user because it makes it more likely that a solution suited to the user's needs will be found.
Ajax functions through the collaboration of several technologies, and a familiarity with its basic building blocks will help in any discussion of its disadvantages. Ajax combines XHTML (Extensible Hypertext Markup Language), CSS (Cascading Style Sheets), JavaScript and XML. XHTML provides a standardized markup language for the structure of the page, which the script then updates in place in the browser.
CSS enables styling and formatting of the page. JavaScript, supported by both the Microsoft and Netscape browsers and therefore available across many platforms and operating systems, provides the scripting: it sends requests to the server in the background (through the browser's XMLHttpRequest object) and rewrites parts of the page with the response, and it is easier and faster to write than compiled code. XML formats the data transferred between client and server so that both sides can read it; these documents are usually generated dynamically by server-side scripts.

Disadvantages

When Ajax emerged as a methodology, it did so around considerable media hype: it was positioned to revolutionize web development in the way the dot-com boom had in the late 1990s. However, Ajax is often seen as merely the re-use of existing technologies that programmers were using anyway. Some Ajax interfaces, while providing the convenience of a single page, were confusing and difficult to navigate. Another problem comes from limitations in browser integration. Ajax creates dynamic pages tailored to the user's actions, but because the page is updated in place rather than by loading a new URL, the browser's history does not record those updates.
This results in inconveniences: clicking “back” to return to a previous state or search may not do what the user expects, and bookmarking is difficult because the bookmarked URL does not capture the state the page was in, so when a user returns to it the page might not contain the desired information. Another concern is response time lag.
There might be a lag, for example, while the interface loads pre-loaded data and handles its request objects; visually, this can mean that different segments of the page are loaded at different times, creating confusion. Websites using Ajax must also take care to link their information to a public URL, because search engine crawlers of the time did not execute JavaScript and so could not see content that only Ajax loads. Ajax's reliance on JavaScript also means that sites built with it require testing on several browsers for compatibility, because JavaScript and the browser objects it relies on are implemented differently in different browsers, and heavily customized scripts can be incompatible with some of them.

Search for Solutions

However, in keeping with Ajax's spirit of innovation, many solutions to these problems have been implemented. For example, hidden IFRAMEs allow history entries to be recorded and retrieved, and URL fragment identifiers (the part of the URL after “#”, which the browser can change without reloading the page) let users bookmark and return to a particular state of an application and also restore back-button behaviour. Microsoft's Ajax Extensions include an UpdateProgress control that tells the user a page is being updated, which reduces confusion during lag time. Ajax products continue to reconfigure themselves and combine with newer technologies to improve the web user experience.