Apr 30th

More Security Measures for Ajax

Even with all the flaws we will find in an Ajax based website, there are security measures we can take to protect it.

Before we go through the different security measures, let us first note one of the biggest problems in Ajax based websites and applications: source code availability. Some call it an “Overly Granular Server API”, referring to an API built on the server that provides little to nothing in terms of security.

Almost every hack I have seen related to Ajax stems from this security flaw. In simple words, the biggest problem in Ajax is that the source code is available to every user, not just the developers.

Developers who follow this practice do it thinking the code will make browsing easier for regular users. Take an Ajax based shopping cart, for example. Instead of walking the shopper through several pages, each with its own security checks and parameters, developers place everything in a single page. That page speeds up the shopper’s checkout, so when it works, the developers have achieved what they coded it for.

However, they pay the price of exposing the website’s source code. If they hope that nobody will notice and use it with bad intentions, they are definitely wrong. The source code is essentially the key to every hack in an Ajax based website: the easier hackers get their hands on it, the faster they can attack the system. The source code of an online store is a sitting duck. Attackers could bypass the admin and change the security settings, and even the prices, so they could shop online without any problem – or payment.

To counter this problem, we propose two different security measures:

The first security measure is the way we build our website. Go back to the shopping cart, where the price is presented to the online shopper. Hackers can easily read the source code and change the parameters. Instead of presenting the whole transaction at once, it is better practice to divide the information across pages. With that practice you can set specific parameters for every page, so that each time a new page loads it can detect changes made in any other part of the system. Hackers would have to change everything in your website just to tamper with the price, and before they could do that, you would already have detected and prevented the attack.

If you are forced to place the entire transaction in a single page, you should opt for secure coding practices. Our usual practice is to place comments within the code so that other developers can understand the process even when you are not there to explain it. Doing that in code that ships to the browser is suicide when it comes to security. Instead of leaving comments in the deployed code, keep a separate copy of the code with the comments. Although it does not provide that much protection, a comment-less web program helps the website’s security.
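The shopping cart above, as an added example that is not part of the original post: the checkout handler on the server must never trust a price or total that arrives from the browser, because every parameter the Ajax page sends can be read and edited by the user. The catalog, SKUs and request body are constructed for the example.

```javascript
// Added example (not from the original post): why the server must never trust
// prices, totals or discounts that arrive from the browser. Everything the page
// sends with an Ajax request can be read and altered by the user, so the only
// trustworthy copy of a price is the one on the server.
// The catalog below is a constructed sample; a real store would use its database.
const CATALOG = {
  "sku-100": { name: "Headphones", priceCents: 4999 },
  "sku-200": { name: "USB cable",  priceCents: 799 },
};

// "Before": the checkout handler uses the total computed in the browser.
// A user who edits the XMLHttpRequest body sets their own price.
function checkoutTrustingClient(body) {
  const order = JSON.parse(body);
  return { ok: true, chargedCents: order.total };
}

// "After": the request carries only item ids and quantities; the server
// re-prices every line from the catalog and rejects anything it does not know.
function checkoutServerPriced(body) {
  let order;
  try { order = JSON.parse(body); } catch (e) { return { ok: false, error: "bad json" }; }
  if (!Array.isArray(order.items) || order.items.length === 0) {
    return { ok: false, error: "no items" };
  }
  let total = 0;
  for (const line of order.items) {
    const item = CATALOG[line.sku];
    if (!item) return { ok: false, error: "unknown sku " + line.sku };
    if (!Number.isInteger(line.qty) || line.qty < 1 || line.qty > 100) {
      return { ok: false, error: "bad quantity for " + line.sku };
    }
    total += item.priceCents * line.qty;
  }
  // A total sent by the client is informational only: compare it and flag
  // a mismatch, which is the signal to log and investigate.
  const tampered = order.total !== undefined && order.total !== total;
  return { ok: true, chargedCents: total, clientTotalMismatch: tampered };
}

// Constructed request: the shopper has edited the total down to one cent.
const TAMPERED = JSON.stringify({ items: [{ sku: "sku-100", qty: 2 }], total: 1 });
```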

Apr 30th

Ajax Advantages

Introduction

One of the major concerns of information technology (IT) today is making the Web and web applications as efficient as possible. This ensures a business’ competitive edge in an era where operating systems and applications are increasingly accessed and/or stored on the Internet. Web applications that can function on a variety of platforms or in a variety of contexts have been difficult to attain. Third-party technologies like Flash or Java “applets” have tried to bring more dynamism and user-friendly interactivity to web applications.
Other limitations of using web applications are the frustration and workflow interruptions that come from page-loading delays. However, the technologies encompassed in Ajax (Asynchronous JavaScript and XML) try to enable web applications so they can function quickly and efficiently in a variety of contexts without this lag time.
This article will describe the major technological components of Ajax. A brief outline of these will set the stage for understanding how they work together to enact Ajax methods that make web applications so much more competent and interoperable. Finally, this article will discuss some of the major advantages in the Ajax approach.

Background

Ajax is a form of web development. Jesse James Garrett coined the term in 2005. Ajax is not an object, but rather a practice: the working together of several pre-existing technologies. The following are the component technologies that comprise Ajax. XHTML (Extensible Hypertext Markup Language) and CSS (Cascading Style Sheets) style web pages and standardize formats for consistent information-sharing over the web. The DOM (Document Object Model) is accessed with a client-side scripting language, like JavaScript.
This allows for information to be presented dynamically and in a manner that allows interaction. XMLHttpRequest objects enable asynchronous data exchange with web servers. XML (Extensible Markup Language) provides the format for transmitting data between server and client. The most important detail for formatting data in Ajax is server-side scripting. Server-side scripting allows user requests to be processed by running the script directly on the server to make dynamic and interactive HTML (Hypertext Markup Language) web pages. It is used to format and present the interface between a web page and a database.
However, Ajax is not a new thing. The technologies that make it up have been around for a while and offer tested and trusted solutions.

Uses

Ajax’s primary contribution to web pages is user-experience improvement. Web pages usually require several applications to function. This can make it seem like a cumbersome operation where users have to wait for the separate applications to refresh before interacting with the complete page. Decreasing user delay, which is a direct result of Ajax techniques, could make the Internet even more popular and pervasive than it already is.
Another advantage of Ajax is a decrease in bandwidth use. Bandwidth in web hosting refers to the amount of data that can be communicated between user and server/website. In Ajax, bandwidth is used only to accomplish specific demands, without requiring that the page be re-loaded (which costs bandwidth every time a request is made). Contents are loaded on demand and HTML is produced locally in the browser. Ajax also allows programmers to separate methods and formatting for specific information delivery functions on the Web.
Programmers can use whatever languages or formats work for their specific goal. For example, raw data, usually obtained in XML from a server-side database, is separated from the format or structure of the webpage, which is usually structured in XHTML. This allows for dynamic handling of the DOM. CSS allows the separation of style elements on the page, like fonts and picture placement. Ajax also separates the functionality of web pages by combining different elements in different ways. For example, JavaScript in the client-side browser is combined with XMLHttpRequest to enable communication between client and server. Then any server-side program or scripting language allows the programmer to quickly respond to client requests in a language and format they are familiar with.

Points of Interest

However, one of the major advantages of Ajax and, indeed, a major trend in other forms of computer programming, is that it is based on open standards. Open standards are supported by a variety of browsers and platforms, giving programmers the accessibility and flexibility to use what they need across browsers.

Apr 29th

Preventing Cross Site Scripting Attacks

Cross Site Scripting, or XSS, is one of the most popular methods of attacking not only Ajax based websites but almost any website that accepts user input. Even before Ajax was conceptualized, this attack was already practiced by hackers. One hack in 2005 targeted MySpace.com. It used a simple JavaScript function that could be embedded in a user’s profile page. Once anyone viewed that page, their “My Hero” entry was changed to the name of the hacker. It was practically a pyramid hack, since anyone who viewed the profile became a host of the hack in turn. The author of the hack later posted the code, possibly in reparation for what he did. It is just a simple piece of JavaScript that could be embedded in any website. It does not just steal information; it practically takes over any function it wants to.

Here are some practices that will help prevent future attacks using XSS.

1. Filtering Input

One of the main reasons some websites experience this type of attack is that they do not screen anything that comes from outside sources. You may notice that YouTube and other blogging sites limit the functions to simple HTML tags such as bold, italic and a few simple formatting changes and animations. Some sites allow JavaScript functions to be part of a posting. Once this is admitted, everything can be taken over by the attacker. Although the attacker may need to create further functions to completely control the program, all they need is a simple function that can access and extract information about users. When you filter inputs, you practically will not allow anyone to post anything outside the allowed tags.

2. Disabling Functions

This security measure has its pros and cons. Its most obvious advantage is that it does not allow anything outside what you have specified. You can disable any functions related to JavaScript, Flash, Java or any other active content from doing anything in your program. Its disadvantage is that you cannot run any of those things yourself when you are preventing them from happening. If you are just running a simple forum, there is no problem with the site disabling other functions. However, when you are dealing with user generated videos, music or code, you will be crippling your own operation.

3. Convert Incoming Functions to HTML

If you cannot live with incoming functions as they are, here is a simple trick: convert all incoming tags and posts to HTML. Every JavaScript functionality has an HTML counterpart, so there is a great probability that each function will still work, not as an intrusive script but as a helpful function rendered in HTML. If the attack is not cloaked and comes in as a straightforward intrusion, it will not be able to function at all. Here are some websites that provide code for converting posted text to HTML:

1. http://hp.jpsband.org/
2. http://daringfireball.net/projects/markdown/
3. http://textism.com/tools/textile/

Among the three, the last one is a perfect solution for any JavaScript function. If the library is properly installed, it will work seamlessly without any concern about attacks.
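The “filter input” and “convert to HTML” practices above, as one added example that is not part of the original post and not the code of any library listed: every character that can start markup is escaped first, then a short allowlist of bare formatting tags is re-enabled. The tag list and sample posts are assumptions constructed for the example.

```javascript
// Added example (not from the original post): the "filter input" and
// "convert to HTML" ideas as one function. Every character that can start
// markup is escaped first, so nothing a user posts can become a tag, an
// attribute or a script. A short allowlist of bare formatting tags is then
// re-enabled, which is how a site can permit bold and italic without
// permitting <script>, event handlers or javascript: URLs.
const ALLOWED_TAGS = new Set(["b", "i", "em", "strong", "u"]);   // assumed list

// Step 1: neutralise everything. After this the string is inert HTML text.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Step 2: re-enable only bare allowlisted tags (no attributes, no spaces),
// so "<b onclick=...>" stays escaped while "<b>" becomes a real tag again.
// A stray closing tag is harmless: browsers ignore unmatched </b>.
function sanitizePost(text) {
  return escapeHtml(text).replace(/&lt;(\/?)([a-z]+)&gt;/gi, (whole, slash, tag) => {
    const name = tag.toLowerCase();
    return ALLOWED_TAGS.has(name) ? `<${slash}${name}>` : whole;
  });
}

// Constructed sample posts, the kind a forum or comment box would receive.
const SAMPLES = {
  harmless: "I <b>love</b> this <i>site</i>",
  script: "<script>alert(1)</script>",
  handler: "<b onmouseover=\"alert(1)\">hover me</b>",
  link: "<a href=\"javascript:alert(1)\">click</a>",
  literal: "type &lt;b&gt; to get bold",
};
```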

Apr 29th

Ajax Disadvantages

Introduction

Ajax is the acronym for Asynchronous JavaScript and XML. It incorporates a suite of technologies aimed at improving the user experience of web pages. It also allows programs written in different programming languages on different browsers to communicate with each other. Translation, communication and function between web applications happen remotely and, ideally, instantaneously. Another primary aim of Ajax is to reduce user delay when interacting with web pages. Ajax frameworks and technological components allow web applications to function on an as-needed basis without requiring the re-loading of the entire web page.
Therefore, updates and functions don’t require human interaction, nor does the user have to wait while requests are being processed. Ajax, ultimately, aims to produce Rich Internet Applications (RIAs). It allows web content to be re-loaded incrementally without replacing the whole page. This single page interface increases user interactivity.
When Ajax became consolidated as a technique in 2005, it did so around much media hype. This article will describe Ajax methodologies that created that hype and outline some Ajax disadvantages.

Background and Components

Jesse James Garrett defined Ajax in a 2005 article entitled “Ajax: A New Approach to Web Applications.” Its programming style incorporated a variety of open web standards. Open web standards are useful because they encourage application competitiveness and interoperability. This is good news for the user because it means that the most customized solution will be found for users’ needs.
Ajax functions through the collaboration of various technologies. A familiarity with the basic building blocks of Ajax will help in any discussion of its disadvantages. Ajax uses a combination of XHTML (Extensible Hypertext Markup Language), CSS (Cascading Style Sheets), JavaScript, and XML. XHTML provides a standardized markup language for web pages. It allows for designers to customize tags for the communication of data and the execution of requests between applications. In the case of Ajax, this occurs remotely through a web browser.
CSS enables web page styling and formatting. JavaScript is supported by both Microsoft and Netscape browsers, making it useful across many platforms and operating systems. It provides a standardized scripting language that is particularly useful for web programming because it is easier and faster to write. XML formats the data transferred between client and server, making it easily readable by both. These files are dynamically generated through server-side scripting.

Disadvantages

When Ajax emerged as a methodology, it did so around considerable media hype. Ajax was positioned to revolutionize web development in the same way the “dot.com” boom did in the early 90’s. However, Ajax is often seen as just the re-using of existing technologies that programmers were using anyway. Also, some of the interfaces, while providing the convenience of a single page, were confusing and difficult to navigate. Another glitch in Ajax occurs because of limitations in browser integration. Ajax creates dynamic web pages, tailored to user specifications.
However, because the data and format in these pages need to be so specific, the web page cannot connect with the browser’s history engine. This results in inconveniences and delays in searching. For example, because of this lack of browser integration, clicking “back” to return to a previous page or search might not be possible in a user’s browser. Dynamic web page updates, which are part and parcel of Ajax technology, also make bookmarking difficult. Because web pages are automatically updated, when a user returns to a page it might not contain the desired information. Another concern when using Ajax is response time lag.
There might be a lag, for example, when the web page interface loads, because of pre-loaded data and having to handle request objects properly. Visually, this could mean that different segments of the page interface are loaded at different times, creating confusion. When using Ajax, websites must also take care to link their information to a public URL because some search engines aren’t equipped for Ajax. This stems from another Ajax disadvantage. Ajax’s reliance on JavaScript, which isn’t used by some search engines, means that web sites constructed with Ajax will require testing on several browsers for compatibility. This is because JavaScript can be installed differently on different browsers. Its capacity for customization can also make it incompatible with other browsers.

Search for Solutions

However, in keeping with Ajax’s spirit of innovation, many solutions to these problems have been implemented. For example, using invisible IFRAMEs allows the retrieval of history data. URL fragment identifiers let users bookmark and return to a particular state of an application; they also support the back button. Microsoft’s Ajax Extensions include an Update Progress function that lets the user know a page is being updated, which reduces user confusion during lag time. Ajax products continue to reconfigure themselves and re-combine with newer technologies to improve web user experiences.
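The fragment-identifier technique above, as an added example that is not part of the original article: application state is written to the URL fragment so it can be bookmarked and restored on back/forward, and because anyone can put anything in a fragment, it is parsed against an allowlist of keys and values. The key names, value patterns and the `status` element are assumptions for the example.

```javascript
// Added example (not from the original article): keeping application state in
// the URL fragment so an Ajax page can be bookmarked and the back button works.
// The page writes the fragment on each state change and reads it back on load
// and on every hashchange. A fragment is user-controlled input (a link or a
// bookmark can contain anything), so it is parsed with an allowlist of keys,
// each value is validated, and nothing from it is ever inserted as HTML.
// Key names and value patterns are assumptions for the example.
const KNOWN_KEYS = {
  view: /^(list|detail|cart)$/,
  page: /^[0-9]{1,4}$/,
  sku:  /^sku-[0-9]{1,6}$/,
};

// Serialize the parts of state worth restoring into "#view=list&page=2".
function stateToFragment(state) {
  const parts = [];
  for (const key of Object.keys(KNOWN_KEYS)) {
    if (state[key] !== undefined) parts.push(key + "=" + encodeURIComponent(state[key]));
  }
  return "#" + parts.join("&");
}

// Parse a fragment back into state, keeping only keys in the allowlist whose
// values match their pattern. hasOwnProperty guards against keys such as
// "constructor" that would otherwise resolve through Object.prototype.
function fragmentToState(hash) {
  const state = {};
  const body = hash.startsWith("#") ? hash.slice(1) : hash;
  for (const pair of body.split("&")) {
    const idx = pair.indexOf("=");
    if (idx < 0) continue;
    const key = pair.slice(0, idx);
    let value;
    try { value = decodeURIComponent(pair.slice(idx + 1)); } catch (e) { continue; }
    if (Object.prototype.hasOwnProperty.call(KNOWN_KEYS, key) && KNOWN_KEYS[key].test(value)) {
      state[key] = value;
    }
  }
  return state;
}

// In a browser: restore on load and on back/forward. Rendering uses
// textContent, never innerHTML, because the values came from the URL.
if (typeof window !== "undefined") {
  const render = (state) => {
    document.getElementById("status").textContent = JSON.stringify(state);   // assumed element
  };
  window.addEventListener("hashchange", () => render(fragmentToState(window.location.hash)));
  render(fragmentToState(window.location.hash));
}
```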

Apr 28th

Preventing Improper Authorization in Ajax

In a simple HTML website, developers always have the luxury of keeping sensitive information to themselves. When you log in to the admin page of the website, the information you see is solely for those with proper authorization. Without a username and password, hackers have a really hard time figuring out how to access that information from what they can extract from the webpage.

On the other hand, an Ajax based website does not have the same luxury. When an Ajax based website performs a function, it is not just the server that sees the source code; everyone can see the information. With the source code, hackers can go further and go directly to the server, even to information that should only be accessible to the web administrator. Even without the admin username and password, hackers can bypass this authorization requirement and go directly to the information found on the server.

This usually happens when you translate an HTML website into an Ajax based one, or “Ajaxify” the webpage. Remember that an HTML based website is remarkably different from an Ajax based website: the administrative functions of the HTML site will not behave the same way in Ajax. As we have said, the source code and basically most of the functions in Ajax are available to the user, even though they have not the faintest idea what the user name and password are. So imagine the things they would be able to access: user statistics, personal information and of course credit card information, the hacker’s favorite.

If you are thinking what I am thinking, my initial reaction to this problem was to keep the information hidden by placing the functions and information in a non-shared folder. That seemed reasonable, since a non-shared folder cannot be accessed by anyone. But I was wrong, way wrong. The non-shared folder is placed on the server, which is exactly the place hackers are accessing. Do not think that keeping the folder in an obscure location will keep hackers from accessing sensitive information. You are just buying time and, more often than not, it will never protect any information at all.

So what can you do? Fortunately, there is something you can do to ensure that these functions cannot be accessed freely. Each function should require authorization before it can be accessed or modified. It is going to be a challenge, especially when you have so many functions to deal with. Remember that there are so many things to reconfigure that it is going to be really hard to build authorization one function at a time. But this is very important considering the vulnerability of your Ajax based website.

The solution to your problem is very simple but very tiresome. But that is the only price you have to pay if you want to create a secure website. Always remember that an HTML website does not have the same authorization capacity as an Ajax based website.
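The per-function authorization the post calls for, as an added example that is not part of the original post: a single dispatcher through which every server-side action an Ajax page can call is routed, with a deny-by-default table of which role may call which action, so that an obscure or unlinked function is refused just like a published one. The roles, actions, handlers and sessions are constructed for the example.

```javascript
// Added example (not from the original post): every server-side function an
// Ajax page can call gets its own authorization check, because the browser
// reveals the name and URL of every function whether or not the page ever
// shows a link to it. Hiding the endpoint is not a control; a deny-by-default
// table of which role may call which action is.
// Roles, actions, handlers and sessions below are constructed for the example.

// Required role per action. An action missing from this table is refused, so a
// new function added without a policy entry is closed rather than open.
const POLICY = {
  "cart.view": "customer",
  "cart.checkout": "customer",
  "admin.userStats": "admin",
  "admin.setPrice": "admin",
};
const ROLE_RANK = { anonymous: 0, customer: 1, admin: 2 };

const HANDLERS = {
  "cart.view": (s) => ({ items: s.cart }),
  "cart.checkout": (s) => ({ charged: s.cart.length }),
  "admin.userStats": () => ({ users: 42 }),                 // constructed figure
  "admin.setPrice": (s, args) => ({ sku: args.sku, priceCents: args.priceCents }),
};

// Constructed session store, keyed by the session cookie the browser sends.
const SESSIONS = {
  "sess-alice": { user: "alice", role: "customer", cart: ["sku-100"] },
  "sess-root":  { user: "root", role: "admin", cart: [] },
};

// The only way to reach a handler: resolve the caller's session, look up the
// role the action needs, and refuse before any handler code runs.
function dispatch(sessionId, action, args = {}) {
  const session = SESSIONS[sessionId] || { user: null, role: "anonymous", cart: [] };
  const needed = Object.prototype.hasOwnProperty.call(POLICY, action) ? POLICY[action] : undefined;
  if (needed === undefined || !Object.prototype.hasOwnProperty.call(HANDLERS, action)) {
    return { status: 404, error: "unknown action" };     // covers unpublished ones too
  }
  if (ROLE_RANK[session.role] < ROLE_RANK[needed]) {
    // Worth logging: a customer session calling admin.* is the event to watch for.
    return { status: 403, error: `role ${session.role} may not call ${action}` };
  }
  return { status: 200, result: HANDLERS[action](session, args) };
}
```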