Comments on: Making your web applications more secure: http://ajaxian.com/archives/making-your-web-applications-more-secure Cleaning up the web with Ajax Thu, 09 Feb 2012 06:55:33 +0000 hourly 1 http://wordpress.org/?v=3.2 By: AbuKhaled http://ajaxian.com/archives/making-your-web-applications-more-secure/comment-page-1#comment-247340 AbuKhaled Mon, 19 Feb 2007 07:00:30 +0000 http://ajaxian.com/?p=2078#comment-247340 Good article. I understand SQL Injection and I m currently develop my own application to test it using C#. I do not understand the remaining subjects. Regards, AboKhaled Good article. I understand SQL Injection and I m currently develop my own application to test it using C#.
I do not understand the remaining subjects.
Regards,
AboKhaled

]]> By: Georges http://ajaxian.com/archives/making-your-web-applications-more-secure/comment-page-1#comment-246840 Georges Fri, 02 Feb 2007 15:53:40 +0000 http://ajaxian.com/?p=2078#comment-246840 Tanks for that enlightmeng Nadav ;) I also read your article on your site. I certainly will implement this level of security in my next project. Tanks for that enlightmeng Nadav ;)

I also read your article on your site. I certainly will implement this level of security in my next project.

]]> By: Nadav Samet http://ajaxian.com/archives/making-your-web-applications-more-secure/comment-page-1#comment-246837 Nadav Samet Fri, 02 Feb 2007 14:56:23 +0000 http://ajaxian.com/?p=2078#comment-246837 Georges, one way to handle this is that the application will serve the request only if it gets a certain query argument. That value of this argument should be something that only your site can produce and validate, but it will be harder for another site to produce. For instance, it can be a SHA1 of the username and some secret word of your choice. So you can easily validate this on every sensitive request, but remote sites can't produce this value easily. Georges, one way to handle this is that the application will serve the request only if it gets a certain query argument. That value of this argument should be something that only your site can produce and validate, but it will be harder for another site to produce. For instance, it can be a SHA1 of the username and some secret word of your choice.

So you can easily validate this on every sensitive request, but remote sites can’t produce this value easily.

]]> By: Georges http://ajaxian.com/archives/making-your-web-applications-more-secure/comment-page-1#comment-246836 Georges Fri, 02 Feb 2007 13:37:29 +0000 http://ajaxian.com/?p=2078#comment-246836 @Nadav: Ok, so I missunderstood that sort of attack! But how to stop/detect such attacks? @Nadav: Ok, so I missunderstood that sort of attack! But how to stop/detect such attacks?

]]> By: kourge http://ajaxian.com/archives/making-your-web-applications-more-secure/comment-page-1#comment-246835 kourge Fri, 02 Feb 2007 10:57:51 +0000 http://ajaxian.com/?p=2078#comment-246835 Ajax.Request if a component of Prototype, not Scriptaculous. Ajax.Request if a component of Prototype, not Scriptaculous.

]]> By: ajaxianfading http://ajaxian.com/archives/making-your-web-applications-more-secure/comment-page-1#comment-246822 ajaxianfading Fri, 02 Feb 2007 10:28:18 +0000 http://ajaxian.com/?p=2078#comment-246822 Exactly! And - going by the first comment to this post - that's why we need reminders on good practice. Exactly! And – going by the first comment to this post – that’s why we need reminders on good practice.

]]> By: Nadav Samet http://ajaxian.com/archives/making-your-web-applications-more-secure/comment-page-1#comment-246810 Nadav Samet Fri, 02 Feb 2007 10:09:27 +0000 http://ajaxian.com/?p=2078#comment-246810 George, the client is not the criminal but the victim. He may browse the criminal's website while he is logged in to the bank in another browser window. George, the client is not the criminal but the victim. He may browse the criminal’s website while he is logged in to the bank in another browser window.

]]> By: Georges http://ajaxian.com/archives/making-your-web-applications-more-secure/comment-page-1#comment-246809 Georges Fri, 02 Feb 2007 08:42:36 +0000 http://ajaxian.com/?p=2078#comment-246809 So I do not understand how others are programming their projects using Ajax, but I think that there is a simple way to code secure Ajax apps. Well, just take Ajax-Request like common page requests (for instance browse from one page to antoher within the website). There are always some security methos involved when the request starts. Just like checking GET/POST Data, Session Variables and so on. Now when using these methods within the Ajax-Request, there should not be any trouble with the security of the website compared to to the normal old fashined way!!! In the example above, the scripts inside monthly_statements.js should just make sure that DATA is only sent to clients who have a valid and running session. If the client (in this case the criminal) would not be authenticated and so there should be no data for him!!! So I do not understand how others are programming their projects using Ajax, but I think that there is a simple way to code secure Ajax apps. Well, just take Ajax-Request like common page requests (for instance browse from one page to antoher within the website). There are always some security methos involved when the request starts. Just like checking GET/POST Data, Session Variables and so on.

Now when using these methods within the Ajax-Request, there should not be any trouble with the security of the website compared to to the normal old fashined way!!!

In the example above, the scripts inside monthly_statements.js should just make sure that DATA is only sent to clients who have a valid and running session. If the client (in this case the criminal) would not be authenticated and so there should be no data for him!!!

]]>