Ajax Security Is a Remarkably Rigorous and Thorough Examination of an Underexplored Subject


“Ajax Security is a remarkably rigorous and thorough examination of an underexplored subject. Every Ajax engineer needs to have the knowledge contained in this book—or be able to explain why they don’t.”
Jesse James Garrett

“Finally, a book that collects and presents the various Ajax security concerns in an understandable format! So many people have hopped onto the Ajax bandwagon without considering the security ramifications; now those people need to read this book and revisit their applications to address the various security shortcomings pointed out by the authors.”
Jeff Forristal

“If you are writing or reviewing Ajax code, you need this book. Billy and Bryan have done a stellar job in a nascent area of our field, and deserve success. Go buy this book. I can’t wait for it to come out.”
Andrew van der Stock, Executive Director, OWASP

“Web technologies like Ajax are creating new networked business structures that remove the sources of friction in the new economy. Regrettably, hackers work to compromise this evolution by capitalizing on the weaknesses in this technology and those who develop it. Until now, few books told the whole Ajax security story, educating those using or planning to use this technology. This one does.”
Managing Partner, Trellum Technologies

Ajax Security
Billy Hoffman and Bryan Sullivan

Upper Saddle River, NJ • Boston • Indianapolis • San Francisco
New York • Toronto • Montreal • London • Munich • Paris • Madrid
Cape Town • Sydney • Tokyo • Singapore • Mexico City

Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and the publisher was aware of a trademark claim, the designations have been printed with initial capital letters or in all capitals.

The authors and publisher have taken care in the preparation of this book, but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for incidental or consequential damages in connection with or arising out of the use of the information or programs contained herein.

The publisher offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales, which may include electronic versions and/or custom covers and content particular to your business, training goals, marketing focus, and branding interests. For more information, please contact:
U.S. Corporate and Government Sales
(800) 382-3419
[email protected]

For sales outside the United States please contact:
International Sales
[email protected]

Visit us on the Web: www.prenhallprofessional.com

Editor-in-Chief: Karen Gettman
Acquisitions Editor: Jessica Goldstein
Development Editor: Sheri Cain
Managing Editor: Gina Kanouse
Project Editor: Chelsey Marti
Copy Editor: Harrison Ridge Editorial Services
Indexer: Lisa Stumpf
Proofreader: Kathy Ruiz
Technical Reviewers: Trellum Technologies, Inc.; Jeff Forristal; Joe Stagner; Vinnie Liu
Editorial Assistant: Romny French
Cover Designer: Alan Clements
Composition: Jake McFarland

Library of Congress Cataloging-in-Publication Data:
Hoffman, Billy, 1980-
Ajax security / Billy Hoffman and Bryan Sullivan.
p. cm.
ISBN 0-321-49193-9 (pbk. : alk. paper)
1. Ajax (Web site development technology) 2. Computer networks—Security measures. 3. Computer security. I. Sullivan, Bryan, 1974- II. Title.
TK5105.8885.A52H62 2007
005.8—dc22
2007037191

Copyright © 2008 Pearson Education, Inc.
All rights reserved. Printed in the United States of America. This publication is protected by copyright, and permission must be obtained from the publisher prior to any prohibited reproduction, storage in a retrieval system, or transmission in any form or by any means, electronic, mechanical, photocopying, recording, or likewise. For information regarding permissions, write to:
Pearson Education, Inc
Rights and Contracts Department
501 Boylston Street, Suite 900
Boston, MA 02116
Fax (617) 671 3447

ISBN-13: 978-0-321-49193-0
ISBN-10: 0-321-49193-9
Text printed in the United States on recycled paper at R.R. Donnelly in Crawfordsville, IN.
First printing December 2007

This book is dedicated to my wife Jill. I am lucky beyond words to be married to such an intelligent, beautiful, and caring woman. Love you Sexy.

For Amy. I can’t imagine living without your love and support.

Contents

Preface xvii
Preface (The Real One) xvix

Chapter 1 Introduction to Ajax Security 1
  An Ajax Primer 2
  What Is Ajax? 2
  Asynchronous 3
  JavaScript 6
  XML 11
  Dynamic HTML (DHTML) 11
  The Ajax Architecture Shift 11
  Thick-Client Architecture 12
  Thin-Client Architecture 13
  Ajax: The Goldilocks of Architecture 15
  A Security Perspective: Thick-Client Applications 16
  A Security Perspective: Thin-Client Applications 17
  A Security Perspective: Ajax Applications 18
  A Perfect Storm of Vulnerabilities 19
  Increased Complexity, Transparency, and Size 19
  Sociological Issues 22
  Ajax Applications: Attractive and Strategic Targets 23
  Conclusions 24

Chapter 2 The Heist 25
  Eve 25
  Hacking HighTechVacations.net 26
  Hacking the Coupon System 26
  Attacking Client-Side Data Binding 32
  Attacking the Ajax API 36
  A Theft in the Night 42

Chapter 3 Web Attacks 45
  The Basic Attack Categories 45
  Resource Enumeration 46
  Parameter Manipulation 50
  Other Attacks 75
  Cross-Site Request Forgery (CSRF) 75
  Phishing 76
  Denial-of-Service (DoS) 77
  Protecting Web Applications from Resource Enumeration and Parameter Manipulation 77
  Secure Sockets Layer 78
  Conclusions 78

Chapter 4 Ajax Attack Surface 81
  Understanding the Attack Surface 81
  Traditional Web Application Attack Surface 83
  Form Inputs 83
  Cookies 84
  Headers 85
  Hidden Form Inputs 86
  Query Parameters 86
  Uploaded Files 89
  Traditional Web Application Attacks: A Report Card 90
  Web Service Attack Surface 92
  Web Service Methods 92
  Web Service Definitions 94
  Ajax Application Attack Surface 94
  The Origin of the Ajax Application Attack Surface 96
  Best of Both Worlds—for the Hacker 98
  Proper Input Validation 98
  The Problem with Blacklisting and Other Specific Fixes 99
  Treating the Symptoms Instead of the Disease 102
  Whitelist Input Validation 105
  Regular Expressions 109
  Additional Thoughts on Input Validation 109
  Validating Rich User Input 111
  Validating Markup Languages 111
  Validating Binary Files 113
  Validating JavaScript Source Code 114
  Validating Serialized Data 120
  The Myth of User-Supplied Content 122
  Conclusion 123

Chapter 5 Ajax Code Complexity 125
  Multiple Languages and Architectures 125
  Array Indexing 126
  String Operations 128
  Code Comments 129
  Someone Else’s Problem 130
  JavaScript Quirks 132
  Interpreted, Not Compiled 132
  Weakly Typed 133
  Asynchronicity 135
  Race Conditions 135
  Deadlocks and the Dining Philosophers Problem 139
  Client-Side Synchronization 144
  Be Careful Whose Advice You Take 144
  Conclusions 145

Chapter 6 Transparency in Ajax Applications 147
  Black Boxes Versus White Boxes 147
  Example: MyLocalWeatherForecast.com 150
  Example: MyLocalWeatherForecast.com “Ajaxified” 152
  Comparison Conclusions 156
  The Web Application as an API 156
  Data Types and Method Signatures 158
  Specific Security Mistakes 158
  Improper Authorization 159
  Overly Granular Server API 161
  Session State Stored in JavaScript 164
  Sensitive Data Revealed to Users 165
  Comments and Documentation Included in Client-Side Code 166
  Data Transformation Performed on the Client 167
  Security through Obscurity 172
  Obfuscation 173
  Conclusions 174

Chapter 7 Hijacking Ajax Applications 175
  Hijacking Ajax Frameworks 176
  Accidental Function Clobbering 176
  Function Clobbering for Fun and Profit 178
  Hijacking On-Demand Ajax 184
  Hijacking JSON APIs 190
  Hijacking Object Literals 195
  Root of JSON Hijacking 195
  Defending Against JSON Hijacking 196
  Conclusions 199

Chapter 8 Attacking Client-Side Storage 201
  Overview of Client-Side Storage Systems 201
  General Client-Side Storage Security 202
  HTTP Cookies 204
  Cookie Access Control Rules 206
  Storage Capacity of HTTP Cookies 211
  Lifetime of Cookies 215
  Additional Cookie Storage Security Notes 216
  Cookie Storage Summary 216
  Flash Local Shared Objects 218
  Flash Local Shared Objects Summary 225
  DOM Storage 226
  Session Storage 227
  Global Storage 229
  The Devilish Details of DOM Storage 231
  DOM Storage Security 233
  DOM Storage Summary 234
  Internet Explorer userData 235
  Security Summary 240
  General Client-Side Storage Attacks and Defenses 240
  Cross-Domain Attacks 241
  Cross-Directory Attacks 242
  Cross-Port Attacks 243
  Conclusions 243

Chapter 9 Offline Ajax Applications 245
  Offline Ajax Applications 245
  Google Gears 247
  Native Security Features and Shortcomings of Google Gears 248
  Exploiting WorkerPool 251
  LocalServer Data Disclosure and Poisoning 253
  Directly Accessing the Google Gears Database 257
  SQL Injection and Google Gears 258
  How Dangerous Is Client-Side SQL Injection? 262
  Dojo.Offline 264
  Keeping the Key Safe 265
  Keeping the Data Safe 266
  Good Passwords Make for Good Keys 267
  Client-Side Input Validation Becomes Relevant 268
  Other Approaches to Offline Applications 270
  Conclusions 270

Chapter 10 Request Origin Issues 273
  Robots, Spiders, Browsers, and Other Creepy Crawlers 273
  “Hello! My Name Is Firefox. I Enjoy Chunked Encoding, PDFs, and Long Walks on the Beach.” 275
  Request Origin Uncertainty and JavaScript 276
  Ajax Requests from the Web Server’s Point of View 276
  Yourself, or Someone Like You 280
  Sending HTTP Requests with JavaScript