“Ajax Security is a remarkably rigorous and thorough examination of an underexplored subject. Every Ajax engineer needs to have the knowledge contained in this book—or be able to explain why they don’t.”
Jesse James Garrett

“Finally, a book that collects and presents the various Ajax security concerns in an understandable format! So many people have hopped onto the Ajax bandwagon without considering the security ramifications; now those people need to read this book and revisit their applications to address the various security shortcomings pointed out by the authors.”
Jeff Forristal

“If you are writing or reviewing Ajax code, you need this book. Billy and Bryan have done a stellar job in a nascent area of our field, and deserve success. Go buy this book. I can’t wait for it to come out.”
Andrew van der Stock, Executive Director, OWASP

“Web technologies like Ajax are creating new networked business structures that remove the sources of friction in the new economy. Regrettably, hackers work to compromise this evolution by capitalizing on the weaknesses in this technology and those who develop it. Until now, few books told the whole Ajax security story, educating those using or planning to use this technology. This one does.”
Managing Partner, Trellum Technologies

Ajax Security
Billy Hoffman and Bryan Sullivan

Upper Saddle River, NJ • Boston • Indianapolis • San Francisco
New York • Toronto • Montreal • London • Munich • Paris • Madrid
Cape Town • Sydney • Tokyo • Singapore • Mexico City

Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and the publisher was aware of a trademark claim, the designations have been printed with initial capital letters or in all capitals.

The authors and publisher have taken care in the preparation of this book, but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for incidental or consequential damages in connection with or arising out of the use of the information or programs contained herein.

The publisher offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales, which may include electronic versions and/or custom covers and content particular to your business, training goals, marketing focus, and branding interests. For more information, please contact:

U.S. Corporate and Government Sales
(800) 382-3419
[email protected]

For sales outside the United States please contact:

International Sales
[email protected]

Editor-in-Chief: Karen Gettman
Acquisitions Editor: Jessica Goldstein
Development Editor: Sheri Cain
Managing Editor: Gina Kanouse
Project Editor: Chelsey Marti
Copy Editor: Harrison Ridge Editorial Services
Indexer: Lisa Stumpf
Proofreader: Kathy Ruiz
Technical Reviewers: Trellum Technologies, Inc.; Jeff Forristal; Joe Stagner; Vinnie Liu
Editorial Assistant: Romny French
Cover Designer: Alan Clements
Composition: Jake McFarland

Visit us on the Web: www.prenhallprofessional.com

Library of Congress Cataloging-in-Publication Data:
Hoffman, Billy, 1980-
Ajax security / Billy Hoffman and Bryan Sullivan.
p. cm.
ISBN 0-321-49193-9 (pbk. : alk. paper)
1. Ajax (Web site development technology) 2. Computer networks—Security measures. 3. Computer security. I. Sullivan, Bryan, 1974- II. Title.
TK5105.8885.A52H62 2007
005.8—dc22
2007037191

Copyright © 2008 Pearson Education, Inc.

All rights reserved. Printed in the United States of America. This publication is protected by copyright, and permission must be obtained from the publisher prior to any prohibited reproduction, storage in a retrieval system, or transmission in any form or by any means, electronic, mechanical, photocopying, recording, or likewise. For information regarding permissions, write to:

Pearson Education, Inc
Rights and Contracts Department
501 Boylston Street, Suite 900
Boston, MA 02116
Fax (617) 671 3447

ISBN-13: 978-0-321-49193-0
ISBN-10: 0-321-49193-9

Text printed in the United States on recycled paper at R.R. Donnelly in Crawfordsville, IN.
First printing December 2007

This book is dedicated to my wife Jill. I am lucky beyond words to be married to such an intelligent, beautiful, and caring woman. Love you Sexy.

For Amy. I can’t imagine living without your love and support.

Contents

Preface xvii
Preface (The Real One) xvix

Chapter 1 Introduction to Ajax Security 1
    An Ajax Primer 2
        What Is Ajax? 2
        Asynchronous 3
        JavaScript 6
        XML 11
        Dynamic HTML (DHTML) 11
    The Ajax Architecture Shift 11
        Thick-Client Architecture 12
        Thin-Client Architecture 13
        Ajax: The Goldilocks of Architecture 15
    A Security Perspective: Thick-Client Applications 16
    A Security Perspective: Thin-Client Applications 17
    A Security Perspective: Ajax Applications 18
    A Perfect Storm of Vulnerabilities 19
        Increased Complexity, Transparency, and Size 19
        Sociological Issues 22
        Ajax Applications: Attractive and Strategic Targets 23
    Conclusions 24

Chapter 2 The Heist 25
    Eve 25
    Hacking HighTechVacations.net 26