
Securing Ajax Applications, by Christopher Wells (PDF)

251 pages · 2007 · 3.37 MB · English

Securing Ajax Applications

Other resources from O'Reilly

Related titles:
  802.11 Security
  Computer Security Basics
  Java™ Security
  Linux Security Cookbook™
  Building Secure Servers with Linux
  Ajax and Web Services
  Head Rush Ajax
  RESTful Web Services
  SSH, The Secure Shell: The Definitive Guide
  Web Security, Privacy, and Commerce
  Network Security with OpenSSL
  Secure Coding: Principles & Practices
  Securing Windows NT/2000 Servers for the Internet

oreilly.com
oreilly.com is more than a complete catalog of O'Reilly books. You'll also find links to news, events, articles, weblogs, sample chapters, and code examples.

oreillynet.com is the essential portal for developers interested in open and emerging technologies, including new platforms, programming languages, and operating systems.

Conferences
O'Reilly brings diverse innovators together to nurture the ideas that spark revolutionary industries. We specialize in documenting the latest tools and systems, translating the innovator's knowledge into useful skills for those in the trenches. Visit conferences.oreilly.com for our upcoming events.

Safari Bookshelf (safari.oreilly.com) is the premier online reference library for programmers and IT professionals. Conduct searches across more than 1,000 books. Subscribers can zero in on answers to time-critical questions in a matter of seconds. Read the books on your Bookshelf from cover to cover or simply flip to the page you need. Try it today for free.

Securing Ajax Applications
Christopher Wells

Beijing • Cambridge • Farnham • Köln • Paris • Sebastopol • Taipei • Tokyo

Securing Ajax Applications
by Christopher Wells

Copyright © 2007 Christopher Wells. All rights reserved.
Printed in the United States of America.

Published by O'Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472.

O'Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (safari.oreilly.com). For more information, contact our corporate/institutional sales department: (800) 998-9938 or [email protected].

Editor: Tatiana Apandi
Production Editor: Mary Brady
Production Services: Tolman Creek Design
Cover Designer: Karen Montgomery
Interior Designer: David Futato
Illustrators: Robert Romano and Jessamyn Read

Printing History:
July 2007: First Edition.

Nutshell Handbook, the Nutshell Handbook logo, and the O'Reilly logo are registered trademarks of O'Reilly Media, Inc. Securing Ajax Applications, the image of a spotted hyena, and related trade dress are trademarks of O'Reilly Media, Inc.

Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and O'Reilly Media, Inc. was aware of a trademark claim, the designations have been printed in caps or initial caps.

While every precaution has been taken in the preparation of this book, the publisher and author assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.

This book uses RepKover™, a durable and flexible lay-flat binding.

ISBN-10: 0-596-52931-7
ISBN-13: 978-0-596-52931-4
[M]

To Jennafer, my honey, and Maggie, my bit of honey: you two are what make life so sweet.

Table of Contents

Preface  ix

1. The Evolving Web  1
   The Rise of the Web  2

2. Web Security  29
   Security Basics  29
   Risk Analysis  37
   Common Web Application Vulnerabilities  40

3. Securing Web Technologies  56
   How Web Sites Communicate  56
   Browser Security  61
   Browser Plug-ins, Extensions, and Add-ons  76

4. Protecting the Server  99
   Network Security  100
   Host Security  103
   Web Server Hardening  121
   Application Server Hardening  128

5. A Weak Foundation  130
   HTTP Vulnerabilities  131
   The Threats  136
   JSON  143
   XML  146
   RSS  148
   Atom  149
   REST  152

6. Securing Web Services  155
   Web Services Overview  156
   Security and Web Services  167
   Web Service Security  172

7. Building Secure APIs  174
   Building Your Own APIs  174
   Preconditions  179
   Postconditions  180
   Invariants  180
   Security Concerns  181
   RESTful Web Services  183

8. Mashups  190
   Web Applications and Open Internet APIs  191
   Wild Web 2.0  192
   Mashups and Security  194
   Open Versus Secure  198
   A Security Blanket  199
   Case Studies  201

Index  213

Preface

Deciding to add security to a web application is like deciding whether to wear clothes in the morning. Both decisions provide comfort and protection throughout the day, and in both cases the decisions are better made beforehand rather than later. Just look around and ask yourself, "How open do I really want to be with my neighbors?" Or, "How open do I really want them to be with me?"

It's all about sharing. With web sites sharing data via open APIs, web services, and other new technologies, we are experiencing the veritable Woodstock of the digital age. Free love now takes the form of free content and services. Make mashups, not web pages!

All right, so let's get down to business.

Believe it or not, there is security in openness. Look at the United States government, for example. The openness of the U.S. governmental system is what helps keep it secure. Maybe that can work for us, too! Repeat after me:

We, the programmers, in order to build a more perfect Web; to establish presence and ensure server stability; provide for the common Web; promote general security; for ourselves and our posterity; do ordain and establish this constitution…

Sadly, it is not quite that easy—or is it? Checks and balances make governments work. There are layers of cooperation and defense. Each layer provides defense in depth.

Web application security is a serious business. All web applications are or will be vulnerable to some form of attack. The thing to remember is that most people are good, and security is implemented to thwart those who are not. So, the chances of your application getting attacked are proportional to the number of bad apples out there.

Audience

This book is for programmers on the front lines looking for a solid resource to help them protect their applications from harm. It is also for the developer or architect interested in sharing or consuming content in a safe way.
