Securing Ajax Applications
Other resources from O’Reilly
Related titles:
802.11 Security
Computer Security Basics
Java™ Security
Linux Security Cookbook™
Network Security with OpenSSL
Secure Coding: Principles & Practices
Securing Windows NT/2000 Servers for the Internet
SSH, The Secure Shell: The Definitive Guide
Web Security, Privacy, and Commerce
Building Secure Servers with Linux
Ajax and Web Services
Head Rush Ajax
RESTful Web Services
Securing Ajax Applications
Christopher Wells
Beijing • Cambridge • Farnham • Köln • Paris • Sebastopol • Taipei • Tokyo
Securing Ajax Applications
by Christopher Wells
Copyright © 2007 Christopher Wells. All rights reserved.
Printed in the United States of America.
Published by O’Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472.
O’Reilly books may be purchased for educational, business, or sales promotional use. Online editions
are also available for most titles (safari.oreilly.com). For more information, contact our
corporate/institutional sales department: (800) 998-9938 or corporate@oreilly.com.
Editor: Tatiana Apandi
Production Editor: Mary Brady
Production Services: Tolman Creek Design
Cover Designer: Karen Montgomery
Interior Designer: David Futato
Illustrators: Robert Romano and Jessamyn Read
Printing History:
July 2007: First Edition.
Nutshell Handbook, the Nutshell Handbook logo, and the O’Reilly logo are registered trademarks of O’Reilly Media, Inc. Securing Ajax Applications, the image of a spotted hyena, and related trade dress are trademarks of O’Reilly Media, Inc.
Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and O’Reilly Media, Inc. was aware of a trademark claim, the designations have been printed in caps or initial caps.
While every precaution has been taken in the preparation of this book, the publisher and author assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.
This book uses RepKover™, a durable and flexible lay-flat binding.
ISBN-10: 0-596-52931-7
ISBN-13: 978-0-596-52931-4
To Jennafer, my honey, and Maggie, my bit of honey:
you two are what make life so sweet.
Table of Contents
Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix
1. The Evolving Web . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
The Rise of the Web 2
2. Web Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Security Basics 29
Risk Analysis 37
Common Web Application Vulnerabilities 40
3. Securing Web Technologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
How Web Sites Communicate 56
Browser Security 61
Browser Plug-ins, Extensions, and Add-ons 76
4. Protecting the Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Network Security 100
Host Security 103
Web Server Hardening 121
Application Server Hardening 128
5. A Weak Foundation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
HTTP Vulnerabilities 131
The Threats 136
JSON 143
XML 146
RSS 148
Atom 149
REST 152
6. Securing Web Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Web Services Overview 156
Security and Web Services 167
Web Service Security 172
7. Building Secure APIs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Building Your Own APIs 174
Preconditions 179
Postconditions 180
Invariants 180
Security Concerns 181
RESTful Web Services 183
8. Mashups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
Web Applications and Open Internet APIs 191
Wild Web 2.0 192
Mashups and Security 194
Open Versus Secure 198
A Security Blanket 199
Case Studies 201
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
Preface
Deciding to add security to a web application is like deciding whether to wear clothes in the morning. Both decisions provide comfort and protection throughout the day, and in both cases the decisions are better made beforehand rather than later. Just look around and ask yourself, “How open do I really want to be with my neighbors?” Or, “How open do I really want them to be with me?”
It’s all about sharing. With web sites sharing data via open APIs, web services, and other new technologies we are experiencing the veritable Woodstock of the digital age. Free love now takes the form of free content and services. Make mashups, not web pages! All right, so let’s get down to business.
Believe it, or not, there is security in openness. Look at the United States government, for example. The openness of the U.S. governmental system is what helps keep it secure. Maybe that can work for us, too! Repeat after me:
We, the programmers, in order to build a more perfect Web; to establish presence and ensure server stability; provide for the common Web; promote general security; for ourselves and our posterity; do ordain and establish this constitution…
Sadly, it is not quite that easy—or is it? Checks and balances make governments work. There are layers of cooperation and defense. Each layer provides defense in depth.
Web application security is a serious business. All web applications are or will be vulnerable to some form of attack. The thing to remember is that most people are good, and security is implemented to thwart those who are not. So, the chances of your application getting attacked are proportional to the number of bad apples out there.
Audience
This book is for programmers on the front lines looking for a solid resource to help
them protect their applications from harm. It is also for the developer or architect
interested in sharing or consuming content in a safe way.