From MemberWiki

Contents 1 Introductory topics 1.1 Basic Information about Ajax 1.2 Web Security Basics 2 High-Level Articles on Ajax and Mashup Security 2.1 Generic Ajax Security Issues 3 Articles on Specific Security Topics 3.1 Cross-Site Request Forgery (CSRF) 3.2 Information about JSON and the threats 3.3 Attack Vectors 3.4 Attacks to the HttpOnly Cookies 4 Ajax and Mashup Security Recommended Best Practices 5 Ajax and Mashup Security Tools 5.1 Vulnerability Checking Tools 5.2 Server-side Security Products (Intrusion Detection/Prevention, Appliances)

Introductory topics

Basic Information about Ajax

• adaptive path >> Ajax: A New Approach to Web Applications" by Jesse James Garrett, February 18, 2005.
• Ajax and XML: Five common Ajax patterns (Jack D. Herrington,developerWorks, March 2007): Explore easy-to-use, real-life Ajax design patterns.
• Mastering Ajaxseries (Brett McLaughlin, developerWorks, December 2005 - March 2007): In Parts 1 through 10, delve deep into Ajax, JSON, and other Web 2.0 data formats. It's a great staring point to explore Web 2.0 development.

Web Security Basics

• W3C Security Home
• The XMLHttpRequest Object (W3C Working Draft, 18 June 2007): A draft specification defining the XMLHttpRequest API that provides scripted client functionality for transferring data between a client and a server.
• Enabling Read Access for Web Resources (W3C Working Draft 18 June 2007): A draft specification defining a mechanism to selectively provide cross-site access to a web resource, either by an HTTP header or an XML processing instruction.
• The Same Origin Policy: Read Jesse Ruderman's description of the same-origin policy.
• Open Web Application Security Project (OWASP): Find materials to learn more about security issues of Web applications.
• Web Application Security Consortium: Find uself tools and information about security issues of Web applications.

High-Level Articles on Ajax and Mashup Security

Generic Ajax Security Issues

• Top 10 Ajax Security Holes and Driving Factors (Shreeraj Shah, Help Net Security, November 2006): Learn the most common pitfalls Web 2.0 developers can encounter during their designs.
• Ajax Security Basics (Jaswinder S. Hayre and Jayasankar Kelath, SecurityFocus, June 2006): Read how Ajax enlarges the attack surface and complicates vulnerability assessment.
• Shaping the future of secure Ajax mashups (Brent Ashley, April 03, 2007): Describes how to improve the browser for hybrid Web applications.

Articles on Specific Security Topics

Cross-Site Request Forgery (CSRF)

• Cross-site Request Forgery: from Wikipedia.
• Cross-Site Request Forgery: from owasp.org.
• SESSION RIDING - A Widespread Vulnerability in Today's Web Applications, by Thomas Schreiber, SecureNet GmbH, Dec 2004.
• Cross Site Reference Forgery - An introduction to a common web application weakness, by Jesse Burns, Information Security Partners, LLC, Version 1.1, 2005.
• Digger's Blog, How to defeat digg.com ... an introduction to session riding, Tuesday, June 06, 2006.
• GNUCITIZEN, "Persistent CSRF and the Hotlink Hell", April 16, 2007.
• Operation n, a hacker's diary, "Hotlinks and Persistent CSRF - leech the leech", April 16 2007.

Information about JSON and the threats

• JSON.org: Find an introduction to JSON and links to the JSON implementations in different programming languages.
• RFC 4627: The application/json Media Type for JavaScript Object Notation (JSON) (D. Crockford, JSON.org, July 2006): Read an IETF memo describing the JSON format in great detail.
• robubu - the technical weblog of Rob Yates: Read about basic security issues of JSON.
• Remote JSON - JSONP (Bob Ippolito, December 2005): In this blog post, examine a method to fetch cross-domain data by using the dynamic script tag and JSON.
• JavaScript Hijacking (Brian Chess, Yekaterina Tsipenyuk O'Neil, Jacob West, March 12, 2007): Read more details about JSON Hijacking.
• Joe Walker's blog for the array constructor overriding and the setter overriding

Attack Vectors

• Ha.ckers.org: Cross Site Scripting Cheat Sheet
• JS.Yamanner@m: Visit the Symantec Web site for the technical details of the Yamanner worm.
• Technical explanation of The MySpace Worm: Get the technical details of the MySpace worm.
• XSSed - XSS (cross-site scripting) information and vulnerable websites archive: Web site with articles on XSS attacks, including technical explanations of attacks that have happened to well-known Web sites

Attacks to the HttpOnly Cookies

• Cross-Site Tracing (XST) Whitepaper (Jeremiah Grossman, 1/20/2003)
• Description of XST variants (Amit Klein, January 2003)
• Blog at ha.ckers.org describes an attack to HttpOnly cookies by XMLHttpRequest.

Ajax and Mashup Security Recommended Best Practices

(no content yet)

Ajax and Mashup Security Tools

Vulnerability Checking Tools

• Fortify Software: static source-code analyzer, available at http://www.fortifysoftware.com/
• Klocwork: http://www.klocwork.com
• Microsoft: "Anti-Cross Site Scripting Library", available at http://download.microsoft.com; Microsoft internal web security tools, available from Microsoft SWIAT team.
• Microsoft: SPI Dynamics "DevInspect" and "SecureObjects" for Microsoft "Visual Studio 2005", available at http://www.spidynamics.com.
• Nikto (CIRT.net): Web server scanner that performs hundreds of checks, available at http://www.cirt.net/code/nikto.shtml
• Ounce: automtated source code vulnerability analysis, available at http://www.ouncelabs.com
• Secure Software: CodeAssure, static source-code analyzer, available at http://securesoftware.com
• Watchfire: AppScan Suite for Web Application Security Testing, available at http://www.watchfire.com/products/appscan/default.aspx.

Server-side Security Products (Intrusion Detection/Prevention, Appliances)

• IBM: ISS Proventia Network Intrusion Prevention System, available at http://www.iss.net/products/index.html
• Layer7 Technologies: XML Appliance for SOA and Web 2.0, available at http://www.layer7tech.com/