Ebook Ajax security: Part 1

Document type: PDF
Pages: 271 pages
Document: ✅ APPROVED

Detailed content: Ebook Ajax security: Part 1

Attacking Client-Side Storage

Myth: The client's machine is a safe place to store data.

There are several security issues when Ajax applications store data on the client. Not only is client-side storage easily viewed or modified by an attacker, client-side storage methods can also leak access to these storage spaces to untrusted third parties. This can allow an attacker to remotely read all offline data stored on the client by an Ajax application. Even security-conscious developers who explicitly avoid putting sensitive data in client-side storage systems can inadvertently do so when they use client-side storage to cache data tables or trees. Only by fully understanding the access methods of each client-side storage method and implementing ex [...]

Overview of Client-Side Storage Systems

The client-side portions of Web applications have been hobbled from fully participating as major components of an application by four roadblocks:

• Sufficient penetration of (semi-) standards compliant browsers allowing developers to easily write cross-platform client-side programs
• Sufficient penetration of personal computers fast enough to parse and interpret large and complex client-side programs
• A means to transmit data back and forth between the client and server without interrupting the user's experience
• A large, persistent data sto [...]

[...]b standards matured and Web developers and users pressured the browser manufacturers to conform to standards. It is now far easier to write cross-browser JavaScript than in the Web dark ages of the 1990s. Moore's Law, which states computing power doubles every 18 months, took care of the second requirement. Modern computers run complex interpreted programs inside a browser much faster than before. Remember how long Java applets took to run in the mid 1990s on a Pentium 90 with 32MB of RAM? The third requirement was handled by the pillar of Ajax: the XMLHttpRequest object. Ajax applications seam [...]

[...]le client-side storage systems. Offline Ajax is a perfect example: offline Ajax allows users to access Web applications without being connected to the Internet. We discuss offline Ajax applications in depth in Chapter 9, "Offline Ajax Applications." However, client-side storage is essential for this capability. The benefits of client-side storage include reducing Ajax traffic by storing data on the client, improving a slow network connection, or persisting data across domains or browser instances. In this chapter we examine several different client-side storage methods and discuss how to use the [...]

[...] into the different implementations for client-side storage, we should examine how long the data is stored on the client. There are two classifications, persistent and nonpersistent, which denote how long data is stored in a system. Nonpersistent data is stored temporarily on the client and is discarded when the user closes the Web browser. Persistent data is stored on the client in a more permanent capacity. It survives if the user closes and reopens the browser, or even if she reboots her machine. Data stored persistently usually has an expiration date. Much like a jug of milk in your fridge, [...]

[...]portant to know whether the data stored in the system will be stored persistently.

General Client-Side Storage Security

As we learned in the myth at the start of this chapter, there are several significant security concerns related to storing data on the client. When we examine each method for storing data on the client, readers should keep several questions in mind. Knowing the answers will help you pick the most appropriate and secure client-side storage method for your application. These questions include:

• What browsers are supported? While there are [...]ature depending on which browser your users access your application with.
• Does the storage method offer persistent, nonpersistent, or both forms of data storage? If you can only store data persistently, it is up to you to implement code to delete and purge data when appropriate.
• How much data can you store? What is the default capacity? What is the maximum capacity? It does not matter how appealing the other features of a storage method are if it cannot offer enough space for your application.
• What data types can you store? If a storage method can only save strings, then you will have to handl [...] to cause Denial of Service attacks in custom serialization and deserialization code. Be aware of which storage methods force you to do some heavy lifting.
• What are the access policies for the storage method? What other domains, services, and Web pages can access the data by default? What features does the storage method have that allow you to limit who can access the data?
• How do you clean up or remove old data? Leaving unnecessary data around isn't just sloppy, it can also be a security vulnerability. While no secret can be protected on the client, leaving the sensitive data scattered all aro [...]ration date for the data.
• How easy is it for the user to delete the data? If you pick a volatile storage method, your application will need to handle situations in which the client-side data disappears. You did write your application to handle errors gracefully, right?
• How easy is it to read the data stored on the machine? Attackers can definitely read any data you store on the client, regardless of the method you pick. The real question is, how much work must an attacker perform to read what is stored? Never, never, never store anything secret in client-side storage!
• How easy is it to modify [...]on is, how much work must an attacker perform to write over the stored data? This is an excellent vector to launch attacks and is another example of input that requires validation.

HTTP Cookies

HTTP cookies are one of the most basic forms of client-side storage. To fully appreciate the limitations and security issues of using cookies as a storage mechanism, we must explore the history of cookies. In case you missed the memo, HTTP is a stateless protocol. This means that the server treats each request as an isolated transaction that is not related to any [...]

[...]re a mechanism to allow the Web server to store a small amount of data on a user's machine. A user's Web browser attaches this cookie data to outgoing requests back to the Web server that set the data.[1] Figure 8-1 shows the browser's cookie jar, where cookies the Web browser has received are stored.

Figure 8-1 The browser's cookie jar displays a list of cookies the browser has and all of their properties.

To impose state-keeping, a Web server can store a unique identifier for each visitor inside a cookie and send the cookie to the visitor's Web browser. Every time that visitor requests a page fro [...]

[...] differentiate between different, distinct users accessing their resources. Remember, each user has a [...]

[1] This is actually a simplification. We discuss how developers can control which cookies get sent to which Web servers later in this section.
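The chapter's two warnings about cached data tables, that whatever an application writes to client-side storage comes back as attacker-controlled input requiring validation, and that persistent data needs an expiration date, can be put into code. The following JavaScript is an added example and not code from the book: it assumes a product table cached as a JSON string (a constructed sample) and validates every record before the application trusts it, regardless of which storage method delivered the string.

```javascript
'use strict';

// Constructed sample of a data table an Ajax application might cache in
// client-side storage (a cookie or any other browser store) to save a round trip.
const CACHED_TABLE = JSON.stringify({
  v: 1,
  expires: 1700000000, // Unix seconds; constructed value
  rows: [
    { id: 101, name: 'Widget', priceCents: 1999 },
    { id: 102, name: 'Gadget', priceCents: 4999 },
  ],
});

// The only fields the application will accept back, each with a predicate.
// Nothing secret (tokens, passwords, account data) is ever part of this table.
const ROW_SCHEMA = {
  id: (v) => Number.isInteger(v) && v > 0,
  name: (v) => typeof v === 'string' && v.length <= 64 && /^[\w .-]+$/.test(v),
  priceCents: (v) => Number.isInteger(v) && v >= 0,
};
const ROW_FIELDS = Object.keys(ROW_SCHEMA);

// Parse and validate a cached table read back from the client. Returns the
// rows on success and null on any problem; the caller then re-fetches from
// the server instead of using whatever was found on the client's machine.
function loadCachedTable(raw, nowSeconds) {
  let doc;
  try { doc = JSON.parse(raw); } catch (e) { return null; }
  if (doc === null || typeof doc !== 'object' || doc.v !== 1) return null;
  // Stale data is treated exactly like missing data.
  if (!Number.isInteger(doc.expires) || doc.expires <= nowSeconds) return null;
  if (!Array.isArray(doc.rows) || doc.rows.length > 1000) return null;
  const rows = [];
  for (const row of doc.rows) {
    if (row === null || typeof row !== 'object') return null;
    // Unknown or missing fields mean the record was not written by this code.
    if (Object.keys(row).length !== ROW_FIELDS.length) return null;
    for (const field of ROW_FIELDS) {
      if (!ROW_SCHEMA[field](row[field])) return null;
    }
    // Copy only the validated fields into a fresh object.
    rows.push({ id: row.id, name: row.name, priceCents: row.priceCents });
  }
  return rows;
}
```

A null result should be handled as the "data disappeared" case from the question list above: fall back to the server, and overwrite the cache with the fresh copy.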

Gọi ngay
Chat zalo
Facebook