Ensuring the security of Ajax applications is a new challenge for anyone who develops or manages web services. At the core of most Ajax applications is the JavaScript XMLHttpRequest object, which lets a web page open its own connections to web servers and fetch content independently of the page itself. When a service-oriented architecture is combined with other loosely integrated software services, this capability raises serious security problems. Although Ajax does not create new classes of vulnerability, it can expose many existing ones, especially when the Ajax application is complex: it becomes very difficult to test the many sequences of exchanges that may occur between users and services.
Wanting to scan your code is entirely correct. However, no comprehensive, automated security assessment tool for Ajax applications is available yet. The Open Web Application Security Project (OWASP) offers Sprajax as a free download: an open-source security scanner developed specifically to find potential vulnerabilities in Ajax web applications. I have no doubt that this software will become a great tool, but I cannot call it one yet. You can download Sprajax from this website. On the OWASP website you will also find advice on developing secure Ajax applications. You can also register to receive a supplementary security scan from Acunetix.
On the other hand, if your budget permits the purchase of an Ajax vulnerability assessment tool, consider Cenzic's updated Hailstorm product. This updated tool can now scan applications with Ajax features. Although it cannot cover every XML- and SOA-based vulnerability, Hailstorm detects flaws from the application's actual responses, using an internal browser, which is much better than signature-based scanning. The product can also perform session-based assessment of vulnerabilities such as session hijacking, which signature-based scanning cannot do. SPI Dynamics' WebInspect is another scanner worth evaluating; among its many checks, it tests the authentication and authorization of dynamically linked server-side scripts.
Finally, keep your Ajax applications simple. Reducing and simplifying Ajax calls makes it easier to assess what kinds of requests a page or application sends. You should also document how the application communicates with the server and how it handles responses; this makes it easier to judge whether your code contains security vulnerabilities. The rule of never trusting critical code on the client still applies: every security control must be implemented on the server and must never be under the user's control.
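As an added illustration of that last rule (example code, not from the original article), here is a server-side handler for a hypothetical "transfer funds" Ajax request in two forms: one that honours a role flag carried in the posted JSON body, and a hardened one that takes identity and role only from server-side session state and validates the request against its documented shape. Account balances, the session store and the request fields are constructed for the demo.

```javascript
const USER_LIMIT = 25; // per-transfer cap for ordinary users (constructed policy)

// Build a fresh in-memory backend so each run starts from known state.
function makeBank() {
  return {
    accounts: new Map([["alice", 100], ["bob", 50]]),                    // constructed balances
    sessions: new Map([["sid-alice", { user: "alice", role: "user" }]]), // server-side session store
  };
}

function applyTransfer(bank, from, to, amount) {
  if (!bank.accounts.has(from) || !bank.accounts.has(to)) return { ok: false, error: "unknown account" };
  if (bank.accounts.get(from) < amount) return { ok: false, error: "insufficient funds" };
  bank.accounts.set(from, bank.accounts.get(from) - amount);
  bank.accounts.set(to, bank.accounts.get(to) + amount);
  return { ok: true, balance: bank.accounts.get(from) };
}

// Vulnerable: the JSON body posted by the page's XMLHttpRequest carries a "role"
// field, and the limit check is driven by that client-controlled value.
function transferVulnerable(bank, sessionId, body) {
  const session = bank.sessions.get(sessionId);
  if (!session) return { ok: false, error: "not authenticated" };
  const limit = body.role === "admin" ? Infinity : USER_LIMIT; // trusts the client
  if (body.amount > limit) return { ok: false, error: "over limit" };
  return applyTransfer(bank, body.from, body.to, body.amount);
}

// Reject anything outside the documented request contract:
// {from: string, to: string, amount: positive finite number}; extra fields are ignored.
function validateTransferRequest(body) {
  if (typeof body !== "object" || body === null) return "malformed request";
  if (typeof body.from !== "string" || typeof body.to !== "string") return "bad account id";
  if (typeof body.amount !== "number" || !Number.isFinite(body.amount) || body.amount <= 0) return "bad amount";
  if (body.from === body.to) return "same account";
  return null;
}

// Hardened: identity and role come only from the server-side session, and the
// body is validated before any of its fields is used.
function transferHardened(bank, sessionId, body) {
  const session = bank.sessions.get(sessionId);
  if (!session) return { ok: false, error: "not authenticated" };
  const err = validateTransferRequest(body);
  if (err) return { ok: false, error: err };
  if (body.from !== session.user) return { ok: false, error: "forbidden" }; // only the caller's own account
  const limit = session.role === "admin" ? Infinity : USER_LIMIT;          // role from session, not body
  if (body.amount > limit) return { ok: false, error: "over limit" };
  return applyTransfer(bank, body.from, body.to, body.amount);
}
```

The same forged body that moves 60 units through the vulnerable handler is refused by the hardened one, and malformed amounts (strings, negatives) never reach the balance arithmetic.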