Ajax security tools

Source: Internet
Author: User
Tags: modulus tools and utilities
From: IT expert network

Some security vulnerabilities inside Ajax applications can let malicious hackers seriously harm your applications: identity theft, unprotected access to sensitive information, browser crashes, destruction of the web application, denial-of-service attacks, and so on. These are some of the security events that can happen to an application, and developers need to prevent them when building Ajax functionality into an application. developerWorks regular contributor Judith Myerson recommends some tools that can harden applications, including Firefox tools and add-ons, and that can improve or solve security issues in Ajax applications.

Introduction


In this article you will learn about some Ajax security tools and use them to scan for vulnerabilities such as SQL injection and cross-site scripting, set a master password, and restore all windows after a crash. You will also look at tools and utilities that make sure the sites linked from the application do not appear on a blacklist. Blacklists help keep hackers from modifying browser functions, compromising web applications, and achieving other malicious purposes. This article divides these utilities into three categories: enhancement tools, Firefox tools, and Firefox add-ons.

Enhancement Tool

This section describes the following tools: the Ajax Secure Service Layer (aSSL) tool protects chats and blogs; HTMLProtector keeps visitors from stealing the source code and images of Ajax web pages; and Acunetix Web Vulnerability Scanner scans for SQL injection and cross-site scripting so that they can be fixed. When you link to other web sites from your own Ajax page, use the AjaxDNS tools to make sure those links do not appear on web site blacklists. Also consider despoof, an open-source command-line anti-spoofing detection program that can detect all IP spoofing methods.

aSSL

aSSL is a library released under the MIT license. It is an open-source Ajax implementation of SSL that does not use HTTPS. Because of browser security restrictions, aSSL running in the browser cannot check the server's SSL certificate the way SSL does. Instead, aSSL uses the RSA algorithm to let the client exchange a random 128-bit key with one or more servers. After the connection is established, the Ajax tool uses the AES algorithm to send and receive data. aSSL is better suited to protecting non-critical sites, such as chat and blog sites behind a firewall, because these sites do not require SSL certificates.

aSSL starts the protection process when the browser calls the server. After receiving the call, the server returns its RSA modulus. The browser then generates a random 128-bit exchange key, encrypts it with the server's public key, and passes the encrypted exchange key to the server. The server receives the encrypted exchange key and decrypts it with its private key. Finally, the browser receives a session identifier and sets a timeout value to keep the connection alive.

HTMLProtector

This tool goes beyond what a firewall does and helps you protect the content of web sites running on your servers. When sending protected web pages to the server, you decide on the client which content to protect. HTMLProtector helps you with the following tasks:

Prevent visitors from viewing and printing your source code.
Prevent spam-sending machines from harvesting email addresses from your pages; hackers may use these addresses to send spam.
Prevent visitors from downloading your entire web site to their hard disk with an automatic download program.
Keep email links from appearing in the status bar when a visitor hovers the mouse over a link on your web site. You can choose to protect only the body of the page, only the header, or both.
Better yet, HTMLProtector lets you protect a page with a password. Make sure the password you give to authorized visitors stays confidential and cannot be cracked by unauthorized visitors. If an unauthorized visitor enters an incorrect password, you can choose to display a blank page, redirect to a different URL, or return to the previous page. You can also keep the browser from saving your page to its local cache, to further limit hacker damage.

Acunetix Web Vulnerability Scanner Free Edition

The Acunetix Web Vulnerability Scanner (AWVS) Free Edition finds vulnerabilities such as SQL injection and cross-site scripting in applications so that they can be fixed before the code goes live. (Hackers can exploit a SQL injection vulnerability to modify SQL commands and access data in the database. Cross-site scripting lets hackers embed malicious scripts in a visitor's browser and then execute them to collect data.)

AWVS Free Edition also lets you crawl web site content and query the database to identify sensitive data or targets that could be exploited, the way search-engine hackers do. When the query results show data that could be exploited, make sure the problem is fixed before a search-engine hacker finds and exploits the data. (Make sure you test in a testing environment, not in production.)

Acunetix provides three advanced penetration-testing tools, HTTP Editor, HTTP Sniffer, and HTTP Fuzzer, to help you tune web application security checks. The following describes the tests that testers can perform with each tool:

HTTP Editor: construct HTTP/HTTPS requests and analyze the web server's response.

HTTP Sniffer: intercept, record, and modify all HTTP/HTTPS traffic, and display all data sent by the web application.

HTTP Fuzzer: perform complex tests for buffer overflows and input validation; use the rule builder to test a large number of input variables.

Scanning tools help prevent hackers from achieving malicious purposes such as:

Identity theft
Access to sensitive or restricted information
Free access to paid items
Modifying browser functions
Compromising web applications
Denial-of-service attacks
Publicly damaging the reputation of an enterprise or an individual

AjaxDNS tools

The AjaxDNS tools let you conveniently and quickly check the security of the web sites linked from the Ajax application. The function of each tool is listed and explained below:

Whois search: obtains information about the domain name owner, unless viewing this information is prohibited.

RBL search: searches reputation and block lists (RBL) for web sites on the server, so you can make sure the sites linked from the Ajax application are not on these lists.

Ping: measures the time a packet needs to reach the host. If the ping cannot pass through the host's firewall, the host cannot be reached.

You can download whois for Windows from Microsoft and use it from the command line, or use the whois command on Linux/UNIX.

despoof

despoof is another security tool, used to detect spoofed packets; such spoofed packets can reach Ajax applications across networks. If you receive a suspicious packet, try to determine the real time-to-live (TTL) of its claimed source and compare it with the TTL of the received packet.

Before using despoof, make sure your machine has libpcap 0.4 and Libnet 1.0 (or later). Use the commands in Listing 1 to unpack the archive, change into the despoof directory, and build despoof:

Listing 1. Installing despoof
# tar xvzf despoof*.tgz
# cd despoof*
# gcc `libnet-config --defines` -o despoof despoof.c -lnet -lpcap

Run despoof with the command shown in Listing 2:

Listing 2. Running despoof
# ./despoof -h

Firefox tools

You can use Firefox to set a master password and privacy options.

Set master password

You must enter the master password to access stored passwords, saved web form data, and keys. Follow these steps to set a new master password:

1. Click Options under the Tools menu.

2. Go to the Passwords section under the Security tab of the Options dialog box.

3. Select the check box to use a master password.

4. In the Change Master Password dialog box, enter the new password and re-enter it to confirm.

With each character of the new password, green blocks are added to the password quality meter. The stronger the password, the more green blocks the meter displays; if the password reaches the strongest level, the whole meter fills with green blocks.

When the system confirms that the two entries match, you will see a message saying the master password was changed successfully. (Make sure you remember the master password; otherwise you will not be able to access any of the information it protects!)

Set Privacy Options

Let's look at cookie exceptions and clearing private data. Click Options under the Tools menu and go to the Privacy tab. In the Cookies section, you can accept cookies from all sites or only from some. Click Exceptions to specify which web sites are always allowed or never allowed to set cookies. Enter the exact address of the site to manage and click Block, Allow for Session, or Allow. When you are done, click Close.

When Firefox is allowed to accept cookies from a site, you can choose how they are kept: until the cookie expires, until Firefox is closed, or by having Firefox ask you each time.

To set the expiration, go to the History section and note that the check box that lets Firefox remember the pages visited in the last 20 days is selected by default. If that expiration period is not appropriate for you, you can change it.

Add to Firefox

Three very useful Firefox extensions are Session Manager (restores the state of all windows after a crash), Homeland Security Threat Level (shows the current level in the status bar), and WiKID (an alternative to passwords and certificates).

Session Manager

Session Manager automatically saves the state of all windows and restores it as needed when Firefox restarts after a crash. It lets you reopen accidentally closed windows and tabs. Session Manager can encrypt the session data stored in session files and closed-window files. To enable this feature, do the following:

1. Go to Session Manager under Tools.

2. Click Session Manager Options.

3. In the Encryption section, select the box to encrypt saved and closed windows. If a master password is set, Firefox warns you and asks for the password to encrypt or decrypt the session.

4. Click OK.

If Firefox crashes, it asks on restart whether you want to restore the most recent session. Session Manager can restore not only the current browsing session but also other sessions as needed. Therefore, it is best not to disable crash recovery in the Session Store tab of the Session Manager Options dialog box.

This extension replaces the session managers of SessionSaver and Tab Mix Plus, and it stores more data than either of them. We recommend installing only one session-related extension.

Homeland Security Threat Levels

This extension displays the current U.S. Homeland Security threat level (Severe, High, Elevated, Guarded, or Low) as an icon in the status bar, so you can see the threat level at a glance.

WiKID

The WiKID Strong Authentication System is a two-factor authentication solution based on commercial/open-source software. WiKID is designed as a secure alternative to tokens, certificates, and passwords. This Firefox extension uses semantic web technology to enter one-time codes for users automatically. The WiKID token supports multiple WiKID domains, so you do not need a 'keychain' of tokens.

Conclusion

This article helps you plan ahead to improve the security of Ajax applications on servers, clients, or networks. Security is critical to developers, testers, system administrators, and potential users. Therefore, detection and resolution of potential security issues can provide a perfect experience for development teams and users.
