Complementary concepts
AJAX (Asynchronous JavaScript and XML)
A concept rather than a new programming language: a combination of existing technologies
Dynamically updates part of the page, rather than the whole page, through client-side script
Reduces bandwidth usage and increases speed
Enhances the user experience
Accesses the server asynchronously in the background
Ajax components
JavaScript: the core of Ajax; it uses the XMLHttpRequest object to send requests to the server and to receive and process the server's response data
Dynamic HTML (DHTML)
Before Ajax, JavaScript and CSS on the client modified the HTML page elements; the drawback was that everything depended on client-side code changing the page, and any interaction with the server had to go through an applet. Ajax's XMLHttpRequest fills that gap (e.g., checking during registration whether a username is already taken)
Document Object Model (DOM)
The framework for working with HTML and XML document objects; DHTML is implemented by the browser, and the DOM acts as its interface, defining and managing the properties, methods and events of each page element object
Ajax-based Web application workflow
The XMLHttpRequest API creates an XMLHTTP object for the access
What can be returned: XML, JSON, HTML, text, images
Multiple asynchronous requests communicate independently and do not depend on one another
Ajax frameworks
jQuery
Dojo Toolkit
Google Web Toolkit (GWT)
Microsoft AJAX Library
There is no common set of Ajax security best practices, and the attack surface is unfamiliar to most people
Security issues with Ajax
Mixing multiple technologies enlarges the attack surface; each of them can form an independent attack path
The Ajax engine is a full-featured script interpreter, so visiting a malicious site can be disastrous; the browser has a sandbox and the same-origin policy (SOP), but both can be bypassed
Server-side and client-side code are mixed together and easily confused; improper server-side access control; information disclosure
Exposes application logic to the client
Ajax's challenges to penetration testing "cannot be ignored"
A large number of asynchronous requests, and they are hidden
The conditions that trigger an Ajax request are irregular
Manual crawling and intercepting-proxy crawling can miss a large number of requests
Ajax crawl tool
ZAP
Client code auditing
Reading the source "is not necessarily efficient"
Firebug
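The workflow above (XMLHttpRequest open/send, response handled in a callback) and the crawling problem just described are illustrated by the following added example; it is not code from the course notes or from ZAP or Firebug. The JavaScript sample is constructed for the example, and the extractor is a deliberately simple regex scan of client-side source that lists the Ajax endpoints a proxy-driven crawl might never see, because the calls only fire on user events. The patterns only recover the literal part of a URL that is built by string concatenation:

```python
import re

# Constructed sample of client-side JavaScript (not taken from any real application).
# It issues asynchronous requests in the styles the notes mention: a raw XMLHttpRequest
# (open / onreadystatechange / responseText), fetch(), and jQuery helpers. The DELETE
# call only fires on a double-click, which is exactly the kind of irregularly triggered
# request a manual or proxy-driven crawl tends to miss.
SAMPLE_JS = r"""
function checkUser(name) {
  var xhr = new XMLHttpRequest();
  xhr.open("GET", "/api/users/exists?name=" + encodeURIComponent(name), true);
  xhr.onreadystatechange = function () {
    if (xhr.readyState === 4 && xhr.status === 200) {
      var data = JSON.parse(xhr.responseText);
      document.getElementById("hint").textContent = data.available ? "free" : "taken";
    }
  };
  xhr.send(null);
}
btn.addEventListener("dblclick", function () {
  fetch("/api/orders/" + orderId, { method: "DELETE" });
});
$.ajax({ url: "/admin/export", type: "POST", data: { fmt: "csv" } });
$.get("/api/products/123");
$.post('/api/cart/add', { id: 7 });
"""

# Each pattern captures the URL literal (or its leading literal part when the URL is
# built by string concatenation) and, where present, the HTTP method.
XHR_OPEN = re.compile(r'\.open\(\s*["\']([A-Z]+)["\']\s*,\s*["\']([^"\']+)["\']')
FETCH = re.compile(r'fetch\(\s*["\']([^"\']+)["\'][^{;)]*(?:\{[^}]*?method\s*:\s*["\']([A-Z]+)["\'])?')
JQ_AJAX = re.compile(r'\$\.ajax\(\s*\{([^}]*)')
JQ_SHORT = re.compile(r'\$\.(get|post|getJSON)\(\s*["\']([^"\']+)["\']')
OPT_URL = re.compile(r'url\s*:\s*["\']([^"\']+)["\']')
OPT_METHOD = re.compile(r'(?:type|method)\s*:\s*["\']([A-Z]+)["\']')


def extract_ajax_endpoints(js_source):
    """Return a sorted list of (METHOD, url) pairs referenced by the script."""
    found = set()
    for method, url in XHR_OPEN.findall(js_source):
        found.add((method.upper(), url))
    for url, method in FETCH.findall(js_source):
        found.add((method.upper() or "GET", url))  # fetch() defaults to GET
    for body in JQ_AJAX.findall(js_source):
        url = OPT_URL.search(body)
        if url:
            method = OPT_METHOD.search(body)
            found.add((method.group(1).upper() if method else "GET", url.group(1)))
    for helper, url in JQ_SHORT.findall(js_source):
        found.add(("POST" if helper == "post" else "GET", url))
    return sorted(found)


def state_changing(endpoints):
    """Non-GET endpoints: the first candidates for access-control and CSRF testing."""
    return [ep for ep in endpoints if ep[0] != "GET"]


if __name__ == "__main__":
    for method, url in extract_ajax_endpoints(SAMPLE_JS):
        print(f"{method:7} {url}")
```

Feed it the JavaScript files a target serves (or the scripts ZAP collected) and compare the list against what the proxy actually recorded; every endpoint that appears only in the source is a request the crawl did not trigger.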
WEB Service
A service-oriented architecture (SOA) for easy integration and sharing of data and functionality across systems
Ideal for scenarios where you want to offer data access without exposing the data model and program logic
No page, just a Web interface, accessed over the HTTP protocol
Two types of Web Service
Simple Object Access Protocol (SOAP)
The traditional way of developing Web Services; XML is the only data interchange format
More often adopted by applications that require security
RESTful (Representational State Transfer architecture, REST)
Currently the more lightweight kind of Web Service; JSON is the preferred data interchange format
WEB Service security considerations
- Implement and track identity authentication using an API key or session token
- Authentication is done by the server, not the client (because the client source can be viewed)
- API keys, usernames and session tokens are never sent in the URL (URLs end up in browser history, proxy and server logs, and Referer headers)
- RESTful provides no security mechanism by default and requires SSL/TLS to protect data in transit
- SOAP provides WS-Security, which adds message-level protection (signing and encryption of message parts, end to end through intermediaries) beyond the transport-level protection of HTTPS
- Use OAuth or HMAC for authentication; with HMAC, the client and server share a secret key and the client uses it to compute a keyed hash over each request (the API key identifies which secret to use but is not itself encrypted, and the secret is never transmitted)
- RESTful should allow only authenticated users to use the PUT and DELETE methods
- Use random tokens to prevent CSRF attacks
- Recommended: deploy strict whitelist-based filtering of user-submitted parameters
- Sanitize error messages
- Direct object references should be strictly authorized (e.g., an e-commerce site that uses the product ID as the primary index)
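The HMAC item above, together with the rule that keys and tokens never travel in the URL, is shown concretely in the following added example; it is not code from the course notes or from any particular Web Service framework. The credentials, the header names (X-Api-Key, X-Timestamp, X-Signature) and the 300-second clock-skew window are assumptions made for the example. The client signs the method, path, timestamp and body hash with the shared secret; the server recomputes the MAC, compares it in constant time, and rejects tampered bodies, changed methods and stale replays:

```python
import hashlib
import hmac
import time

# Constructed credentials for the example (not real secrets). The API key only
# identifies the caller; the shared secret stays on both ends and is never transmitted.
CREDENTIALS = {"key_7f3a": b"constructed-shared-secret-do-not-reuse"}
MAX_SKEW_SECONDS = 300  # replay / clock-drift window, an assumed policy value


def canonical_string(method, path, timestamp, body):
    """Bind method, path, time and body into the bytes the MAC is computed over."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), body_hash]).encode()


def sign_request(api_key, secret, method, path, body, timestamp=None):
    """Client side: return the auth headers for one request (nothing goes in the URL)."""
    ts = int(time.time() if timestamp is None else timestamp)
    mac = hmac.new(secret, canonical_string(method, path, ts, body), hashlib.sha256)
    return {"X-Api-Key": api_key, "X-Timestamp": str(ts), "X-Signature": mac.hexdigest()}


def verify_request(headers, method, path, body, now=None):
    """Server side: recompute the MAC and compare in constant time; return (ok, reason)."""
    now = int(time.time() if now is None else now)
    secret = CREDENTIALS.get(headers.get("X-Api-Key"))
    if secret is None:
        return False, "unknown api key"
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False, "bad timestamp"
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "timestamp outside window"
    expected = hmac.new(secret, canonical_string(method, path, ts, body), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking where the first differing byte is (timing side channel)
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False, "signature mismatch"
    return True, "ok"


if __name__ == "__main__":
    body = b'{"role":"user"}'
    hdrs = sign_request("key_7f3a", CREDENTIALS["key_7f3a"], "PUT", "/api/users/42", body)
    print(verify_request(hdrs, "PUT", "/api/users/42", body))                          # genuine request
    print(verify_request(hdrs, "PUT", "/api/users/42", b'{"role":"admin"}'))           # body tampered
    print(verify_request(hdrs, "DELETE", "/api/users/42", body))                       # method changed
    print(verify_request(hdrs, "PUT", "/api/users/42", body, now=time.time() + 3600))  # replayed later
```

The signature is a keyed hash, not encryption: an intercepting proxy can read every header, but without the shared secret it cannot produce a valid X-Signature for a modified request, and the timestamp bound into the MAC limits how long a captured request stays replayable.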
Small White Diary 54: Kali penetration testing, WEB penetration - complementary concepts (Ajax, Web Service)