I. Introduction
Ajax and interactive web services underpin Web 2.0 applications. This technological innovation also brings new security challenges to these applications.
This article introduces methods, tools, and techniques for studying the security problems faced by web applications, and shows how to use Firefox and its plug-ins to discover and locate security vulnerabilities. It covers the following topics:
(1) Web 2.0 application architecture and security issues;
(2) challenges faced by Web 2.0 security assessment, such as discovering hidden calls, web crawler problems, and client-side call logic;
(3) using the Firebug debugging tool to discover XHR (XMLHttpRequest) calls;
(4) using the Chickenfoot tool to simulate the automatic execution of browser events;
(5) using the Firebug debugging tool to set breakpoints and single-step through web applications;
(6) vulnerability detection methods.
II. Overview of Web 2.0 applications
As the next generation of web applications, Web 2.0 integrates many existing technologies. XML-driven web services run on SOAP and XML-RPC, while the REST (Representational State Transfer) architecture brings great convenience to resource-centric web applications. Web 2.0 uses Ajax and rich Internet application components, such as Flash, to provide end users with powerful application interfaces.
The technological innovation of Web 2.0 has a significant impact on web applications and on the communication mechanisms between client browsers and servers. At the same time, it brings new security challenges to web applications.
New worms such as Yamanner, Samy, and Spaceflash can attack the client-side Ajax framework and give attackers new attack methods, endangering the security of sensitive information stored on the client host.
Figure 1: Web 2.0 architecture
As shown in the Web 2.0 architecture in Figure 1, processing in the web browser on the left side can be divided into the following layers:
(1) Presentation layer: HTML/CSS controls how content is displayed in the browser window;
(2) Logic processing layer: JavaScript running in the browser is responsible for executing the business logic and communication logic. Ajax-driven components are located at this layer;
(3) Transport layer: the XMLHttpRequest object provides asynchronous communication between the client browser and the server, together with the XML data exchange mechanism. The XMLHttpRequest object uses the HTTP or HTTPS protocol.
The server components are located behind the server firewall on the right side of Figure 1. They include the deployed web services and traditional web application resources. When an Ajax resource runs in a client browser, it can "talk" directly to XML-based web services and exchange data without refreshing the entire page. This data exchange is transparent to users: they do not notice any page refresh while it takes place. Page refresh and redirection were indispensable parts of first-generation web applications, but in the Web 2.0 era these operations are replaced by asynchronous Ajax operations.
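Because these transport-layer calls happen without any page refresh, an assessment has to observe the XMLHttpRequest object itself to enumerate them. The following is an added example, not code from the original article: it wraps `open` and `send` to record each call, which is the kind of information a debugger's network view exposes. `instrumentXHR`, `FakeXHR`, `demo` and the endpoint paths are hypothetical names constructed for illustration.

```javascript
// Added example: record every XMLHttpRequest call made by page script.
// instrumentXHR and FakeXHR are hypothetical names; FakeXHR is a constructed
// stand-in so the block also runs outside a browser (e.g. under Node.js).
function instrumentXHR(XHRClass, log) {
  const origOpen = XHRClass.prototype.open;
  const origSend = XHRClass.prototype.send;

  XHRClass.prototype.open = function (method, url, async) {
    // Keep the request line on the instance so send() can log it with the body.
    this._trace = { method: String(method).toUpperCase(), url: String(url),
                    async: async !== false };
    return origOpen.apply(this, arguments);
  };

  XHRClass.prototype.send = function (body) {
    // If send() is reached without open(), still record the call.
    const t = this._trace || { method: "?", url: "?", async: true };
    log.push({ method: t.method, url: t.url, async: t.async,
               body: body == null ? null : String(body) });
    return origSend.apply(this, arguments);
  };

  // Return an undo function so the hooks can be removed after the session.
  return function restore() {
    XHRClass.prototype.open = origOpen;
    XHRClass.prototype.send = origSend;
  };
}

// Constructed stand-in for the browser object; performs no network I/O.
class FakeXHR {
  open(method, url) { this.opened = [method, url]; }
  send(body) { this.sent = body === undefined ? null : body; }
}

// In a browser the call would be instrumentXHR(window.XMLHttpRequest, log).
function demo() {
  const log = [];
  const restore = instrumentXHR(FakeXHR, log);
  const a = new FakeXHR();
  a.open("get", "/news/feed.xml");            // constructed sample endpoint
  a.send();
  const b = new FakeXHR();
  b.open("POST", "/ws/profile", true);        // constructed sample endpoint
  b.send("<getProfile><id>7</id></getProfile>");
  restore();
  const c = new FakeXHR();
  c.open("GET", "/after/restore");
  c.send();                                   // not logged: hooks removed
  return log;
}
```

The resulting log lists each endpoint, method and request body the client-side logic used, including calls that never appear as links in the page's HTML.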