tailieunhanh - Ebook Ajax security: Part 1
(BQ) Part 2 of the book "Ajax security" has contents: Attacking client-side storage, offline Ajax applications, request origin issues, web mashups and aggregators, JavaScript worms, testing Ajax applications, analysis of Ajax frameworks.

8 Attacking Client-Side Storage

Myth: The client's machine is a safe place to store data.

There are several security issues when Ajax applications store data on the client. Not only is client-side storage easily viewed or modified by an attacker, client-side storage methods can also leak access to these storage spaces to untrusted third parties. This can allow an attacker to remotely read all offline data stored on the client by an Ajax application. Even security-conscious developers who explicitly avoid putting sensitive data in client-side storage systems can inadvertently do so when they use client-side storage to cache data tables or trees. Only by fully understanding the access methods of each client-side storage method and implementing expiration policies and proper access control can a developer truly secure an Ajax application that utilizes client-side storage.
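The two controls the chapter introduction calls for, an expiration policy and keeping sensitive columns out of a cached data table, as an added example that is not the book's own code. It wraps a Web Storage-style object (window.localStorage in a browser; a constructed in-memory stand-in here so it runs under Node), and the customer table, the CACHEABLE_FIELDS allow-list and the TTL values are all assumptions made for the illustration.

```javascript
// Constructed stand-in for window.localStorage: same getItem/setItem/removeItem
// contract, so the functions below work unchanged against the real browser object.
const memoryStorage = (() => {
  const m = new Map();
  return {
    getItem: k => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: k => { m.delete(k); },
  };
})();

// Allow-list (assumed for this example) of the columns that may be persisted on the
// client. Anything not listed, e.g. ssn or creditLimit, is dropped before storage, so
// caching "the whole table" cannot inadvertently persist sensitive data.
const CACHEABLE_FIELDS = ['id', 'displayName', 'region'];

function projectRow(row, allowed = CACHEABLE_FIELDS) {
  return Object.fromEntries(allowed.filter(f => f in row).map(f => [f, row[f]]));
}

// Store a projected copy of the table together with an absolute expiry timestamp.
function cacheTable(storage, key, rows, ttlMs, now = Date.now()) {
  const entry = { expires: now + ttlMs, rows: rows.map(r => projectRow(r)) };
  storage.setItem(key, JSON.stringify(entry));
  return entry.rows;
}

// Read the cached table back. Expired, corrupt or tampered entries are purged and
// reported as a miss rather than trusted: client storage is writable by the user.
function readTable(storage, key, now = Date.now()) {
  const raw = storage.getItem(key);
  if (raw === null) return null;
  let entry;
  try { entry = JSON.parse(raw); } catch (e) { storage.removeItem(key); return null; }
  if (!entry || typeof entry.expires !== 'number' || !Array.isArray(entry.rows)
      || entry.expires <= now) {
    storage.removeItem(key);
    return null;
  }
  return entry.rows;
}

// Constructed sample rows; the ssn and creditLimit columns must never reach storage.
const SAMPLE_ROWS = [
  { id: 1, displayName: 'A. Example', region: 'EU', ssn: '000-00-0000', creditLimit: 5000 },
  { id: 2, displayName: 'B. Example', region: 'US', ssn: '000-00-0001', creditLimit: 9000 },
];
```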
OVERVIEW OF CLIENT-SIDE STORAGE SYSTEMS

The client-side portions of Web applications have been hobbled from fully participating as major components of an application by four roadblocks:

• Sufficient penetration of (semi-) standards compliant browsers allowing developers to easily write cross-platform client-side programs
• Sufficient penetration of personal computers fast enough to parse and interpret large and complex client-side programs
• A means to transmit data back and forth between the client and server without interrupting the user's experience
• A large, persistent data storage system on the client to persist the input and output of our computations between different pages

The first requirement was satisfied by time as Web standards matured and Web developers and users pressured the browser manufacturers to conform to standards. It is now far easier to write cross-browser JavaScript than in the Web dark ages of the 1990s. Moore's Law, which states computing power doubles every 18 months, took care of the second requirement. Modern .