Here are posterous posts filed under ajax...

tynken says...

AJAX is a great tool and has provided web developers with the opportunity to create wonderful, engaging applications that work better than anything else preceding them. By requesting information asynchronously, one can develop applications that function very much like traditional, installed applications. The resulting application has lower development costs, no distribution costs, lower support costs, and can be integrated with more, 3rd party applications than a traditional installed application.

However, AJAX has a new set of problems to be handled in order to have a safe, secure application. Let’s look at two basic things that have to be done in order to make it work right.

Request Hijacking and Spoofing

One of the most basic attacks and problems to an AJAX system is simply the sending of requests to the server directly. While this doesn’t seem to be an issue – it’s huge. Why? Because they can screw up your database, put items in a shopping cart, change pricing, and more.

Let’s look at a quick example, you are running Bob’s Micro-Dog Supplies website. It has a great AJAX interface that is smooth and beautiful. When people add items to the cart it is all done in AJAX. Here’s where the problem comes in. When they check out, you call the following URL  https://www.bobsmicrodog.com/checkout.php. In the POST variables you list the products, the quantity, the price each, and the total price. Sounds great, right? Wrong.

By submitting to the URL with different POST data I could buy the entire order for pennies. Remember, your URLs are only slightly hidden.

How to fix it

Use AJAX for user interface and non-consequential data management. Pricing and ordering are not inconsequential. A better way would be for the server to have the cart and data and the AJAX version simply make references to it. Anything that is of consequence should be maintained and controlled by the server.

Authentication

The next issue is maintaining authentication. Unfortunately for bobsmicrodog.com, their application had a login script that returned the rights via JSON to the browser. This allowed for a great user experience – it was fast. However, bobsmicrodog.com never checked anything again. If the user could click on a link, the server would accept the information. Too bad that little Johnny learned the URL to send, and now they have all the customer information because little Johnny Hacker got into the private side of the site.

How to fix it

Not only must you store all information of consequence on the server, you must also assume that every request to the server is illegitimate. Store security information in a database on the server and verify that the user is who they say they are and that they have the rights to do what they are requesting. Don’t assume that the request can’t be sent via any other method.

You’re not there yet. Because there are sneaky people around, you need to go another step forward. One of bobsmicrodog.com’s visitors is ordering while at a coffee shop with wifi. Little Johnny Hacker is sitting in the coffee shop with a sniffer and discovers the customer. Now they have session info, user keys, and whatever else was posted on the requests. So they form a URL with the session information and maybe other details in the query string or in the POST data. Bobsmicrodog has modified their system so they check the session and recheck the rights for that user. Oops, now they have Little Johnny Hacker masquerading as the legitimate customer.

How to fix it

You not only have to check the session information, you need to make sure you know where the requests are coming from. Verify the IP address along with the session information. You may have a case, however, where the IP address is shared among all users (like behind a proxy server). In that case, checking the IP may not be sufficient and you are going to have to be more creative.

The best thing to do is to not use the standard session mechanism but set up your own authentication system to keep track of who is logged in and where. Sessions are automatically created by the server which makes spoofing a session ID easy. Avoiding using sessions in the traditional sense prevents this issue from coming up.

Summary

AJAX applications need to be rethought. It’s not a matter of just calling your standard processing script using AJAX calls. The security issues are more numerous with an AJAX application. You need to do more verification of access rights than you would do with a standard application. You need to have a much safer method of verifying user identity than you would with a standard web application.

Filed under: ajax

HikiCulture says...

To all of you people out there who are still using a clunky old Java IRC chat-box on your site - I urge you to switch to QwebIRC.

QwebIRC uses Ajax, is light on resources, is open-source and can easily be embedded on your website.

Check QwebIRC out here:

http://www.qwebirc.org/

Filed under: Ajax

Bob says...

Click here to download:
U14_AA._Ajax_7_Whitby_4._Nov._.zip (3147 KB)

Filed under: Ajax

Tocki says...

Filed under: Ajax

Octofirst Business Portfolio Wordpress 4 in 1
Octofirst 2 Theme features: easy to customize, theme options panel with color picker included, custom write panels, drop down menus, etc

 

Filed under: ajax

simonbowen says...

Recently I have had to do some cross domain AJAX for the first time. To do this I had to use "JSONP", something that I had heard of, but not had to use before. I must have been living under a rock or something for the past couple of years.

JSONP or "JSON with padding" is a JSON extension wherein a prefix is specified as an input argument of the call itself. This padding prefix is typically the name of a callback function, but may also be a variable assignment, an if statement, or any other Javascript statement prefix.

Wikipedia

OK, admittedly that didn't mean too much to me when I first read it. I'm a little slow, and not really at the cutting edge of AJAX technologies anymore. From what I can work out, on the page that you make the call from, you have some AJAX that calls your server script, a PHP script for example. You pass that script the data you want to send as well as a callback function that you want to run, which is sitting on your client page. See below for an example.

// I've written this in jQuery, because it's what I use and easy to follow
// The callback has to be a global function: the server's reply is executed
// as a script that calls it by name
function callback_function(data) {
    alert(data.md5_string);
}

// AJAX request: the server replies with callback_function({...})
$.getJSON('http://domain.com/jsonp.php?var=test&c=callback_function');

Right, that makes a call to jsonp.php (or whatever your script is), it passes through the variables that you want to pass, in this case "var". It specifies the callback, which is defined in the same place as the AJAX call is made, as shown.

This is an example of what jsonp.php could be

<?php
$var = $_GET['var'];
// json_encode() takes an array, not a bare key => value pair
$data = json_encode(array('md5_string' => md5($var)));
echo $_GET['c'].'('.$data.')';

This code gets injected into your initial page, and when it is injected it runs the callback function on that page. In this case, when the AJAX is fired, it passes a variable to jsonp.php along with the callback function name, jsonp.php returns the 'callback string', and the function is fired. In this case the callback function alerts the response, an MD5 string of the variable that we sent.

What I actually do

With jQuery, you don't have to specify a specific callback function when you run the AJAX call. Instead of passing through a function name, pass through a question mark, which is a "?", just in case you didn't know what one is.

What this does is allows you to effectively use an anonymous function, which is specified in the AJAX call itself. So, for example

$.getJSON('http://domain.com/jsonp.php?var=string&c=?', function(response){
    alert(response.md5_string);
});

Filed under: ajax

softworkr says...

30+ Javascript/Ajax Techniques for Sliders, Scrollers and Scrollbars

Sliders (very 2.0), scrollers (useful) and scrollbars (less useful).

Filed under: ajax

fedmor says...

Filed under: AJAX

I hate when Google gets bad press, even if it's from an obscure group of web geeks.

Sure, this dirt isn't nearly as tawdry as a Gmail outage, Chinese firewalls or the roller coaster ride that is Google's stock price.  But speaking as a recovering web geek myself: oh, it's bad, baby...

It seems that the jQuery project has decided to drop Google Groups as its de facto discussion board and mailing list for over 20,000 web developers worldwide. For the uninitiated, jQuery is "a fast and concise JavaScript Library that simplifies HTML document traversing, event handling, animating, and Ajax interactions for rapid web development."* In layman's terms, jQuery is a way to make web sites act like Flash without actually using Flash, a browser technology that makes web sites look and act pretty but has a vexed history of bad browser behavior.

John Resig, jQuery's creator and lead developer, broke the news on his blog this week, leaving web designers to wonder "Now what?" while the rest of the world thinks "So what?"  Wired's Webmonkey blog and Slashdot (yes, good ol' Slashdot) also weigh in on the war of words.  In a nutshell, Resig is displeased with Google Groups' inability to stave off spam:

As far as I'm concerned, Google Groups is dead.... This post isn't so much about the usefulness of mailing lists as a discussion medium, it's the complete failure of Google Groups as an adequate purveyor of public discussion software. For the jQuery project we're already in the process of moving the full discussion area to a forum that we control.... There is one area in which Google Groups continues to shine: Private, or restricted, mailing list discussions. However any attempts at using it for a public discussion medium are completely futile.... The primary problem with Google Groups boils down to a systemic failure to contain and manage spam. Only a bottom-up overhaul of the Google Groups system would be able to fix the problems that every Google Group faces.

The comment threads are flaming hot on jQuery's abandoning ship -- one of the largest on Google Groups.  And while Google is yet to respond formally, I eagerly await their next move.  Ironically, Google employs jQuery across a number of its web properties, namely Google Code and -- you guessed it -- Google Groups.  Personally, I relied more on the jQuery documentation wiki than boards and lists, but that's just me.

Back when I designed web sites for sport, I grooved on jQuery's logic and efficiency.  Community support was weak at first but gained groundswell quickly.  Competing JavaScript frameworks like Prototype, MooTools and Yahoo! UI worked more like Flash and were simpler to learn, but jQuery was so damn clean and the robust UI libraries evolved so well that I couldn't resist adopting it like a puppy.  Tens of thousands of web developers now roll with it, and even marquee sites like Amazon, Microsoft, Twitter and Bank of America infuse jQuery.

Casual web users won't care, and why should they? Unless you code for a living, this is pretty dull stuff and overshadowed by the wealth of positive coverage in recent days resulting from Google Wave (myself, I'm still not sold), Google Voice (the FCC is really not sold) and Google Maps turn-by-turn navigation ("sold," to the chagrin of Garmin and TomTom). The issue of jQuery developers getting spammed on Google Groups whenever they can't chain together an AJAX event handler is pretty much a non-issue to everyday folk and a dead letter to mainstream media.

Of course, if the world's biggest search engine can't appease the very crowd of said geeks that continues to make Google -- heck, the entire web -- the success story that it is, then maybe it's worth a second glance.  After all, you never know when a Facebook or a Bing might one day woo those developers with: "Aww, Google gotcha down?  We understand how busy they can be.  Care to step into our spam-free kitchen?"

* From the jQuery.com home page.

Filed under: ajax

BTE says...

8 Wordpress Blog Theme Design Considerations

Most blogging platforms offer a wide variety of different themes to chose from, and most can be altered and edited to suit your needs, or left alone exactly as they are. Some themes are plain and dull while others are colorful, modern and inspiring. There are thousands of themes out...



Filed under: ajax