Public Relations in the Age of New-Media!

PR on Ulitzer

Subscribe to PR on Ulitzer: eMailAlertsEmail Alerts newslettersWeekly Newsletters
Get PR on Ulitzer: homepageHomepage mobileMobile rssRSS facebookFacebook twitterTwitter linkedinLinkedIn


PR Authors: Nina Moon

Related Topics: RIA Developer's Journal, Enterprise Mashups, Security Journal, AJAX World RIA Conference, PR on Ulitzer

RIA & Ajax: Article

AJAX Security

Proper methods and best practices

In biology they are called proviruses, chunks of malicious genetic code encased by proteins. When one invades a cell, it embeds itself in the host's own genes. Treated as the cell's own DNA, the viral DNA lies dormant, undetected. Then, something flips the switch .The viral code is opened up and parsed, initiating the events that form a new generation of hundreds or thousands of copies, destroying the original host cell, and ready to continue the cycle.

Whether for a living cell or an AJAX application, effective security can be a matter of life or death. And whether the invader is a piece of viral DNA or a string of evil-minded code, the effects can be devastating. This article will discuss how such code can break into a Web application, embed itself in the application's data, and quickly spread elsewhere, much as a virus does. In each of these situations the article will present proper methods and best practices that can help beat the invading code. For our application we will imagine a social tagging site like a simpler Del.icio.us. The bad code in question will take various forms, and will be called either malicious code, exploit code, or simply exploit.

First, I should explain why the analogy of a cell is used. In many ways, these tiniest entities of life are very similar to Web applications, with many shared similarities.

Both:

  • May store and use massive amounts of data (organic molecules or electronic databases).
  • Periodically retrieve and use that data to carry out tasks.
  • Modify the data, (gene regulation or database queries such as ‘insert' and ‘update')
  • Security isn't a laughing matter for a cell or a Web app.

Security first takes effect at an application's entry points, the gates of the fortress, the receptors on the cell. Until recently, most of the external input a typical Web app got came from data manually entered by people, whether through forms or entering URLs. With the advent of public APIs, Web Services, and mashups, communication between Web sites has become commonplace. To start, let's go over some ways our social tagging application gets input:

  • Data for user profiles
  • Creating or updating lists of tags
  • Adding/categorizing Web sites or pages
  • Any "social" interactions
    -  Managing friends
    -  Sharing tags or links
    -  Rating items or sending recommendations
  • Data sent in through its public API

Each of these actions or events can pose a threat to our tagging application since they all involve a change to the data. It's here that an exploit starts its journey.

Let's go back to the cell analogy. Viruses never actively hunt or chase a cell, they simply move about until they bump into something that fits them. Small variations in the genes can make one variant of the virus more successful at its job than others. It's natural selection at its most efficient. But what significance does this have for security?

More Stories By Tamreen Khan

Tamreen Khan is the architect of the jPOP framework and founder of Scriptex Labs. He has experience at using PHP in both classic and unconventional ways. Tamreen continues to develop the framework as well as taking on new challenges, lately it has been procedurally generating Javascript code.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.