In my previous developerWorks article, "Performance Ajax tools," I talked about how you can reduce the number of HTTP requests so you can track down I/O disk issues, analyze network traffic, discover excessive calls, reduce memory consumption, and solve other performance problems.
In this article, you'll learn about Ajax security tools that you can use to scan for SQL injection and cross-site scripting vulnerabilities, to set a master password, and to restore the state of all windows after crashes. You'll take a look at tools and utilities that check that the Web sites your applications link to are not on block lists, and that help prevent hackers from altering browser functionality, defacing Web applications, and achieving other malicious results. The utilities are divided into three types within the article: hardening tools, Firefox tools, and Firefox add-ons.
This section covers Ajax Secure Service Layer (aSSL), a tool to secure chats and blogs; HTMLProtector, which is used to protect your Ajax Web pages from visitors who want to steal your source code and images; and Acunetix Web Vulnerability Scanner, which is used to scan for and fix problems caused by SQL injection and cross-site scripting. Before you link to other Web sites from your Ajax pages, you can use the AjaxDNS tools to make sure those links are not on a block list. (Consider using Despoof, an open source, command-line anti-spoofing utility that detects IP spoofing; see Resources.)
aSSL, a library distributed under the MIT license, is an open source Ajax version of SSL that works without HTTPS. Because the transport is plain HTTP, aSSL in the browser cannot verify SSL certificates the way SSL does. Instead, aSSL uses the RSA algorithm to let the client negotiate a random 128-bit key with one or more servers. Once the connection has been established, the tool uses the AES algorithm to send and receive data. aSSL is better suited to securing non-critical sites, such as chats and blogs that pass through firewalls, because these sites do not require SSL certificates.
aSSL starts the process when the browser calls the server. After the server receives the call, it returns its RSA modulus. Next, the browser generates a random 128-bit exchange key, encrypts it with the server's public key, and passes the encrypted exchange key to the server. The server receives the encrypted exchange key and decrypts it with its private key. Finally, the browser receives the session duration and sets a timeout to keep the connection alive.
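The negotiation described above, as an added example that is not aSSL's own code: a server hands out its RSA modulus, the browser encrypts a fresh 128-bit exchange key under it, the server recovers the key and returns the session duration, and the browser records when it must renegotiate. The RSA parameters (the Mersenne primes 2**89-1 and 2**127-1, textbook RSA without padding) are constructed for a self-contained demo, and the AES data phase that follows the handshake is not shown.

```python
import secrets
import time

# Constructed RSA parameters (assumption, not aSSL's): the Mersenne primes
# 2**89-1 and 2**127-1 give a modulus large enough to hold a 128-bit key.
E = 65537
P = 2**89 - 1
Q = 2**127 - 1

class Server:
    """Holds the RSA key pair and the exchange key agreed for the session."""
    def __init__(self, session_seconds=300):
        self.n = P * Q
        self.d = pow(E, -1, (P - 1) * (Q - 1))   # private exponent
        self.session_seconds = session_seconds
        self.exchange_key = None

    def modulus(self):
        # Step 1: the server answers the browser's first call with its modulus
        return self.n, E

    def receive_exchange_key(self, ciphertext):
        # Step 3: recover the 128-bit exchange key with the private exponent
        self.exchange_key = pow(ciphertext, self.d, self.n)
        # Step 4: tell the browser how long this session key stays valid
        return self.session_seconds

class Browser:
    """Client side of the negotiation; AES traffic (not shown) would use the key."""
    def __init__(self):
        self.exchange_key = None
        self.expires_at = None

    def negotiate(self, server):
        n, e = server.modulus()
        # Step 2: fresh random 128-bit key, encrypted under the server public key
        self.exchange_key = secrets.randbits(128)
        ciphertext = pow(self.exchange_key, e, n)
        seconds = server.receive_exchange_key(ciphertext)
        # Step 5: remember the session duration so a timeout can renegotiate
        self.expires_at = time.monotonic() + seconds
        return self.exchange_key

    def needs_renegotiation(self):
        return self.expires_at is None or time.monotonic() >= self.expires_at

if __name__ == "__main__":
    srv, client = Server(), Browser()
    print(client.negotiate(srv) == srv.exchange_key)   # True
```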
HTMLProtector goes beyond firewalls by helping you protect the content of the Web sites you run on servers. You decide what needs to be protected on the client side before you send the protected Web pages to the server. HTMLProtector helps you:
- Prevent visitors from viewing and printing your source code.
- Stop spam robots from extracting e-mail addresses from your pages that hackers could use to send spam e-mails.
- Stop visitors from using automated downloading programs to download your entire Web site to their hard drive.
- Prevent e-mail links from appearing in the Status Bar when visitors hover their mouse over a link in your Web site. You can choose to protect just the BODY section, just the HEADER section, or both sections of your pages.
Better yet is that HTMLProtector lets you protect your pages with a password. Just make sure the password you give to authorized visitors is a strong one that would be difficult for unauthorized visitors to guess. If an unauthorized visitor attempts entry with an incorrect password, you can choose to display a blank page, redirect to a different URL, or go back to the previous page. You can also choose to disable browsers from saving your page to local cache, further deterring hackers.
Acunetix Web Vulnerability Scanner Free Edition
Acunetix Web Vulnerability Scanner (AWVS) Free Edition is a tool that looks for SQL injection and cross-site scripting vulnerabilities within applications so that you can fix the problems before they are exploited. (A hacker can exploit a SQL injection vulnerability to modify SQL commands and gain access to data in a database. Cross-site scripting attacks allow hackers to embed a malicious script in your visitor's browser and then execute the script in order to gather data.)
Acunetix Web Vulnerability Scanner Free Edition also runs Google Hacking Database queries against the crawled content of your Web site and identifies sensitive data or exploitable targets. When the query results show that data can be exploited, be sure to fix the problem before a search-engine hacker finds and exploits it. (Make sure you do your tests in a testing environment, not a production one.)
Acunetix's three advanced penetration testing tools — HTTP Editor, HTTP Sniffer, and HTTP Fuzzer — can help you fine-tune Web application security checks. Following is a description of what the tester can do with each tool:
| Tool | Description |
|---|---|
| HTTP Editor | Construct HTTP/HTTPS requests and analyze the Web server response. |
| HTTP Sniffer | Intercept, log, and modify all HTTP/HTTPS traffic and reveal all data sent by a Web application. |
| HTTP Fuzzer | Perform sophisticated testing for buffer overflows and input validation. Test thousands of input variables with the rule builder. |
By using the scanner tool, you can discourage or prevent a hacker from achieving malicious results, such as:
- Identity theft
- Accessing sensitive or restricted information
- Gaining free access to otherwise paid-for content
- Altering browser functionality
- Defacing Web applications
- Denial of Service attacks
- Public defamation of an individual or corporation
AjaxDNS Tools can be handy for making a quick check on the security of the Web sites linked from your Ajax applications. These tools are listed below, with an explanation of what you can do with each of them:
| Tool | Description |
|---|---|
| WhoisSearch | Get information about the owner of a domain name, unless this information is not permitted to be viewed. |
| RBL Search | Search for Web sites in the server running Reputation and Block Lists (RBL) and ensure the linked sites in your Ajax applications are not included in these lists. |
| Ping | Get information on how long it takes for packets to reach a host. If the ping cannot get through a host's firewall, the host is unreachable. |
To take advantage of command-line options, you can download Whois from Microsoft®, or use the whois command on Linux®/UNIX® systems.
Despoof is another security tool you can use to detect spoofed packets among those carrying your Ajax applications across networks. If you receive a packet that you suspect is spoofed, try to determine the real Time-to-Live (TTL) of the packet and compare it with the TTL of the packet you received.
Before using the Despoof tool, confirm that you have libpcap 0.4 and libnet 1.0 (or the latest versions) on your machine. Use the commands in Listing 1 to unpack the files, change to the despoof directory, and then build Despoof:
Listing 1. Installing Despoof
```sh
# tar xvzf despoof*tgz
# cd despoof*
# gcc `libnet-config --defines` -o despoof despoof.c -lnet -lpcap
```
To run Despoof, enter the command in Listing 2:
Listing 2. Running Despoof
```sh
# ./despoof -h
```
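The TTL comparison described above, as an added example that is not Despoof's own code: it infers the hop distance implied by a received packet's TTL from common default initial TTLs (32, 64, 128 and 255, an assumption; operating systems vary) and compares it with a hop count measured separately to the claimed source, flagging rows where the two disagree by more than a tolerance. The capture rows are constructed.

```python
# Default initial TTLs commonly used by operating systems (assumption).
INITIAL_TTLS = (32, 64, 128, 255)

def infer_hops(ttl_seen):
    """Pick the nearest default initial TTL at or above the observed value
    and return (initial_ttl, hops_traversed)."""
    for initial in INITIAL_TTLS:
        if ttl_seen <= initial:
            return initial, initial - ttl_seen
    raise ValueError("TTL out of range: %r" % ttl_seen)

def looks_spoofed(ttl_seen, measured_hops, tolerance=2):
    """Compare the hop count implied by the received packet's TTL with the
    hop count measured to the claimed source (e.g. by an active probe).
    A large mismatch suggests the packet did not come from where it claims."""
    _, implied = infer_hops(ttl_seen)
    return abs(implied - measured_hops) > tolerance

# Constructed sample capture: (claimed source, TTL in received packet,
# hop count measured to that source).
SAMPLE = [
    ("10.0.0.5", 61, 3),    # consistent: 64 - 61 = 3 hops
    ("10.0.0.9", 120, 19),  # inconsistent: implies 8 hops, measured 19
]

def check_capture(rows):
    """Return (claimed source, suspicious?) for each captured row."""
    return [(src, looks_spoofed(ttl, hops)) for src, ttl, hops in rows]

if __name__ == "__main__":
    for src, flagged in check_capture(SAMPLE):
        print(src, "suspicious" if flagged else "consistent")
```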
You can use Firefox tools to set your master password and privacy options.
You must enter a master password to gain access to saved passwords, as well as to stored Web form data and private keys. Follow these steps to assign a new master password:
- Click Options under the Tools menu.
- Under the Security tab in the Options dialog, go to the Passwords section.
- Check the box to use a master password.
- In the Change Master Password dialog, enter a new password and then confirm it by re-entering the password.
As you type each character of the new password, green blocks are added to the password quality meter. The stronger the password, the fuller the meter; the password is strongest when the entire meter is filled with green blocks.
When the system confirms that the passwords you entered match, you will see a message box that the master password has been successfully changed. (Be sure to remember the master password or you will be unable to access any information protected by it!)
Let's take a look at cookie exceptions and clearing your private data. Click Options under the Tools menu and then go to the Privacy tab. In the Cookies section, you can accept cookies from all sources or from only some. Click Exceptions to specify which Web sites are always or never allowed to use cookies. Type the exact address of the site you want to manage and then click Block, Allow for Session, or Allow. When you are done, click Close.
When you allow Firefox to accept cookies from sites, you can choose how long to keep them: until the cookies expire, until you close Firefox, or have Firefox ask you every time.
To set an expiration time for browsing history, go to the History section. By default, the box is checked so that Firefox remembers visited pages for the last 20 days; if you think that period is too long or too short, you can change it.
Three very useful Firefox extensions are Session Manager (restores the state of all windows after crashes), Homeland Security Threat Level (displays the current level in the status bar), and WiKID (functions as an alternative to passwords and certificates).
Session Manager saves and restores the state of all windows either on demand or automatically at startup and after crashes. It lets you reopen the accidentally closed windows and tabs. Session Manager can encrypt session data stored in session files as well as the closed window file. To enable this feature, do the following:
- Go to Session Manager under Tools.
- Click Session Manager Options.
- In the Encryption section, put a check in the box to encrypt saved and closed windows. Firefox warns you that if you have set a master password, you must enter the password to encrypt or decrypt sessions.
- Click OK.
If Firefox crashes, it asks you if you want to restore the last session when you start it up again. Session Manager gives you the option to restore not only the current browsing session, but any session you want. It is unlikely that you would want to disable Crash Recovery on the SessionStore tab in the Session Manager Options dialog.
This extension replaces SessionSaver and Tab Mix Plus' session manager. It stores more data than both of them. It is not recommended to have more than one session-related extension installed.
Homeland Security Threat Levels
This extension displays the current U.S. Homeland Security Threat Level (Severe, High, Elevated, Guarded, and Low) as an icon in the status bar, allowing you to see the threat level at a glance.
The WiKID Strong Authentication System is a commercial/open source software-based, two-factor authentication solution. WiKID is designed to be a secure alternative to tokens, certificates, and passwords. This Firefox extension uses semantic Web technology to automatically enter the one-time password for a user. The WiKID token supports multiple WiKID domains, eliminating the need for a token 'keychain'.
This article helps you plan ahead to improve the security of your Ajax applications, whether the risk lies on servers, on the client side, or in the network. Because security is critical not only to developers but also to testers, system administrators, and potential users, being aware of and resolving potential security issues before they happen can make your development team's and your users' experiences trouble-free.
Learn
- The entire series by Judith M. Myerson offers information on how to work with Web services in enterprise-wide SOAs.
- Learn more about aSSL, HTML Protector, AjaxDNS tools, and Despoof.
- Get details on Mozilla Firefox.
- Want more information on Ajax tools? Read about them in "Survey of Ajax tools and techniques" (Gal Shachor, Yoav Rubin, Shmulik London, Shmuel Kallner, developerWorks, July 2007).
- Read Judith M. Myerson's The Complete Book of Middleware, which focuses on the essential principles and priorities of system design and emphasizes the new requirements brought forward by the rise of e-commerce and distributed integrated systems.
- Get the business insight and the technical know-how to ensure successful systems integration by reading Enterprise Systems Integration, Second Edition.
- Bring your organization into the future with RFID in the Supply Chain which explains business processes, operational and implementation problems, risks, vulnerabilities, and security and privacy.
- Visit the technology bookstore for books on these and other technical topics.
- Check out the Ajax Resource Center, your one-stop shop for information on the Ajax programming model, including articles and tutorials, discussion forums, blogs, wikis, events, and news. If it's happening, it's covered here.
Get products and technologies
- IBM trial products for download: Build your next development project with IBM trial software, available for download directly from developerWorks.
Discuss
- Participate in the discussion forum.
- developerWorks blogs: Get involved in the developerWorks community.