Skip to main content

By clicking Submit, you agree to the developerWorks terms of use.

The first time you sign into developerWorks, a profile is created for you. Select information in your developerWorks profile is displayed to the public, but you may edit the information at any time. Your first name, last name (unless you choose to hide them), and display name will accompany the content that you post.

All information submitted is secure.

  • Close [x]

The first time you sign in to developerWorks, a profile is created for you, so you need to choose a display name. Your display name accompanies the content you post on developerworks.

Please choose a display name between 3-31 characters. Your display name must be unique in the developerWorks community and should not be your email address for privacy reasons.

By clicking Submit, you agree to the developerWorks terms of use.

All information submitted is secure.

  • Close [x]

Improve web application security with jQuery Mobile

Learn how to secure your mobile applications

John Leitch (john.leitch5@gmail.com), Application Security Consultant, Freelance
John Leitch is an independent application security consultant living in Grand Rapids, Michigan. Working primarily with web applications, he specializes in fuzz testing, dynamic analysis, and code review. Always on the hunt for bugs, he frequently releases vulnerability advisories.

Summary:  Many web developers consider security a low priority. Security is frequently relegated to the end of the software development life cycle, as little more than an afterthought. Sometimes, software security is neglected entirely, resulting in applications rife with common vulnerabilities. Because such bugs might manifest only under conditions present during an attack, they can be hard to detect prior to such events without knowledge of how the exploitation process works. Using a web application built with jQuery Mobile, PHP, and MySQL, this tutorial shows how many types of vulnerabilities occur along with common methods of exploitation and, most importantly, their respective countermeasures.

Date:  03 May 2011
Level:  Intermediate PDF:  A4 and Letter (186 KB | 34 pages)Get Adobe® Reader®

Activity:  45533 views
Comments:  

Before you start

This tutorial is for jQuery Mobile developers interested in securing their applications. It assumes that the reader has basic knowledge related to web application development using PHP, MySQL, JavaScript, XHTML, and CSS. Also, this tutorial is in no way comprehensive; it is intended as an introduction to web application security. For further reading on the issues covered here, plus other relevant topics, check Resources.

About this tutorial

Frequently used acronyms

  • API: Application program interface
  • CSRF or XSRF: Cross-site request forgery
  • CSS: Cascading Stylesheets
  • HTML: Hypertext Markup Language
  • HTTP: Hypertext Transfer Protocol
  • OS: Operating system
  • SQL: Structured Query Language
  • URL: Uniform Resource Locator
  • W3C: World Wide Web Consortium
  • XHTML: Extensible Hypertext Markup Language
  • XML: Extensible Markup Language
  • XSS: Cross-site scripting

With the rise of smart phones and similar devices, web application security has been broadened to include mobile applications. Because of the constraints imposed by the interfaces of many such devices, developers sometimes work with the flawed assumption that client-side input validation is sufficient for protection against attacks. However, requests sent by mobile applications can be manipulated in the same way as traditional web applications. Because of this vulnerability, the client cannot be trusted. With sensitive data sometimes stored on devices and the servers that they use, the protection of users from black-hat hackers is critical. This tutorial shows how several types of vulnerabilities occur and some of the countermeasures that can be put in place to mitigate attackers trying to exploit them. The following types of vulnerabilities are covered:

  • Cross-site scripting
  • Cross-site request forgery
  • Broken access control
  • SQL injection
  • File inclusion
  • OS command injection
  • Scripting language injection
  • Arbitrary file creation

All vulnerabilities and countermeasures are demonstrated using a sample application built with jQuery Mobile, PHP, and MySQL. (See Download for a .zip file with the sample code.)


Prerequisites

You will need the following tools to complete this tutorial:

  • Web server — You can use any web server with PHP support. Many of the exploits throughout this tutorial are Windows specific, but they can be adapted for other operating systems. Suggested web servers are Apache or the IBM HTTPServer.
  • PHP — Because some attacks described do not work against the latest version, PHP 5.3.1 was used. Such incompatibilities are noted throughout the tutorial.
  • MySQL — This tutorial uses MySQL, an open source database. Version 5.1.41 was used for this tutorial, but other versions should work fine.
  • Web debugging proxy — Because a way of manipulating HTTP requests is necessary, a web debugging proxy is very helpful. Throughout this tutorial, Fiddler v2.3.2.4 is used, but any other web debugger proxy that allows for modification of requests works.
  • jQuery Mobile — The front end of the sample application built in this tutorial uses jQuery Mobile 1.0 Alpha 3.

See Resources for helpful links.

1 of 14 | Next

Comments



Help: Update or add to My dW interests

What's this?

This little timesaver lets you update your My developerWorks profile with just one click! The general subject of this content (AIX and UNIX, Information Management, Lotus, Rational, Tivoli, WebSphere, Java, Linux, Open source, SOA and Web services, Web development, or XML) will be added to the interests section of your profile, if it's not there already. You only need to be logged in to My developerWorks.

And what's the point of adding your interests to your profile? That's how you find other users with the same interests as yours, and see what they're reading and contributing to the community. Your interests also help us recommend relevant developerWorks content to you.

View your My developerWorks profile

Return from help

Help: Remove from My dW interests

What's this?

Removing this interest does not alter your profile, but rather removes this piece of content from a list of all content for which you've indicated interest. In a future enhancement to My developerWorks, you'll be able to see a record of that content.

View your My developerWorks profile

Return from help

static.content.url=http://www.ibm.com/developerworks/js/artrating/
SITE_ID=1
Zone=XML, Open source, Web development
ArticleID=651335
TutorialTitle=Improve web application security with jQuery Mobile
publish-date=05032011
author1-email=john.leitch5@gmail.com
author1-email-cc=nancy_hannigan@us.ibm.com

Tags

Help
Use the search field to find all types of content in My developerWorks with that tag.

Use the slider bar to see more or fewer tags.

Popular tags shows the top tags for this particular content zone (for example, Java technology, Linux, WebSphere).

My tags shows your tags for this particular content zone (for example, Java technology, Linux, WebSphere).

Use the search field to find all types of content in My developerWorks with that tag. Popular tags shows the top tags for this particular content zone (for example, Java technology, Linux, WebSphere). My tags shows your tags for this particular content zone (for example, Java technology, Linux, WebSphere).

Try IBM PureSystems. No charge.