31/08: AJAX Security
Category: Development
Posted by: Editor
Asynchronous JavaScript And XML (AJAX) Security
AJAX is becoming more popular as the web demands seamless use, but security issues come to the forefront as a result.
Security should always be at the forefront of any web application, especially one backed by databases containing user information. Whilst AJAX is delivering some of the best interactive web experiences in years, the traffic between client and server now needs the same scrutiny as a conventional form post: every XMLHttpRequest is just an HTTP request, and anything the page's script can send, a user with their own HTTP client can send too, with whatever values they like.
AJAX can produce many concurrent requests between the client and the server. One click on an AJAX-enabled web page could fire off any number of requests, and each one is a separate entry point into your server-side code that must be authenticated and validated on its own.
With PHP, AJAX can be implemented in a reasonably secure fashion, although planning is still the most vital aspect of developing any secure AJAX web application (as well as testing, of course).
Producing Secure AJAX PHP web applications simply
One of the simplest ways to raise the baseline is to use SSL certificates on your web server. Once you have a secure web server configuration, implement PHP sessions and validate the session on every AJAX request, exactly as you would for a normal page load. Then ensure all of your AJAX requests go to the secure server (https://) and that the session cookie is flagged Secure, so the browser never sends it over plain http://.
With SSL certificates any information passed between the client (web browser) and the server (web server) is encrypted and integrity-protected in transit, so a network sniffer cannot read the session cookie or the request data. It is sometimes claimed that this makes the application secure; it does not. SSL protects the connection, not the code behind it: an attacker can still send any request they like down the encrypted channel, so every handler must still authenticate the session and validate its input. Another alternative certificate provider is CAcert, which issues free SSL certificates to the community, although its root certificate is not shipped in the major browsers, so visitors will see a certificate warning unless they have installed it themselves.
The problem with this is scalability. What if you are a small business and don’t have the resources to employ an SSL capable web server, the technical ability to implement SSL correctly or the cash to purchase these services? Well at this stage of the game you will be stuck if you want to implement AJAX on your web site with a near to nothing budget.
This doesn’t help the uptake of AJAX for web applications and is already slowing the deployment of AJAX to the majority of web sites. It is surprising how many web sites out there are still stuck in the 90’s.
Why AJAX? The reason for AJAX’s increased deployment is the advent of web2.0. With web2.0 your web site is supposed to be conversant and highly interactive. This is not just a fad of the techies within web development, but realised directly as a result of people using the web. People visiting your web site now expect to be entertained and involved. Even the most boring of web sites can now provide interaction for the site visitor. Like predictive text on a mobile phone, Google have Google Suggest (http://www.google.com/webhp?complete=1&hl=en), just one example of an interactive web 2.0 application.
Producing Secure AJAX PHP web applications thoroughly
Ok, so SSL and sessions can greatly improve your AJAX security, but you can go even further.
Even without an SSL certificate you can improve the integrity of your AJAX traffic with PHP by authenticating the communication strings between the client and the server with a keyed hash (an HMAC). Be clear about what this does and does not give you: a hash is not encryption, so it provides nothing like SSL's confidentiality. What it provides is a way for the server to tell that a request was produced by a client holding the session key and has not been tampered with in transit. The recommendation to obtain an SSL certificate for your web application still stands.
All data between the client and the server can be serialised and signed in this way. Use a standard algorithm (PHP's hash_hmac() with SHA-256, for instance) rather than a proprietary one; home-grown hash functions are exactly the component that fails first under review. With the additional use of sessions within PHP you can then start to see how robust this type of solution can become.
The phpclass "class hash crypt" on http://www.phpclasses.org/browse/package/2982.html shows how such a scheme can be put together, but treat it as a study aid and do not invent your own hash algorithm for production use.
Continuing with signed strings: when a client starts a session, generate a random key, store it in the server-side session and hand it to the client. The client-side script then computes the HMAC of each request with this key and sends the HMAC alongside the data. The server picks up the request, checks the session exists, recomputes the HMAC with the key stored in the session, compares the two and only then reads the data. Note that the key itself travels to the client in the clear once, when it is issued; without SSL, anyone sniffing that first response can sign requests just as well as the real client, which is why this complements SSL rather than replacing it.
These keys could be changed as each request is made, but as AJAX is based on asynchronous communication, several requests can be in flight at once. If the key is rotated on every response and the client sends its next request before the previous response (carrying the new key) has arrived, the server will recompute the HMAC with a key the client has never seen and reject a perfectly legitimate request. The only way to make rotation work is for the client to wait for each response before sending the next, which throws away the asynchrony you adopted AJAX for. A better approach is to keep the per-session key fixed and include a per-request nonce and timestamp in the signed string, with the server remembering the nonces it has already accepted; that gives you replay protection without the ordering problem. The list of problems with AJAX security goes on and on.
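The signing scheme just described, written out as an added example (this is not code from the original article): a fixed per-session key plus a per-request nonce and timestamp, so that concurrent requests verify in any order while a captured request cannot be replayed. It uses PHP's standard hash_hmac() and hash_equals(); the request layout, the function names and the array standing in for $_SESSION are assumptions for illustration. The client side is shown in PHP as well, purely to keep the example in one language.

```php
<?php
// Added example, not the article's code: HMAC-signed AJAX requests with a
// fixed per-session key and a per-request nonce, instead of a rotating key.
// Function names, the request layout and the session layout are assumptions.
declare(strict_types=1);

const HMAC_ALGO = 'sha256';
const MAX_SKEW  = 300; // seconds a signed request remains acceptable

// On session start: issue a random key, keep it in the server-side session,
// send it to the client once (this is the message that really needs SSL).
function issue_session_key(array &$session): string
{
    $session['ajax_key']    = bin2hex(random_bytes(32));
    $session['seen_nonces'] = [];
    return $session['ajax_key'];
}

// The exact bytes both sides sign: method, path, sorted fields, time, nonce.
// Sorting the fields means client and server agree even if field order differs.
function canonical_string(string $method, string $path, array $fields, int $ts, string $nonce): string
{
    ksort($fields);
    return implode("\n", [strtoupper($method), $path, http_build_query($fields), (string) $ts, $nonce]);
}

// Client side: the extra fields that travel alongside the data.
function sign_request(string $key, string $method, string $path, array $fields): array
{
    $ts    = time();
    $nonce = bin2hex(random_bytes(16));
    $mac   = hash_hmac(HMAC_ALGO, canonical_string($method, $path, $fields, $ts, $nonce), $key);
    return ['ts' => $ts, 'nonce' => $nonce, 'mac' => $mac];
}

// Server side: returns null on success, otherwise a reason for the log
// (never echo the reason to the client).
function verify_request(array &$session, string $method, string $path, array $fields, array $sig): ?string
{
    if (empty($session['ajax_key'])) {
        return 'no session key';
    }
    if (!isset($sig['ts'], $sig['nonce'], $sig['mac'])) {
        return 'missing signature field';
    }
    $ts = (int) $sig['ts'];
    if (abs(time() - $ts) > MAX_SKEW) {
        return 'stale timestamp';
    }
    $nonce = (string) $sig['nonce'];
    if (isset($session['seen_nonces'][$nonce])) {
        return 'replayed nonce';
    }
    $expected = hash_hmac(HMAC_ALGO, canonical_string($method, $path, $fields, $ts, $nonce), $session['ajax_key']);
    if (!hash_equals($expected, (string) $sig['mac'])) { // constant-time compare
        return 'bad mac';
    }
    // Record the nonce only for requests that verified; drop ones too old to replay.
    $session['seen_nonces'][$nonce] = $ts;
    $now = time();
    $session['seen_nonces'] = array_filter(
        $session['seen_nonces'],
        function (int $seen) use ($now): bool { return $now - $seen <= MAX_SKEW; }
    );
    return null;
}

// Demonstration with a constructed array standing in for $_SESSION.
$session = [];
$key     = issue_session_key($session);
$path    = '/suggest.php';

// Two requests fired at once, both signed with the same key ...
$sigA = sign_request($key, 'POST', $path, ['q' => 'sec']);
$sigB = sign_request($key, 'POST', $path, ['q' => 'secu']);
// ... arrive out of order, and both are accepted.
$r = verify_request($session, 'POST', $path, ['q' => 'secu'], $sigB);
echo 'second request first: ', $r ?? 'ok', "\n";
$r = verify_request($session, 'POST', $path, ['q' => 'sec'], $sigA);
echo 'first request second: ', $r ?? 'ok', "\n";
// Replaying a captured request is refused.
$r = verify_request($session, 'POST', $path, ['q' => 'sec'], $sigA);
echo 'replay:               ', $r ?? 'ok', "\n";
// Altering the data in transit breaks the MAC.
$sigC = sign_request($key, 'POST', $path, ['q' => 'secur']);
$r = verify_request($session, 'POST', $path, ['q' => 'secux'], $sigC);
echo 'tampered:             ', $r ?? 'ok', "\n";
```

In a real endpoint the server half is called as verify_request($_SESSION, $_SERVER['REQUEST_METHOD'], $_SERVER['REQUEST_URI'], $_POST, $sig) after session_start(), and the client computes the same canonical string in JavaScript before sending. Remember that the key is issued in the clear once, so this scheme gives you tamper detection and replay protection, not secrecy.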
Here are a few pointers for developing AJAX and PHP: -
1) Never use GET for requests that change state between client and server. GET parameters end up in browser history, proxy and server logs, and any page anywhere can trigger a GET with an image tag. Use POST, and remember that POST on its own does not stop a forged cross-site request: the browser will happily submit a hidden form to your endpoint, cookies and all.
2) Session data (the session cookie) is transmitted from the client every time a request to the server is made. Therefore, without SSL your session cookie is visible to anyone sniffing the network, and whoever holds it is you as far as the server is concerned. Set the cookie's Secure flag so it is only ever sent over https://, and HttpOnly so script in the page cannot read it.
3) Requests by the XMLHttpRequest object can only be made to the originating server (the browser's same-origin policy). Don't rely on this as an access control, and do the server checks anyway: it constrains the script in the page, not an attacker with their own HTTP client, and it does not stop an ordinary cross-site form post. Some people also claim that XSS (Cross Site Scripting) is possible using XMLHttpRequest; more precisely, if your page already has an XSS flaw, the injected script can drive XMLHttpRequest with the victim's session, and the same-origin policy is no help at all.
4) Do as much authentication on the server side as possible without crippling performance. Check the obvious, e.g. the user agent is the same as at login, but treat that as a tripwire rather than a control; an attacker who has stolen the cookie can copy the user agent too.
5) Instruct the client to place a custom header on the XMLHttpRequest (X-Requested-With is the usual choice) and reject requests to your AJAX endpoints that lack it. An ordinary HTML form on another site cannot add custom headers, so this is a cheap first line of defence against cross-site request forgery; a per-session token echoed back in the request body is the stronger second line.
6) Mission critical, personal or business related data should be kept outside of the AJAX loop unless you are 100% certain there are no security flaws.
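The SSL-plus-session advice above and pointers 1 to 5 pulled together into one entry check, as an added example (not code from the original article). The gate takes the request arrays as parameters so it can be exercised with constructed requests; the function names, the session layout and the csrf field name are assumptions. Session cookie flags are set in start_secure_session(), which a live endpoint calls before ajax_gate($_SERVER, $_POST, $_SESSION).

```php
<?php
// Added example, not the article's code: the gate an AJAX endpoint runs
// before doing any work. Function names and the session layout are assumptions.
declare(strict_types=1);

// Cookie flags must be set before session_start(): Secure keeps the cookie
// off plain http://, HttpOnly keeps it away from injected script.
function start_secure_session(): void
{
    // lifetime, path, domain, secure, httponly
    session_set_cookie_params(0, '/', '', true, true);
    ini_set('session.use_only_cookies', '1');
    session_start();
}

// Returns null if the request may proceed, otherwise the HTTP status to send.
function ajax_gate(array $server, array $post, array $session): ?int
{
    // 1. Insist on the encrypted channel; never serve the endpoint over http://.
    if (empty($server['HTTPS']) || $server['HTTPS'] === 'off') {
        return 403;
    }
    // 2. POST only (pointer 1): no state change behind a link or an <img>.
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return 405;
    }
    // 3. Marker header (pointer 5): a plain HTML form on another site cannot
    //    set custom headers, so a cross-site form post arrives without it.
    if (($server['HTTP_X_REQUESTED_WITH'] ?? '') !== 'XMLHttpRequest') {
        return 400;
    }
    // 4. A live, logged-in session (pointer 2 covers keeping its cookie private).
    if (empty($session['user_id'])) {
        return 401;
    }
    // 5. Same user agent as at login (pointer 4): a tripwire, not a control.
    if (($session['ua'] ?? '') !== ($server['HTTP_USER_AGENT'] ?? '')) {
        return 401;
    }
    // 6. Per-session anti-CSRF token echoed back in the body. hash_equals()
    //    compares in constant time, so the token cannot be guessed byte by byte.
    $expected = $session['csrf'] ?? '';
    $given    = is_string($post['csrf'] ?? null) ? $post['csrf'] : '';
    if ($expected === '' || !hash_equals($expected, $given)) {
        return 403;
    }
    return null;
}

// Constructed requests against a constructed session. On the client side the
// script does xhr.open('POST', '/api.php'), then
// xhr.setRequestHeader('X-Requested-With', 'XMLHttpRequest') and sends
// csrf=<token> in the body; the token was written into the page at login.
$session = ['user_id' => 42, 'ua' => 'Mozilla/5.0 (demo)', 'csrf' => bin2hex(random_bytes(16))];
$good = [
    'HTTPS' => 'on', 'REQUEST_METHOD' => 'POST',
    'HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest', 'HTTP_USER_AGENT' => 'Mozilla/5.0 (demo)',
];
$post = ['csrf' => $session['csrf'], 'q' => 'seo'];

// Array union (+) lets the left-hand keys override the good request.
$cases = [
    'valid request'       => [$good, $post],
    'plain http'          => [['HTTPS' => 'off'] + $good, $post],
    'GET instead of POST' => [['REQUEST_METHOD' => 'GET'] + $good, $post],
    'forged form post'    => [array_diff_key($good, ['HTTP_X_REQUESTED_WITH' => 1]), $post],
    'wrong csrf token'    => [$good, ['csrf' => 'guess'] + $post],
];
foreach ($cases as $label => [$srv, $body]) {
    $status = ajax_gate($srv, $body, $session);
    printf("%-20s -> %s\n", $label, $status === null ? 'allowed' : "rejected ($status)");
}
```

The checks are ordered cheapest first and the endpoint returns nothing but a status code on failure; the reason belongs in your server log, not in the response body, where it would only help an attacker tune their requests.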
As AJAX has been around for some time now, there has been significant work on making AJAX secure, although holes are still being found.
The following are a couple of resources relating to technology that could help when developing a secure AJAX web application.
Description and Examples of JSON - http://en.wikipedia.org/wiki/JSON
Home Page of XOAD - http://wiki.xoad.org/index.php?title=Wiki_Home
Download Page of XOAD - http://wiki.xoad.org/index.php?title=Download
Home Page of SAJA - http://saja.sourceforge.net/
Download Page of SAJA - http://sourceforge.net/project/showfiles.php?group_id=156741
Checking your AJAX security
One of the most expensive aspects of developing a web application that must be secure may well be the security itself.
If you are developing a web application that stores personal, business or mission critical information, then you no doubt need to provide security.
Security should be at the forefront of any project that has any of the above elements and if you are employing AJAX technology, then your security budget may just have to treble.
Even if you have developed your AJAX application and are pretty certain of its integrity and security, it would be well worth checking it.
Denim Group have released a product for the .NET platform called Sprajax, published as open source and downloadable from http://www.denimgroup.com/Sprajax/Default.aspx. The only downside of Sprajax is that it is platform dependent (.NET). Hopefully a cross-platform (PHP) version will be available soon.
It is helpful to follow some of the security companies too, as they are mostly at the forefront of these issues and some of them release their findings to the general public.
The Web Application Security Consortium at http://www.webappsec.org/ is a great resource, although it is difficult for a novice to follow the bugs found in AJAX and other web apps. Rather technical too.
CNET is a great worldwide resource at
http://news.com.com/The+security+risk+in+Web+2.0/2100-1002_3-6099228.html
And of course, keep your eyes on this post too.
29/08: Yahoo! Siteexplorer Released
Yahoo! have released their version of Google's sitemaps/webmaster tools (Yahoo! Siteexplorer).
Yahoo!'s Site Explorer allows you to authenticate your own sites, similar to Google's webmaster tools. In essence you can tell Yahoo! that a particular web site is yours. This not only allows you to submit feeds to Yahoo!, but it also provides you with more information about your site.
You can submit feeds through the Site Explorer GUI. This allows you to effectively provide Yahoo! with a sitemap of your web site.
Yahoo! still have the BETA tag on the Site Explorer logo, but the service looks great and, whilst still in BETA release, clearly provides the webmaster with the right set of tools to manage and update the Yahoo! index with their updated web site.
25/08: Images and SEO
High image content web sites are confusing to optimise for the search engines.
As the search engines are keyword driven you might think your Search Engine Optimisation campaign will suffer due to a lack of text. You could be forgiven for thinking that image-heavy web sites are devoid of keywords and therefore won't work in the natural/organic results.
By using aspects of modern markup you can supply the browser and the search engine with relevant information about those images.
You can even take these modern aspects and turn them to everyone's advantage by making your web site 100% accessible.
Accessibility for web sites goes beyond the realms of high contrast colours for high visibility. Accessibility provides everyone with tool tips, hints and alternative text for non-image browsers. So, behind all those images could be information required for accessibility, non-image browsers, the search engines and everyone else.
In reality, not only will your web site contain alternative descriptions for accessibility, it will also be available to a wider audience. This is not to say, right, go and fill your web site with images. This is to say that if you have an image based web site, then your search engine results are not necessarily waving in the wind.
Good news to all those image fanatics.
25/08: Novice Webmasters
The definition of a webmaster is someone who has mastered the web. Therefore it must be a contradiction in terms to have a novice webmaster.
How can you have a novice master at anything for that matter? There are certainly clear steps that can be taken to become a webmaster, but these steps are taken over years, not days or even weeks. There are certain subjects such as DNS, TCP/IP, HTML, SCRIPTING, HOSTING to name but a few that have to be mastered, if not, at least understood. This is not to say that the position of becoming a webmaster is only open to a minority.
This article is not supposed to antagonise people either, but to become a master at anything takes time, commitment and focus. There are no novices in the world of masters.
Do you think they would put a novice golfer into the Golf Masters and release a statement along the lines of: -
'It's ok, he's a novice master.'
I don't think so.
For all those inspired people who wish to become webmasters, good luck and best wishes. The industry needs more good webmasters, but not novice webmasters.
The inspiration for this article comes from all those novice webmasters out there...
Adobe and Macromedia merged in 2005, but we still haven’t seen anything prolific from them. You would expect a large corporate like Adobe and Macromedia to have produced something of note within a year. Yet we haven’t seen any world rocking design or development program updates.
Looking at the bundle packages available from Adobe, they are still packaging the Macromedia suite and the Adobe suite as individual products.
So, when are we to expect new products from these guys?
Not in the near future by the looks of it. Adobe mention on their site that you will continue to receive upgrades if you purchase a bundle product, but nothing about combining the likes of Adobe’s Go-Live and Macromedia’s Dreamweaver.
You would have thought that the combined knowledge of Adobe and Macromedia would have produced groundbreaking products by now…
Watch this space for more news on Adobe’s new products.
When hosting a search engine friendly dynamic web site, custom hosting often proves to be the only solution.
Most of the common web hosting solutions are so restricted that truly dynamic web sites are difficult to make totally search engine friendly.
Aspects like .htaccess and mod_rewrite are unavailable using common web hosting solutions. Use of .htaccess and mod_rewrite are almost imperative to get your dynamic web site producing search engine friendly pages.
If your web site is dynamic and you are having problems making your web site search engine friendly, then speak to us to get advice and solutions to help you find that custom hosting solution that fits the bill.
SERVER variables in PHP come in very handy when producing dynamic sites that may move from domain to domain. It is known that absolute links are more sturdy and search engine friendly than relative links.
Ok, there's a question: -
Q: What's the difference between a relative link and an absolute link?
A: An absolute link will include the whole path to the object (http://www.seocrusade.com/marketing), whereas a relative link will only include the necessary path info to the object (../marketing).
Right. So now we have established the difference between relative and absolute, the problem you may face is that by using absolute links you will not be able to move your code between domains without changing the absolute links....
For example, you have a website hosted on www.domaina.com and want to move it to www.domainb.com, but all the links are written as http://www.domaina.com in the code. Rather than doing a find and replace of domaina with domainb, write your code using $_SERVER['HTTP_HOST'] to build the http:// prefix of each link.
One caveat: $_SERVER['HTTP_HOST'] is simply the Host header the client sent, so a crafted request can put any host name it likes into every link you generate (and into any e-mail you build the same way). Compare it against the list of host names you actually serve, and fall back to a configured canonical host when it does not match.
Ok, so you may (should) be doing this anyway, but if you're not and your dynamic code is categorised by directory structure, then this is the answer.
Your code can then move from domaina to domainb without any code changes. This only works if your code is categorised by directory structure and not all within the one page.
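The HTTP_HOST approach with the host check it needs, as an added example (not code from the original post). The allowed-host list, the fallback host and the function names are assumptions; the two request arrays are constructed to stand in for $_SERVER.

```php
<?php
// Added example, not the post's code: absolute links built from
// $_SERVER['HTTP_HOST'] without trusting it blindly. The allowlist, the
// fallback host and the function names are assumptions for illustration.
declare(strict_types=1);

const ALLOWED_HOSTS = ['www.domaina.com', 'www.domainb.com'];
const FALLBACK_HOST = 'www.domaina.com';

// HTTP_HOST is whatever the client put in the Host header. Without this check
// a request carrying "Host: evil.example" would plant that host in every link.
function site_host(array $server): string
{
    $host = strtolower($server['HTTP_HOST'] ?? '');
    $host = preg_replace('/:\d+$/', '', $host); // drop an explicit port, if any
    return in_array($host, ALLOWED_HOSTS, true) ? $host : FALLBACK_HOST;
}

function base_url(array $server): string
{
    $scheme = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https' : 'http';
    return $scheme . '://' . site_host($server);
}

function absolute_link(array $server, string $path): string
{
    return base_url($server) . '/' . ltrim($path, '/');
}

// Constructed requests: the site after its move, and a spoofed Host header.
$moved   = ['HTTP_HOST' => 'www.domainb.com', 'HTTPS' => 'on'];
$spoofed = ['HTTP_HOST' => 'evil.example'];
echo absolute_link($moved, 'marketing'), "\n";
echo absolute_link($spoofed, 'marketing'), "\n";
```

Moving the site is then a one-line change to ALLOWED_HOSTS (and FALLBACK_HOST) rather than a find and replace, and a request with a host you do not serve still produces links to a host you do.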
Have you ever wondered how to change the description Google uses in your search engine results? Well if the description is being taken from your DMOZ listing, then you can instruct Google to use a different description.
This only works if your current description is from DMOZ: -
Add the meta tag to each page you would like to change the description on: -
<meta name="GOOGLEBOT" content="NOODP">
This tells Googlebot to use a description other than the Open Directory Project description. Ok, so you've added the <meta name="description"... tag, but there is still no guarantee that Google will use the description in your own meta data.
Nevertheless, you will have a good chance of changing your description from the DMOZ description currently applied to your search engine results.
19/08: SEO Crusade Go-Live
SEO Crusade finally takes its web services live. With over 6 months of research into the development of SEO Crusade, the services are here for good.
The initial web services that SEO Crusade are providing include web site tracking, Internet marketing, web site development, web site project management and relative support services.
Check out SEO Crusade's Ethos to see why we at SEO Crusade are doing what we are doing.