Asynchronous JavaScript And XML (AJAX) Security


AJAX is becoming more popular as the web demands a seamless user experience, and security issues come to the forefront with it.

Security should always be at the forefront of any web application, especially where databases containing user information are concerned. Whilst AJAX is delivering some of the best interactive web experiences in years, the security of the traffic between client and server now becomes an issue in its own right.

AJAX can have many requests in flight between the client and the server at the same time. A single click on an AJAX-enabled page can fire off any number of concurrent requests from the client to the server, and the server has to authenticate and validate every one of them independently.

With PHP on the server, AJAX can be implemented in a more secure fashion, although planning (and, of course, testing) is still the most vital part of developing any secure AJAX web application.

Producing Secure AJAX PHP web applications simply


One of the simplest ways of securing AJAX traffic is to serve the application over SSL. Once you have a secure web server configuration, use PHP sessions (session cookies) and validate the session on the server every time an AJAX request is made, exactly as you would for a normal page request. Then make sure every AJAX request is sent to the secure (https://) address, and set the session cookie's Secure flag (session.cookie_secure in PHP) so the browser never sends it over plain http://.

With SSL, any information passed between the client (web browser) and the server is encrypted and integrity-protected in transit, so a network eavesdropper cannot read or tamper with it once the connection is established. SSL protects the data only on the wire: it does nothing about what the server then does with the request, so server-side validation is still required. If the cost of a commercial certificate is the concern, CAcert provides free certificates to the community, though its root is not shipped in mainstream browsers, so visitors will see a certificate warning unless they have installed the CAcert root themselves.

The problem with this is cost and skill rather than the technology itself. What if you are a small business that does not have the resources to run an SSL-capable web server, the technical ability to configure SSL correctly, or the cash to purchase a certificate? At this stage of the game you will be stuck if you want to implement AJAX on your web site with a near-to-nothing budget.

This does not help the uptake of AJAX for web applications and is already slowing its deployment across the majority of web sites. It is surprising how many web sites out there are still stuck in the 90s.

Why AJAX? The reason for AJAX's increased deployment is the advent of Web 2.0. With Web 2.0 your web site is supposed to be conversational and highly interactive. This is not just a fad among web development techies; it is a direct result of how people now use the web. People visiting your web site expect to be entertained and involved, and even the most boring of web sites can now offer interaction to the visitor. Like predictive text on a mobile phone, Google has Google Suggest (http://www.google.com/webhp?complete=1&hl=en), just one example of an interactive Web 2.0 application.

Producing Secure AJAX PHP web applications thoroughly


OK, so SSL and sessions can greatly improve your AJAX security, but you can go further.

Even without an SSL certificate you can add some protection to your AJAX traffic in PHP by attaching a keyed hash (a message authentication code) to each message exchanged between the client script and the server. This is not a substitute for SSL: a hash does not hide the data, and anyone who can read the traffic can still read the data. What it does give you is a way for the server to detect requests that were tampered with in transit or that did not come from your own client script. The recommendation remains to obtain an SSL certificate for your web application.

All data between the client and the server can be serialised and signed with the keyed hash. Use a standard construction such as HMAC (PHP's hash_hmac() function) rather than a proprietary algorithm of your own: the secrecy should live in the key, not in the algorithm. With the additional use of sessions within PHP to hold the per-session key on the server, you can then start to see how robust this type of solution can become.

For an example of a PHP hashing class, see "class hash crypt" on http://www.phpclasses.org/browse/package/2982.html. Whatever library you choose, prefer a well-known keyed construction over a homegrown one.

Continuing with hashing strings: when a client starts a session, generate a random key, store it in the server-side session and send a copy to the client. The client-side script includes this key when computing the hash over each message it sends. The server picks up the message, checks that the session exists, recomputes the hash over the received data with its stored copy of the key, compares the two, and only then reads the data. Bear in mind that without SSL the key itself travels to the client in the clear, so an attacker who was sniffing the connection from the start can forge requests too; the scheme protects against tampering and against requests forged by a third-party site, not against a full eavesdropper.

These keys could be changed as each request is made, but AJAX is asynchronous: several requests may be in flight at once. If the key is rotated on every request and the client has not yet received the new key before sending the next one, the server cannot verify that request. Forcing the client to wait for each response before sending the next defeats the point of AJAX. The usual way out is to keep the key fixed for the life of the session and make each request unique another way: the client adds a random nonce (or a counter) to the signed data and the server refuses any nonce it has already accepted. Concurrent requests then verify correctly in any order. Even so, the list of things to get right in AJAX security goes on and on.

Here are a few pointers for developing AJAX with PHP:
1) Never use GET for requests that change state or carry sensitive data; URLs end up in browser history, proxy and server logs and Referer headers. Use POST.
2) The session cookie is transmitted by the browser with every request to the server. Without SSL, anyone sniffing the network can read it and take over the session, so once you have SSL set the cookie's Secure flag so it is only ever sent over https://, and its HttpOnly flag so script cannot read it.
3) The browser's same-origin policy only lets the XmlHttpRequest object talk to the server the page came from, but that is a restriction on the client, not a guarantee for the server: do the server-side checks anyway. XmlHttpRequest does not cause XSS (Cross Site Scripting) by itself, but an XSS flaw elsewhere on the site lets an attacker's script call your AJAX endpoints with the victim's session, and passing server responses through eval() or into innerHTML without escaping is itself an XSS vector.
4) Do as much authentication and validation on the server side as possible without degrading performance. Check the obvious, such as the User-Agent not having changed mid-session, but treat such checks as heuristics: an attacker can set any header they like.
5) Have the client script set a custom header (for example X-Requested-With) on every XmlHttpRequest and reject requests that lack it. A plain cross-site form post cannot set custom headers, so this is a cheap check against requests forged from another site.
6) Keep mission-critical, personal or business data out of the AJAX loop unless you are certain there are no security flaws in it.

As AJAX has been around for some time now, there has been significant work on making it secure, although holes are still being found.

The following are a couple of resources relating to technology that could help when developing a secure AJAX web application.
Description and Examples of JSON - http://en.wikipedia.org/wiki/JSON
Home Page of XOAD - http://wiki.xoad.org/index.php?title=Wiki_Home
Download Page of XOAD - http://wiki.xoad.org/index.php?title=Download
Home Page of SAJA - http://saja.sourceforge.net/
Download Page of SAJA - http://sourceforge.net/project/showfiles.php?group_id=156741

Checking your AJAX security


One of the most expensive aspects of developing a web application that has to be secure may well be the security itself.

If you are developing a web application that stores personal, business or mission critical information, then you no doubt need to provide security.

Security should be at the forefront of any project that has any of the above elements and if you are employing AJAX technology, then your security budget may just have to treble.

Even if you have developed your AJAX application and are pretty certain of its integrity and security, it would be well worth checking it.

Denim Group have released an open-source tool for the .NET platform called Sprajax, which can be downloaded from http://www.denimgroup.com/Sprajax/Default.aspx. The only downside of Sprajax is that it is platform dependent (.NET). Hopefully a cross-platform (PHP) version will be available soon.

It is helpful to follow some of the security companies too, as they are mostly at the forefront of these issues and some of them release their findings to the general public.

The Web Application Security Consortium (http://www.webappsec.org/) is a great resource, although it is difficult for a novice to identify the bugs found in AJAX and other web applications, and the material is rather technical.

CNET is a great worldwide resource at
http://news.com.com/The+security+risk+in+Web+2.0/2100-1002_3-6099228.html

And of course, keep your eyes on this post too.