Ajax and interactive Web Services are the girders of Web2.0 applications. This technical innovation has also brought new security challenges to these applications.
This article describes a number of methods, tools and techniques for studying the security issues of Web2.0 applications, and introduces the use of Firefox and its plug-ins to find and locate security holes. The paper covers mainly the following areas:
(1) the Web2.0 application architecture and its security problems;
(2) the security challenges faced when assessing Web2.0 applications, for example discovering hidden calls, and using network and client-side crawlers to discover the call logic;
(3) using the debugging tool Firebug to find XHR (XMLHttpRequest) calls;
(4) using the tool Chickenfoot to automate simulated browser events;
(5) using the debugging tool Firebug to set breakpoints and single-step through a Web2.0 application;
(6) vulnerability detection methods.
2. Web2.0 Applications
Web2.0, as the next generation of Web applications, integrates a great deal of technology. On the one hand, XML-driven Web Services running on SOAP, XML-RPC and the REST (Representational State Transfer) framework expose resources to Web-centric applications and have brought them great convenience. On the other hand, Web2.0 technology uses Ajax and rich Internet application components, such as Flash, to provide a powerful end-user application interface.
The technical innovations of Web2.0 have had a major impact on Web applications and on the communication mechanism between the browser client and the server. At the same time, these innovations have brought new security challenges to Web applications.
New worms such as Yamanner, Samy and Spaceflash, which damage the client-side Ajax framework, provide hackers with new means of attack and threaten the sensitive information stored on the client host.
Figure 1: Web2.0 framework
The structure of Web2.0 is shown in Figure 1. The browser process, on the left side, can be divided into the following layers:
(1) Presentation layer: HTML / CSS provide the display of the program in the browser window;
(2) Logic processing layer: JavaScript running in the browser is in charge of the business logic and the communication logic. Ajax-driven components sit at this layer;
(3) Transport layer: the XMLHttpRequest object provides the asynchronous communication and XML data exchange mechanism between the client browser and the server; here the XMLHttpRequest object uses the HTTP or HTTPS protocol.
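Because transport-layer XHR traffic never shows up as a page refresh, an assessor first has to learn which endpoints the logic layer actually calls (the hidden calls of items (2) and (3) above, which Firebug's console exposes). The following is an added example, not code from the article: it wraps the XMLHttpRequest prototype so that every open()/send() pair is recorded and then summarises the endpoints; StubXhr is a constructed stand-in for the browser object so that the block runs offline.

```javascript
// Wrap an XHR constructor's open()/send() so every call the Ajax layer makes
// is recorded. Pass the real XMLHttpRequest in a browser; StubXhr below is a
// constructed stand-in for running this offline.
function installXhrRecorder(XhrCtor) {
  const calls = [];
  const origOpen = XhrCtor.prototype.open;
  const origSend = XhrCtor.prototype.send;
  XhrCtor.prototype.open = function (method, url, async) {
    // Remember the parameters; the call is committed only when send() runs.
    this._rec = { method: String(method).toUpperCase(), url: String(url),
                  async: async !== false, body: null };
    return origOpen.apply(this, arguments);
  };
  XhrCtor.prototype.send = function (body) {
    if (this._rec) {
      this._rec.body = body == null ? null : String(body);
      calls.push(this._rec);
    }
    return origSend.apply(this, arguments);
  };
  return calls;
}

// Group recorded calls by endpoint and note what a reviewer wants to know:
// the HTTP methods used, whether the body is XML (SOAP/XML-RPC style), and
// whether the endpoint lies outside the page's own origin.
function summarizeCalls(calls, pageOrigin) {
  const page = new URL(pageOrigin);
  const byEndpoint = new Map();
  for (const c of calls) {
    const u = new URL(c.url, page);
    const key = u.origin + u.pathname;
    const e = byEndpoint.get(key) ||
      { methods: new Set(), xmlBody: false, crossOrigin: false };
    e.methods.add(c.method);
    if (c.body && c.body.trimStart().startsWith('<')) e.xmlBody = true;
    if (u.origin !== page.origin) e.crossOrigin = true;
    byEndpoint.set(key, e);
  }
  return byEndpoint;
}

// Constructed stand-in for the browser's XMLHttpRequest; no network involved.
class StubXhr {
  open() {}
  send() {}
}
```

In a browser, run installXhrRecorder(XMLHttpRequest) from the console before exercising the application, then inspect the returned array or pass it to summarizeCalls(calls, location.origin).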
The server-side components, on the right side of Figure 1, are located behind the server's firewall and include configured Web Services and traditional Web application resources. Ajax resources running in the client browser can "talk" directly to the XML-based Web Services and exchange data without refreshing the entire page. The data exchange process is transparent to the client user; in other words, the user does not notice the browser refreshing the page. Page refreshes and redirects were an integral part of first-generation Web applications, but in the Web2.0 era these operations have been replaced by Ajax's asynchronous operations. (Editor: Li Lei)