{"id":305,"date":"2009-11-12T14:05:00","date_gmt":"2009-11-12T19:05:00","guid":{"rendered":"http:\/\/www.webadminblog.com\/?p=305"},"modified":"2009-11-12T16:15:18","modified_gmt":"2009-11-12T21:15:18","slug":"development-issues-within-ajax-applications-how-to-divert-threats","status":"publish","type":"post","link":"https:\/\/www.webadminblog.com\/index.php\/2009\/11\/12\/development-issues-within-ajax-applications-how-to-divert-threats\/","title":{"rendered":"Development Issues within AJAX Applications: How to Divert Threats"},"content":{"rendered":"<p>This presentation was by Lars Ewe, CTO of Cenzic on AJAX applications and trying to explore the different implications of running AJAX in your environment.\u00a0 My notes are below:<\/p>\n<p><span style=\"text-decoration: underline;\"><strong>Agenda<\/strong><\/span><\/p>\n<ul>\n<li>What is AJAX?<\/li>\n<li>AJAX and Web App Security<\/li>\n<li>AJAX and Test Automation<\/li>\n<li>Vulnerability Examples: XSS, CSRF, &amp; JavaScript Hijacking<\/li>\n<li>AJAX Best Security Practices<\/li>\n<li>Demo<\/li>\n<li>Q&amp;A<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>What is AJAX?<\/strong><\/span><\/p>\n<ul>\n<li>Asynchronous JavaScript And XML<\/li>\n<li>AJAX allows for a new generation of more dynamic, more interactive, faster Web 2.0 applications<\/li>\n<li>AJAX leverages existing technologies, such as DHTML, CSS&lt; DOM, JSON, and the (a)synchronous XMLHTTPRequest (XHR)<\/li>\n<li>Not just a set of technologies, but a new Web application development approach and methodology<\/li>\n<li>XHR allows for (a)synchronous server requests without the need for a full page reload<\/li>\n<li>XHR &#8220;downstream&#8221; payload can be\n<ul>\n<li>XML, JSON, HTML\/JavaScript snippets, plain text, serialized data, basically pretty much anything&#8230;<\/li>\n<\/ul>\n<\/li>\n<li>Responses often get further processed using JavaScript and result in dynamic web page content changes through DOM modifications<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>AJAX Code Example<\/strong><\/span><\/p>\n<p><code>xhr = new XMLHttprequest();<br \/>\nxhr.open(\"GET\", AJAX_call?foo-bar, true);<br \/>\nxhr.onreadystatechange = processResponse;<br \/>\nxhr.send(null);<br \/>\nfunction processResponse() {<br \/>\nif (xhr.readyState == 4) {<br \/>\nif (request.status == 200) {<br \/>\nresponse = xhr.responseText;<br \/>\n...<br \/>\n}<br \/>\n}<br \/>\n}<\/code><\/p>\n<p><span style=\"text-decoration: underline;\"><strong>XHR and the Same Origin Policy<\/strong><\/span><\/p>\n<ul>\n<li>Same origin policy is a key browser security mechanism\n<ul>\n<li>To prevent any cross-domain data leakage, etc<\/li>\n<li>With JavaScript it doesn&#8217;t allow JavaScript from origin A to access content\/data from origin B<\/li>\n<li>Origin refers to the domain name, port, and protocol<\/li>\n<\/ul>\n<\/li>\n<li>In the case of XHR, the same origin policy does not allow for any cross-domain XHR requests\n<ul>\n<li>Developers often don&#8217;t like this at all!<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Common Cross Domain Workarounds<\/strong><\/span><\/p>\n<p>Cross-domain access is often still implemented by various means, such as:<\/p>\n<ul>\n<li>Open \/ Application (server-based) proxies<\/li>\n<li>Flash &amp; Java Applets (depending on crossdomain.xml)\n<ul>\n<li>Ex: FlashXMLHttpRequest by Julien Couvreur<\/li>\n<\/ul>\n<\/li>\n<li>RESTful web service with JavaScript callback and JSON response\n<ul>\n<li>EX: JSONscriptRequest by Jason Levitt<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>AJAX Frameworks<\/strong><\/span><\/p>\n<ul>\n<li>AJAX frameworks are often categorized as either &#8220;Client&#8221; or &#8220;Proxy\/Server&#8221; framework<\/li>\n<li>&#8220;Proxy\/Server&#8221; frameworks sometimes result in unintended method\/functionality exposure<\/li>\n<li>Beware of any kind of &#8220;Debugging mode&#8221; (Ex: Direct Web Remoting (DWR) debug=true)<\/li>\n<li>Remember: Attackers can easily &#8220;fingerprint&#8221; AJAX frameworks<\/li>\n<li>Beware of JavaScript Hijacking\n<ul>\n<li>Don&#8217;t use HTTP GET for &#8220;upstream&#8221;<\/li>\n<li>Prefix &#8220;downstream&#8221; JavaScript with &#8220;while(1);&#8221;<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p style=\"padding-left: 30px;\"><span style=\"text-decoration: underline;\"><strong>AJAX and Web App Security<\/strong><\/span><\/p>\n<ul>\n<li>AJAX potentially increases the attack surface\n<ul>\n<li>More &#8220;hidden&#8221; calls mean more potential security holes<\/li>\n<\/ul>\n<\/li>\n<li>AJAX developers sometimes pay less attention to security, due to it&#8217;s &#8220;hidden&#8221; nature\n<ul>\n<li>Basically the old mistake of security by obscurity<\/li>\n<\/ul>\n<\/li>\n<li>AJAX developers sometimes tend to rely on client side validation\n<ul>\n<li>An approach that is just as flawed with or without AJAX<\/li>\n<\/ul>\n<\/li>\n<li>Mash-up calls\/functionality are often less secure by design\n<ul>\n<li>3rd party APIs (Ex: feeds, blogs, search APIs, etc) are often designed with ease of use, not security in mind<\/li>\n<li>Mash-ups often lack clear security boundaries (who validates, who filters, who encodes\/decodes, etc)<\/li>\n<li>Mash-ups often result in untrusted cross-domain access workarounds<\/li>\n<\/ul>\n<\/li>\n<li>AJAX sometimes promotes dynamic code (JavaScript) execution of untrusted response data<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>AJAX \/ Web 2.0 and Test Automation<\/strong><\/span><\/p>\n<ul>\n<li>Spidering is more complex than just processing ANCHOR HREF&#8217;s; various events need to be simulated (Ex: mouseover, keydown, keyup, onclick, onfocus, onblur, etc)<\/li>\n<li>Timer events and dynamic DOM changes need to be observed<\/li>\n<li>Use of non-standard data formats for both requests and responses make injection and detection hard to automate<\/li>\n<li>Page changes after XHR requests can sometimes be delayed<\/li>\n<li>In short, you need to have browser like behavior (JavaScript engine, DOM &amp; event management, etc)<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Cross-Site Scripting (XSS)<\/strong><\/span><\/p>\n<ul>\n<li>AJAX is changing the game a little bit since the script tag may already be there, just need to look for JSON or JavaScript snippets to inject yourself into<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Cross-Site Request Forgery (CSRF)<\/strong><\/span><\/p>\n<ul>\n<li>Want to send a token for AJAX requests as well<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>JavaScript Hijacking<\/strong><\/span><\/p>\n<ul>\n<li>Attacker code (override Array constructor)<\/li>\n<li>Render the JavaScript on the wire useless to anyone who doesn&#8217;t have access to the code itself<\/li>\n<li>The attacker cannot sanitize the JavaScript since they do not have access to the code<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>AJAX Best Security Practices<\/strong><\/span><\/p>\n<p>Pretty much all the usual Web app security best practices apply:<\/p>\n<ul>\n<li>Analyze and know your security boundaries and attack surfaces<\/li>\n<li>Beware of reliance on client-side security measures<\/li>\n<li>Assume the worst case scenario for all 3rd party interations\n<ul>\n<li>3rd parties can inherently not be trusted!<\/li>\n<\/ul>\n<\/li>\n<li>Be extremely careful when circumventing same origin policy<\/li>\n<li>Avoid\/limit the use of dynamic code\/eval()<\/li>\n<li>Beware of JavaScript Hijacking<\/li>\n<li>Implement anti-CSRF defenses<\/li>\n<\/ul>\n<ul>\n<li><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>This presentation was by Lars Ewe, CTO of Cenzic on AJAX applications and trying to explore the different implications of running AJAX in your environment.\u00a0 My notes are below: Agenda What is AJAX? AJAX and Web App Security AJAX and Test Automation Vulnerability Examples: XSS, CSRF, &amp; JavaScript Hijacking AJAX Best Security Practices Demo Q&amp;A [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[307,4],"tags":[53,319,173,316,320,622,317,318,321],"class_list":["post-305","post","type-post","status-publish","format-standard","hentry","category-owasp-appsec-dc-2009","category-web-app-sec","tag-ajax","tag-asynchronous","tag-development","tag-issues","tag-javascript","tag-security","tag-threats","tag-vulnerabilities","tag-xml"],"aioseo_notices":[],"aioseo_head":"\n\t\t<!-- All in One SEO 4.9.10 - aioseo.com -->\n\t<meta name=\"description\" content=\"This presentation was by Lars Ewe, CTO of Cenzic on AJAX applications and trying to explore the different implications of running AJAX in your environment. My notes are below: Agenda What is AJAX? AJAX and Web App Security AJAX and Test Automation Vulnerability Examples: XSS, CSRF, &amp; JavaScript Hijacking AJAX Best Security Practices Demo Q&amp;A\" \/>\n\t<meta name=\"robots\" content=\"max-image-preview:large\" \/>\n\t<meta name=\"author\" content=\"Josh\"\/>\n\t<link rel=\"canonical\" href=\"https:\/\/www.webadminblog.com\/index.php\/2009\/11\/12\/development-issues-within-ajax-applications-how-to-divert-threats\/\" \/>\n\t<meta name=\"generator\" content=\"All in One SEO (AIOSEO) 4.9.10\" \/>\n\t\t<meta property=\"og:locale\" content=\"en_US\" \/>\n\t\t<meta property=\"og:site_name\" content=\"Web Admin Blog | Real Web Admins.  Real World Experience.\" \/>\n\t\t<meta property=\"og:type\" content=\"article\" \/>\n\t\t<meta property=\"og:title\" content=\"Development Issues within AJAX Applications: How to Divert Threats | Web Admin Blog\" \/>\n\t\t<meta property=\"og:description\" content=\"This presentation was by Lars Ewe, CTO of Cenzic on AJAX applications and trying to explore the different implications of running AJAX in your environment. My notes are below: Agenda What is AJAX? AJAX and Web App Security AJAX and Test Automation Vulnerability Examples: XSS, CSRF, &amp; JavaScript Hijacking AJAX Best Security Practices Demo Q&amp;A\" \/>\n\t\t<meta property=\"og:url\" content=\"https:\/\/www.webadminblog.com\/index.php\/2009\/11\/12\/development-issues-within-ajax-applications-how-to-divert-threats\/\" \/>\n\t\t<meta property=\"article:published_time\" content=\"2009-11-12T19:05:00+00:00\" \/>\n\t\t<meta property=\"article:modified_time\" content=\"2009-11-12T21:15:18+00:00\" \/>\n\t\t<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n\t\t<meta name=\"twitter:title\" content=\"Development Issues within AJAX Applications: How to Divert Threats | Web Admin Blog\" \/>\n\t\t<meta name=\"twitter:description\" content=\"This presentation was by Lars Ewe, CTO of Cenzic on AJAX applications and trying to explore the different implications of running AJAX in your environment. My notes are below: Agenda What is AJAX? AJAX and Web App Security AJAX and Test Automation Vulnerability Examples: XSS, CSRF, &amp; JavaScript Hijacking AJAX Best Security Practices Demo Q&amp;A\" \/>\n\t\t<script type=\"application\/ld+json\" class=\"aioseo-schema\">\n\t\t\t{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.webadminblog.com\\\/index.php\\\/2009\\\/11\\\/12\\\/development-issues-within-ajax-applications-how-to-divert-threats\\\/#article\",\"name\":\"Development Issues within AJAX Applications: How to Divert Threats | Web Admin Blog\",\"headline\":\"Development Issues within AJAX Applications: How to Divert Threats\",\"author\":{\"@id\":\"https:\\\/\\\/www.webadminblog.com\\\/index.php\\\/author\\\/jsokol\\\/#author\"},\"publisher\":{\"@id\":\"https:\\\/\\\/www.webadminblog.com\\\/#organization\"},\"datePublished\":\"2009-11-12T14:05:00-06:00\",\"dateModified\":\"2009-11-12T16:15:18-06:00\",\"inLanguage\":\"en-US\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.webadminblog.com\\\/index.php\\\/2009\\\/11\\\/12\\\/development-issues-within-ajax-applications-how-to-divert-threats\\\/#webpage\"},\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.webadminblog.com\\\/index.php\\\/2009\\\/11\\\/12\\\/development-issues-within-ajax-applications-how-to-divert-threats\\\/#webpage\"},\"articleSection\":\"OWASP AppSec DC 2009, Web Application Security, ajax, asynchronous, development, issues, javascript, Security, threats, vulnerabilities, xml\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.webadminblog.com\\\/index.php\\\/2009\\\/11\\\/12\\\/development-issues-within-ajax-applications-how-to-divert-threats\\\/#breadcrumblist\",\"itemListElement\":[{\"@type\":\"ListItem\",\"@id\":\"https:\\\/\\\/www.webadminblog.com#listItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.webadminblog.com\",\"nextItem\":{\"@type\":\"ListItem\",\"@id\":\"https:\\\/\\\/www.webadminblog.com\\\/index.php\\\/category\\\/security\\\/#listItem\",\"name\":\"Security\"}},{\"@type\":\"ListItem\",\"@id\":\"https:\\\/\\\/www.webadminblog.com\\\/index.php\\\/category\\\/security\\\/#listItem\",\"position\":2,\"name\":\"Security\",\"item\":\"https:\\\/\\\/www.webadminblog.com\\\/index.php\\\/category\\\/security\\\/\",\"nextItem\":{\"@type\":\"ListItem\",\"@id\":\"https:\\\/\\\/www.webadminblog.com\\\/index.php\\\/category\\\/security\\\/web-app-sec\\\/#listItem\",\"name\":\"Web Application Security\"},\"previousItem\":{\"@type\":\"ListItem\",\"@id\":\"https:\\\/\\\/www.webadminblog.com#listItem\",\"name\":\"Home\"}},{\"@type\":\"ListItem\",\"@id\":\"https:\\\/\\\/www.webadminblog.com\\\/index.php\\\/category\\\/security\\\/web-app-sec\\\/#listItem\",\"position\":3,\"name\":\"Web Application Security\",\"item\":\"https:\\\/\\\/www.webadminblog.com\\\/index.php\\\/category\\\/security\\\/web-app-sec\\\/\",\"nextItem\":{\"@type\":\"ListItem\",\"@id\":\"https:\\\/\\\/www.webadminblog.com\\\/index.php\\\/2009\\\/11\\\/12\\\/development-issues-within-ajax-applications-how-to-divert-threats\\\/#listItem\",\"name\":\"Development Issues within AJAX Applications: How to Divert Threats\"},\"previousItem\":{\"@type\":\"ListItem\",\"@id\":\"https:\\\/\\\/www.webadminblog.com\\\/index.php\\\/category\\\/security\\\/#listItem\",\"name\":\"Security\"}},{\"@type\":\"ListItem\",\"@id\":\"https:\\\/\\\/www.webadminblog.com\\\/index.php\\\/2009\\\/11\\\/12\\\/development-issues-within-ajax-applications-how-to-divert-threats\\\/#listItem\",\"position\":4,\"name\":\"Development Issues within AJAX Applications: How to Divert Threats\",\"previousItem\":{\"@type\":\"ListItem\",\"@id\":\"https:\\\/\\\/www.webadminblog.com\\\/index.php\\\/category\\\/security\\\/web-app-sec\\\/#listItem\",\"name\":\"Web Application Security\"}}]},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.webadminblog.com\\\/#organization\",\"name\":\"Web Admin Blog\",\"description\":\"Real Web Admins.  Real World Experience.\",\"url\":\"https:\\\/\\\/www.webadminblog.com\\\/\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.webadminblog.com\\\/index.php\\\/author\\\/jsokol\\\/#author\",\"url\":\"https:\\\/\\\/www.webadminblog.com\\\/index.php\\\/author\\\/jsokol\\\/\",\"name\":\"Josh\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\\\/\\\/www.webadminblog.com\\\/index.php\\\/2009\\\/11\\\/12\\\/development-issues-within-ajax-applications-how-to-divert-threats\\\/#authorImage\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/17951f69795527f90a4e9cb75ad6c9b3?s=96&d=identicon&r=pg\",\"width\":96,\"height\":96,\"caption\":\"Josh\"}},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.webadminblog.com\\\/index.php\\\/2009\\\/11\\\/12\\\/development-issues-within-ajax-applications-how-to-divert-threats\\\/#webpage\",\"url\":\"https:\\\/\\\/www.webadminblog.com\\\/index.php\\\/2009\\\/11\\\/12\\\/development-issues-within-ajax-applications-how-to-divert-threats\\\/\",\"name\":\"Development Issues within AJAX Applications: How to Divert Threats | Web Admin Blog\",\"description\":\"This presentation was by Lars Ewe, CTO of Cenzic on AJAX applications and trying to explore the different implications of running AJAX in your environment. My notes are below: Agenda What is AJAX? AJAX and Web App Security AJAX and Test Automation Vulnerability Examples: XSS, CSRF, & JavaScript Hijacking AJAX Best Security Practices Demo Q&A\",\"inLanguage\":\"en-US\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.webadminblog.com\\\/#website\"},\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.webadminblog.com\\\/index.php\\\/2009\\\/11\\\/12\\\/development-issues-within-ajax-applications-how-to-divert-threats\\\/#breadcrumblist\"},\"author\":{\"@id\":\"https:\\\/\\\/www.webadminblog.com\\\/index.php\\\/author\\\/jsokol\\\/#author\"},\"creator\":{\"@id\":\"https:\\\/\\\/www.webadminblog.com\\\/index.php\\\/author\\\/jsokol\\\/#author\"},\"datePublished\":\"2009-11-12T14:05:00-06:00\",\"dateModified\":\"2009-11-12T16:15:18-06:00\"},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.webadminblog.com\\\/#website\",\"url\":\"https:\\\/\\\/www.webadminblog.com\\\/\",\"name\":\"Web Admin Blog\",\"description\":\"Real Web Admins.  Real World Experience.\",\"inLanguage\":\"en-US\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.webadminblog.com\\\/#organization\"}}]}\n\t\t<\/script>\n\t\t<!-- All in One SEO -->\n\n","aioseo_head_json":{"title":"Development Issues within AJAX Applications: How to Divert Threats | Web Admin Blog","description":"This presentation was by Lars Ewe, CTO of Cenzic on AJAX applications and trying to explore the different implications of running AJAX in your environment. My notes are below: Agenda What is AJAX? AJAX and Web App Security AJAX and Test Automation Vulnerability Examples: XSS, CSRF, & JavaScript Hijacking AJAX Best Security Practices Demo Q&A","canonical_url":"https:\/\/www.webadminblog.com\/index.php\/2009\/11\/12\/development-issues-within-ajax-applications-how-to-divert-threats\/","robots":"max-image-preview:large","keywords":"","webmasterTools":{"miscellaneous":""},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.webadminblog.com\/index.php\/2009\/11\/12\/development-issues-within-ajax-applications-how-to-divert-threats\/#article","name":"Development Issues within AJAX Applications: How to Divert Threats | Web Admin Blog","headline":"Development Issues within AJAX Applications: How to Divert Threats","author":{"@id":"https:\/\/www.webadminblog.com\/index.php\/author\/jsokol\/#author"},"publisher":{"@id":"https:\/\/www.webadminblog.com\/#organization"},"datePublished":"2009-11-12T14:05:00-06:00","dateModified":"2009-11-12T16:15:18-06:00","inLanguage":"en-US","mainEntityOfPage":{"@id":"https:\/\/www.webadminblog.com\/index.php\/2009\/11\/12\/development-issues-within-ajax-applications-how-to-divert-threats\/#webpage"},"isPartOf":{"@id":"https:\/\/www.webadminblog.com\/index.php\/2009\/11\/12\/development-issues-within-ajax-applications-how-to-divert-threats\/#webpage"},"articleSection":"OWASP AppSec DC 2009, Web Application Security, ajax, asynchronous, development, issues, javascript, Security, threats, vulnerabilities, xml"},{"@type":"BreadcrumbList","@id":"https:\/\/www.webadminblog.com\/index.php\/2009\/11\/12\/development-issues-within-ajax-applications-how-to-divert-threats\/#breadcrumblist","itemListElement":[{"@type":"ListItem","@id":"https:\/\/www.webadminblog.com#listItem","position":1,"name":"Home","item":"https:\/\/www.webadminblog.com","nextItem":{"@type":"ListItem","@id":"https:\/\/www.webadminblog.com\/index.php\/category\/security\/#listItem","name":"Security"}},{"@type":"ListItem","@id":"https:\/\/www.webadminblog.com\/index.php\/category\/security\/#listItem","position":2,"name":"Security","item":"https:\/\/www.webadminblog.com\/index.php\/category\/security\/","nextItem":{"@type":"ListItem","@id":"https:\/\/www.webadminblog.com\/index.php\/category\/security\/web-app-sec\/#listItem","name":"Web Application Security"},"previousItem":{"@type":"ListItem","@id":"https:\/\/www.webadminblog.com#listItem","name":"Home"}},{"@type":"ListItem","@id":"https:\/\/www.webadminblog.com\/index.php\/category\/security\/web-app-sec\/#listItem","position":3,"name":"Web Application Security","item":"https:\/\/www.webadminblog.com\/index.php\/category\/security\/web-app-sec\/","nextItem":{"@type":"ListItem","@id":"https:\/\/www.webadminblog.com\/index.php\/2009\/11\/12\/development-issues-within-ajax-applications-how-to-divert-threats\/#listItem","name":"Development Issues within AJAX Applications: How to Divert Threats"},"previousItem":{"@type":"ListItem","@id":"https:\/\/www.webadminblog.com\/index.php\/category\/security\/#listItem","name":"Security"}},{"@type":"ListItem","@id":"https:\/\/www.webadminblog.com\/index.php\/2009\/11\/12\/development-issues-within-ajax-applications-how-to-divert-threats\/#listItem","position":4,"name":"Development Issues within AJAX Applications: How to Divert Threats","previousItem":{"@type":"ListItem","@id":"https:\/\/www.webadminblog.com\/index.php\/category\/security\/web-app-sec\/#listItem","name":"Web Application Security"}}]},{"@type":"Organization","@id":"https:\/\/www.webadminblog.com\/#organization","name":"Web Admin Blog","description":"Real Web Admins.  Real World Experience.","url":"https:\/\/www.webadminblog.com\/"},{"@type":"Person","@id":"https:\/\/www.webadminblog.com\/index.php\/author\/jsokol\/#author","url":"https:\/\/www.webadminblog.com\/index.php\/author\/jsokol\/","name":"Josh","image":{"@type":"ImageObject","@id":"https:\/\/www.webadminblog.com\/index.php\/2009\/11\/12\/development-issues-within-ajax-applications-how-to-divert-threats\/#authorImage","url":"https:\/\/secure.gravatar.com\/avatar\/17951f69795527f90a4e9cb75ad6c9b3?s=96&d=identicon&r=pg","width":96,"height":96,"caption":"Josh"}},{"@type":"WebPage","@id":"https:\/\/www.webadminblog.com\/index.php\/2009\/11\/12\/development-issues-within-ajax-applications-how-to-divert-threats\/#webpage","url":"https:\/\/www.webadminblog.com\/index.php\/2009\/11\/12\/development-issues-within-ajax-applications-how-to-divert-threats\/","name":"Development Issues within AJAX Applications: How to Divert Threats | Web Admin Blog","description":"This presentation was by Lars Ewe, CTO of Cenzic on AJAX applications and trying to explore the different implications of running AJAX in your environment. My notes are below: Agenda What is AJAX? AJAX and Web App Security AJAX and Test Automation Vulnerability Examples: XSS, CSRF, & JavaScript Hijacking AJAX Best Security Practices Demo Q&A","inLanguage":"en-US","isPartOf":{"@id":"https:\/\/www.webadminblog.com\/#website"},"breadcrumb":{"@id":"https:\/\/www.webadminblog.com\/index.php\/2009\/11\/12\/development-issues-within-ajax-applications-how-to-divert-threats\/#breadcrumblist"},"author":{"@id":"https:\/\/www.webadminblog.com\/index.php\/author\/jsokol\/#author"},"creator":{"@id":"https:\/\/www.webadminblog.com\/index.php\/author\/jsokol\/#author"},"datePublished":"2009-11-12T14:05:00-06:00","dateModified":"2009-11-12T16:15:18-06:00"},{"@type":"WebSite","@id":"https:\/\/www.webadminblog.com\/#website","url":"https:\/\/www.webadminblog.com\/","name":"Web Admin Blog","description":"Real Web Admins.  Real World Experience.","inLanguage":"en-US","publisher":{"@id":"https:\/\/www.webadminblog.com\/#organization"}}]},"og:locale":"en_US","og:site_name":"Web Admin Blog | Real Web Admins.  Real World Experience.","og:type":"article","og:title":"Development Issues within AJAX Applications: How to Divert Threats | Web Admin Blog","og:description":"This presentation was by Lars Ewe, CTO of Cenzic on AJAX applications and trying to explore the different implications of running AJAX in your environment. My notes are below: Agenda What is AJAX? AJAX and Web App Security AJAX and Test Automation Vulnerability Examples: XSS, CSRF, &amp; JavaScript Hijacking AJAX Best Security Practices Demo Q&amp;A","og:url":"https:\/\/www.webadminblog.com\/index.php\/2009\/11\/12\/development-issues-within-ajax-applications-how-to-divert-threats\/","article:published_time":"2009-11-12T19:05:00+00:00","article:modified_time":"2009-11-12T21:15:18+00:00","twitter:card":"summary_large_image","twitter:title":"Development Issues within AJAX Applications: How to Divert Threats | Web Admin Blog","twitter:description":"This presentation was by Lars Ewe, CTO of Cenzic on AJAX applications and trying to explore the different implications of running AJAX in your environment. My notes are below: Agenda What is AJAX? AJAX and Web App Security AJAX and Test Automation Vulnerability Examples: XSS, CSRF, &amp; JavaScript Hijacking AJAX Best Security Practices Demo Q&amp;A"},"aioseo_meta_data":{"post_id":"305","title":null,"description":null,"keywords":null,"keyphrases":null,"primary_term":null,"canonical_url":null,"og_title":null,"og_description":null,"og_object_type":"default","og_image_type":"default","og_image_url":null,"og_image_width":null,"og_image_height":null,"og_image_custom_url":null,"og_image_custom_fields":null,"og_video":null,"og_custom_url":null,"og_article_section":null,"og_article_tags":null,"twitter_use_og":false,"twitter_card":"default","twitter_image_type":"default","twitter_image_url":null,"twitter_image_custom_url":null,"twitter_image_custom_fields":null,"twitter_title":null,"twitter_description":null,"schema":{"blockGraphs":[],"customGraphs":[],"default":{"data":{"Article":[],"Course":[],"Dataset":[],"FAQPage":[],"Movie":[],"Person":[],"Product":[],"ProductReview":[],"Car":[],"Recipe":[],"Service":[],"SoftwareApplication":[],"WebPage":[]},"graphName":"","isEnabled":true},"graphs":[]},"schema_type":"default","schema_type_options":null,"pillar_content":false,"robots_default":true,"robots_noindex":false,"robots_noarchive":false,"robots_nosnippet":false,"robots_nofollow":false,"robots_noimageindex":false,"robots_noodp":false,"robots_notranslate":false,"robots_max_snippet":null,"robots_max_videopreview":null,"robots_max_imagepreview":"large","priority":null,"frequency":null,"local_seo":null,"breadcrumb_settings":null,"limit_modified_date":false,"ai":null,"created":"2025-01-03 22:47:32","updated":"2025-07-17 07:14:32","seo_analyzer_scan_date":null},"aioseo_breadcrumb":"<div class=\"aioseo-breadcrumbs\"><span class=\"aioseo-breadcrumb\">\n\t\t\t<a href=\"https:\/\/www.webadminblog.com\" title=\"Home\">Home<\/a>\n\t\t<\/span><span class=\"aioseo-breadcrumb-separator\">&raquo;<\/span><span class=\"aioseo-breadcrumb\">\n\t\t\t<a href=\"https:\/\/www.webadminblog.com\/index.php\/category\/security\/\" title=\"Security\">Security<\/a>\n\t\t<\/span><span class=\"aioseo-breadcrumb-separator\">&raquo;<\/span><span class=\"aioseo-breadcrumb\">\n\t\t\t<a href=\"https:\/\/www.webadminblog.com\/index.php\/category\/security\/web-app-sec\/\" title=\"Web Application Security\">Web Application Security<\/a>\n\t\t<\/span><span class=\"aioseo-breadcrumb-separator\">&raquo;<\/span><span class=\"aioseo-breadcrumb\">\n\t\t\tDevelopment Issues within AJAX Applications: How to Divert Threats\n\t\t<\/span><\/div>","aioseo_breadcrumb_json":[{"label":"Home","link":"https:\/\/www.webadminblog.com"},{"label":"Security","link":"https:\/\/www.webadminblog.com\/index.php\/category\/security\/"},{"label":"Web Application Security","link":"https:\/\/www.webadminblog.com\/index.php\/category\/security\/web-app-sec\/"},{"label":"Development Issues within AJAX Applications: How to Divert Threats","link":"https:\/\/www.webadminblog.com\/index.php\/2009\/11\/12\/development-issues-within-ajax-applications-how-to-divert-threats\/"}],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/pfI0c-4V","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/305","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/comments?post=305"}],"version-history":[{"count":2,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/305\/revisions"}],"predecessor-version":[{"id":316,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/305\/revisions\/316"}],"wp:attachment":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/media?parent=305"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/categories?post=305"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/tags?post=305"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}