Information Security Magazine
Web 2.0 application development techniques introduce new information security risks
by Justin Gehtland
Issue: Nov 2007

Modern templating engines. Most modern Web development platforms provide a templating engine that can automatically HTML-encode any dynamic data being interpolated into the template. Some examples:

[IMAGE]

Some even have a way to globally escape all rendered values unless specifically asked otherwise. Your code should take advantage of these tools as much as possible, only allowing unescaped HTML to be rendered if it was generated by your application directly, or via parsing a markup language.

Testing, monitoring and reporting. Finally, take advantage of the testing framework provided by your development platform. Perform unit testing on each security layer, ensuring that data validation and representation validation behave correctly when given known examples of potential threats as test input. Perform functional testing, and use some form of user-spoofing test technique to exercise the full chain from browser to server and back. Make sure to run those tests often, both locally and in a continuous integration environment.
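The escape-by-default rendering described above, together with the "known threats as test input" unit check, as an added example that is not from the article or from any particular platform: a minimal template renderer that HTML-encodes every interpolated value unless the application explicitly marked it as markup it generated itself. `SafeHTML`, `render`, `paragraphs_to_html` and `KNOWN_BAD_INPUTS` are hypothetical names introduced here.

```python
import html
import re


class SafeHTML(str):
    """Marker type for markup the application itself produced (e.g. output of a
    markup parser). Only values of this type bypass escaping in render()."""


# Matches {{ name }} placeholders in a template string.
_PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def render(template: str, context: dict) -> str:
    """Substitute placeholders; HTML-encode by default, pass SafeHTML through."""

    def substitute(match: re.Match) -> str:
        value = context[match.group(1)]
        if isinstance(value, SafeHTML):
            return str(value)          # already safe: generated by the application
        return html.escape(str(value), quote=True)  # escapes & < > " and '

    return _PLACEHOLDER.sub(substitute, template)


def paragraphs_to_html(text: str) -> SafeHTML:
    """Tiny 'markup language' step: escape the untrusted text first, then wrap
    each blank-line-separated block in <p> tags. The result is trusted markup."""
    blocks = [b.strip() for b in text.split("\n\n") if b.strip()]
    return SafeHTML("".join(f"<p>{html.escape(b, quote=True)}</p>" for b in blocks))


# Constructed sample inputs for the unit test: strings that must never reach
# the rendered page unchanged.
KNOWN_BAD_INPUTS = [
    "<script>alert(1)</script>",
    '" onmouseover="x',
    "<img src=x onerror=y>",
]


def escaping_failures(template: str = "<p>{{ v }}</p>") -> list:
    """Unit-test helper: return the bad inputs that survive rendering verbatim.
    A correct escape-by-default engine returns an empty list."""
    return [p for p in KNOWN_BAD_INPUTS if p in render(template, {"v": p})]


if __name__ == "__main__":
    print(render("<b>{{ name }}</b>", {"name": KNOWN_BAD_INPUTS[0]}))
    print(render("<div>{{ body }}</div>", {"body": paragraphs_to_html("Hi\n\n<i>x</i>")}))
    print("escaping failures:", escaping_failures())
```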

With the advent of modern JavaScript unit testing frameworks, your client-side logic should be as thoroughly tested as your server-side code.

HAPPY AND HOLISTIC
Ajax requires a thorough application of techniques already proven to traditional Web apps. Server-side validation needs to be applied to data arriving from the client, and sometimes, that validation needs to include the use of a standard parser. Outbound representations need to be verified against their intended use.

Organizations should take a comprehensive, holistic approach to application security by applying validation on both sides of the untrusted boundary. This approach needs to include thorough testing of both server-side and client-side logic. You also need to understand how to debug Ajax apps using tools like Firebug, the IE Developer Toolbar and others.

As long as you adhere to the primary rules of Web security--"All input is evil until proven otherwise," and "Data must be validated as it crosses the boundary between untrusted and trusted environments"--then Ajax shouldn't impact the security of the application.

