Looking at the Security Issues with Proxy Servers


As Ajax programmers, you first have to face the situation that browsers are attempting to protect their users from us. The biggest issue you have to face as an Ajax programmer is that browsers won’t let you access domains other than your own. This is actually fairly unintelligently implemented, so you have to be careful. The browser does the checking solely based on domain name, which leads to some odd results. For example, you can access other accounts on the same domain, even if they’re not yours, and the browser will be fine with that. On the other hand, if you substitute the IP address for the actual domain name, the browser won’t let you access data that way.

Take a look at Table 15.1, which summarizes the rules a browser uses to determine whether you can access a server-side resource.

Table 15.1: Using Proxies on the Server
Open table as spreadsheet

www.ajaxsuperduperco.com/awww.ajaxsuperduperco.com/b

OK

www.ajaxsuperduperco.com:8080/awww.ajaxsuperduperco.com/b

Not OK

http://www.ajaxsuperduperco.com/ahttps://www.ajaxsuperduperco.com/b

Not OK

www.ajaxsuperduperco.com/awww.203.217.555.201/b

Not OK

www.ajaxsuperduperco.com/adave.ajaxsuperduperco.com/b

Not OK

www.ajaxsuperduperco.com/sam/awww.ajaxsuperduperco.com/frank/b

OK

Although you might look at Table 15.1 with annoyance because it puts restrictions on your code, it also helps preserve your Ajax applications from being hijacked by users who do some cross-server scripting, placing their URL in your applications. However, as you can also see from Table 15.1, the scheme is far from perfect. For example, the recent “Samy” worm used cross-server scripting to exploit the popular Web site MySpace, adding a million “friends” to the author’s friends list.

There’s not very much you can do about cross-server scripting because the hacker operates on client code. Probably the best thing you can do is restrict the users to those that have passwords, and log their activities if security becomes an issue.



Ajax Bible
Ajax Bible
ISBN: 0470102632
EAN: 2147483647
Year: 2004
Pages: 169

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net