Cross Site Integration “mashups” cross site scripting.

Presentation on theme: "Cross Site Integration “mashups” cross site scripting."— Presentation transcript:

1 Cross Site Integration “mashups” cross site scripting

2 Server Side
- Server code fetches data or services
- Has little to do with this course
- Can involve XML or SQL to remote servers
- Data may include HTML
- Data may include javascript
- Man-in-the-middle attacks?

3 3rd Party
- Do you trust them?
- When they update, will it break you?
- When they go broke, will it break you?
- Do they send any javascript code or URLs used in links?
- javascript can do ANYTHING to you
- URLs can send people to fake sites

4 AJAX
- protocol is XML (SOAP); data is often XML
- Based upon a hack of invisible frames: HTML pages read by javascript
- Most often used in a framework which just lifts HTML fragments from the data

5 AJAX Security
- limitations are similar to javascripting frames
- Same website (same-origin) policy! can’t load external data; server-side data relays instead
- Easy access to XML data sources; XML is powerful…

6 Examples?
- Libraries are always used: jQuery, etc
- Requires a server side program
- Requires some XML data; this could be a minimal wrapper
- http://www.w3schools.com/AJAX
- http://www.ajaxdaddy.com

7 Issues
- DO NOT OVER DO IT!
- High server load / high bandwidth: slow XML over slow HTTP
- Server relay needs bandwidth
- Utilizing XML may be work; XML processing is cpu intensive

8 3rd Party
- Do you trust them?
- When they update, will it break you?
- When they go broke, will it break you?
- Do they send any javascript code or URLs used in links?
- javascript can do ANYTHING to you
- URLs can send people to fake sites

9 Javascript
- Almost no security limitations
- exec() of code can be limited to making objects
- JSON (JavaScript Object Notation): easier, smaller, faster than XML
- Code is more powerful / flexible

10 JSON
- For speed and size most use JSON
- code can be written in JSON; most code libraries are in JSON
- APIs not uniform!
- Heavily depend on browser garbage collection - once a script is loaded you can’t unload it

11 Variable Method
- var o = {json & could include code};
- var x = “stringified code”;
- var loaded = 1;
- loading function looks for loaded == 1
- o: loop object & copy, or exec
- x: exec() runs the string

12 Wrapped
- javascript code sent as string data
- wrap in HTML (invisible frame or part of a visible frame)
- wrap in AJAX
- This delays running the SCRIPT so you can “securely” exec it or parse it

13 Library Style
- Provides a set of functions to do what needs to be done
- often handle loading of JSON (or AJAX)
- Function parameters used for customization
- CSS of the generated HTML

14 Examples
- http://disqus.com : online comments, no javascript API; CSS to format, just a SCRIPT file
- http://www.google.com/ig/directory?synd=open : Google gadgets, js scripts; some have an API

15 API/Globals/Query
- API: their javascript interface (trust?); you call their functions with settings
- Globals: you define objects with the settings before running their code
- Query: you send settings in the Query part of requesting the data
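The two ways of taking in a 3rd-party payload from slides 11 and 12 (an object to loop and copy, or a string to parse rather than exec) and the settings hand-off of slide 15, as an added example that is not code from the presentation. The payload strings and the allow-list of settings are constructed for the example.

```javascript
// Added example for slides 11-12 and 15 (not code from the presentation):
// taking settings from a 3rd-party source as data, without exec()/eval().

// Constructed sample of what a 3rd-party endpoint might return as a string.
const THIRD_PARTY_JSON = '{"title":"Comments","count":3,"theme":"dark"}';
// Constructed sample of the same idea delivered as code rather than data;
// eval() would run it, JSON.parse() rejects it.
const THIRD_PARTY_CODE = '({"theme": document.title, "count": 1+2})';

// Settings (key -> expected type) the host page is willing to copy.
// Hypothetical allow-list; a real page lists its own settings here.
const ALLOWED_SETTINGS = { title: "string", count: "number", theme: "string" };

// Parse a string payload as data only. JSON.parse never runs code, which is
// the "secure" way to handle slide 11's stringified x.
function parseJsonObject(text) {
  const value = JSON.parse(text); // throws SyntaxError on anything that is not JSON
  if (value === null || typeof value !== "object" || Array.isArray(value)) {
    throw new TypeError("expected a JSON object");
  }
  return value;
}

// True when the string is plain JSON data, false when it would need eval().
function isDataOnly(text) {
  try {
    parseJsonObject(text);
    return true;
  } catch (e) {
    return false;
  }
}

// "Loop object & copy" (slide 11's o): copy only known keys of the expected
// type into a fresh object, so unexpected properties (functions, extra keys)
// from the 3rd party never reach the page's own settings.
function copySettings(source) {
  const out = {};
  for (const key of Object.keys(ALLOWED_SETTINGS)) {
    if (Object.prototype.hasOwnProperty.call(source, key) &&
        typeof source[key] === ALLOWED_SETTINGS[key]) {
      out[key] = source[key];
    }
  }
  return out;
}

// Full path: string from the 3rd party -> parsed data -> filtered settings.
function loadSettings(text) {
  return copySettings(parseJsonObject(text));
}
```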

16 3rd Party
- Do you trust them?
- When they update, will it break you?
- When they go broke, will it break you?
- Do they send any javascript code or URLs used in links?
- javascript can do ANYTHING to you
- URLs can send people to fake sites

17 Google Maps
- 1st to popularize rich javascript applications
- Has a Javascript API - add your own points on the map
- Was early to popularize “mashups”: combining datasets with location data
- http://code.google.com/apis/maps/documentation/javascript/

18 Plug-ins
- Flash, Silverlight, A/V, ActiveX
- Browser plug-ins have little security
- Plug-ins may have javascript APIs
- Plug-ins may have their OWN scripting (flash uses javascript)

19 Examples
- Youtube embedded: paste-in HTML code; basically it's a flash plug-in embed
- External video / audio content: Quicktime, etc
- “super” cookies: use plug-ins to circumvent privacy

