Tuesday, August 4, 2009

Ajax and Mashup Security

Ajax and mashups represent two new Web application development approaches that both fit under the Web 2.0 umbrella.


Asynchronous JavaScript + XML (Ajax) allows user interaction with Web pages to be decoupled from the Web browser's communication with the server. In particular, Ajax drives mashups, which integrate disparate content or services into a single user experience. However, Ajax and mashup technology introduce new types of threats because of their dynamic and multidomain nature. It is important to understand these threats and to avoid them by adhering to some best practices.


A mashup is a web application that combines content from more than one source into an integrated experience. Usually, the mashup components interact with each other. In the classic example of a mashup, a Craigslist component is combined with a mapping component (e.g., Google or Yahoo maps) such that when a user clicks on a new Craigslist entry, the mapping component updates its view to show the new address.

Mashups typically allow the end user to discover and integrate third party, Ajax-powered mashup components onto the mashup's canvas. Examples in the consumer social networking space include Facebook Widgets and MySpace Widgets, which end users can discover and insert into their pages.

From a technology perspective, mashup components represent Ajax-powered "mini applications" that are assembled into an Ajax-powered mashup container application that provides a framework for the components to communicate with each other. Sometimes the mashup container application enables cross-site communications by providing proxy services to allow server-side redirection to Web servers that are associated with a given mashup component.

Here is a whitepaper from the OpenAjax Alliance on Ajax and mashup security that you may wish to peruse.

Ajax and Mashup Security


"Web Application Security — How to Minimize Prevalent Risk of Attacks"

Vulnerabilities in web applications are now the largest vector of enterprise security attacks.

Stories about exploits that compromise sensitive data frequently mention culprits such as "cross-site scripting," "SQL injection," and "buffer overflow." Vulnerabilities like these often fall outside the traditional expertise of network security managers.

To help you understand how to minimize these risks, Qualys provides this guide as a primer to web application security. The guide covers:

  • typical web application vulnerabilities
  • comparison of options for web application vulnerability detection
  • QualysGuard Web Application Scanning solution



