The Network Security. Org

RSS Feed

Brute force attacks against SMBs on the rise Avoiding the scourge of DNS amplification attacks

Restricting Access to your AJAX Services

August 7th, 2006 · No Comments


Services like the XmlHttpProxy for Java are designed to return JavaScript that is evaluated on the ajax.gifclient. Unfortunately, if you are not careful with the design of your services, JSONP techniques could be used to hijack your services. While I’m not saying JSONP is bad, I do highly recommend you carefully track, limit, or restrict access to your application’s services to JavaScript clients. Here are some strategies for doing this.

1. Token Based Restriction - Limit a client access to server-side resources by using tokens. Resources may include URLs, databases, web services, or domain objects which that service may access to complete a request. Tokens may be configured in a file or by using your server’s built-in security features.
2. Unique Hash / Session Based Restriction - When generating a page that accesses the target service you can create a unique hash or key for each client and restrict access based on the existence of the hash. The session management facilities of the servlet API may easily used to track whether or not a conversation has been established.
3. URL Based Restriction - Based on the URL in which the JavaScript is executed you can restrict access to a service.
4. Application Key Based Restriction - An application key is a flexible means of providing access to your service to a set of JavaScript clients.
5. Content-Type / Authentication Based Restriction - You can restrict JavaScript clients outside of the domain from directly accessing your service by using XML possibly in combination with basic or digest authentication.

Let’s look at restricting service access in more detail and how it is handled by the XmlHttpProxy for Java. Greg Murray’s Blog: Restricting Access to your AJAX Services

From around the Web

  • Advertisments