
Pages: 5 (1005 words) Published: 7 November 2012
Improve web application security with jQuery Mobile
Learn how to secure your mobile applications
John Leitch, Application Security Consultant, Freelance. Skill Level: Intermediate. Date: 03 May 2011

Many web developers consider security a low priority. Security is frequently relegated to the end of the software development life cycle, as little more than an afterthought. Sometimes, software security is neglected entirely, resulting in applications rife with common vulnerabilities. Because such bugs might manifest only under conditions present during an attack, they can be hard to detect before such events without knowledge of how the exploitation process works. Using a web application built with jQuery Mobile, PHP, and MySQL, this tutorial shows how many types of vulnerabilities occur, along with common methods of exploitation and, most importantly, their respective countermeasures.

Section 1. Before you start
This tutorial is for jQuery Mobile developers interested in securing their applications. It assumes that the reader has basic knowledge of web application development using PHP, MySQL, JavaScript, XHTML, and CSS. Also, this tutorial is in no way comprehensive; it is intended as an introduction to web application security. For further reading on the issues covered here, plus other relevant topics, check Resources.

Frequently used acronyms

• API: Application program interface
• CSRF or XSRF: Cross-site request forgery
• CSS: Cascading Stylesheets
• HTML: Hypertext Markup Language
• HTTP: Hypertext Transfer Protocol
• OS: Operating system
• SQL: Structured Query Language
• URL: Uniform Resource Locator
• W3C: World Wide Web Consortium
• XHTML: Extensible Hypertext Markup Language
• XML: Extensible Markup Language
• XSS: Cross-site scripting

© Copyright IBM Corporation 2011, developerWorks® (ibm.com/developerWorks/)

About this tutorial

With the rise of smart phones and similar devices, web application security has been broadened to include mobile applications. Because of the constraints imposed by the interfaces of many such devices, developers sometimes work with the flawed assumption that client-side input validation is sufficient for protection against attacks. However, requests sent by mobile applications can be manipulated in the same way as those sent by traditional web applications. Because of this, the client cannot be trusted. With sensitive data sometimes stored on devices and on the servers that they use, the protection of users from black-hat hackers is critical. This tutorial shows how several types of vulnerabilities occur and some of the countermeasures that can be put in place to mitigate attackers trying to exploit them. The following types of vulnerabilities are covered:

• Cross-site scripting
• Cross-site request forgery
• Broken access control
• SQL injection
• File inclusion
• OS command injection
• Scripting language injection
• Arbitrary file creation

All vulnerabilities and countermeasures are demonstrated using a sample application built with jQuery Mobile, PHP, and MySQL. (See Download for a .zip file with the sample code.)
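As an added example, not code from the tutorial or its sample application: a PHP handler (PHP 7.4 or later assumed) that enforces on the server the same rules a jQuery Mobile form enforces on the client, then queries MySQL through a bound prepared statement and escapes the output. The field, table and column names, the DSN and the credentials are assumptions.

```php
<?php
// Added example, not from the tutorial. Field, table and column names, the
// DSN and the credentials are assumptions; replace them for a real deployment.
// Re-check the request exactly as the client-side form claims to, because a
// forged request can skip the client (and its validation) entirely.
function validateProfileRequest(array $input): array
{
    $errors = [];
    $clean = [];
    // id: positive integer (client uses <input type="number" min="1">)
    $id = filter_var($input['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        $errors['id'] = 'id must be a positive integer';
    } else {
        $clean['id'] = $id;
    }
    // username: 3-20 chars of [A-Za-z0-9_] (client uses a pattern attribute)
    $name = $input['username'] ?? null;
    if (!is_string($name) || !preg_match('/^[A-Za-z0-9_]{3,20}$/', $name)) {
        $errors['username'] = 'username must be 3-20 letters, digits or underscores';
    } else {
        $clean['username'] = $name;
    }
    return ['ok' => $errors === [], 'data' => $clean, 'errors' => $errors];
}
// Bind the validated values as parameters; never concatenate them into SQL.
function findProfile(PDO $db, int $id, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, username, bio FROM profiles WHERE id = :id AND username = :name');
    $stmt->execute([':id' => $id, ':name' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}
// Escape stored values before they reach the page so they cannot inject markup.
function renderProfile(array $row): string
{
    $h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div data-role="content"><h2>' . $h($row['username']) . '</h2><p>' . $h($row['bio'] ?? '') . '</p></div>';
}
// $_POST is whatever the client chose to send, validated client-side or not.
$result = validateProfileRequest($_POST);
if (!$result['ok']) {
    http_response_code(400);
    exit(json_encode(['errors' => $result['errors']]));
}
$db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'PLACEHOLDER_PASSWORD',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);
$row = findProfile($db, $result['data']['id'], $result['data']['username']);
echo $row === null ? 'Not found' : renderProfile($row);
```

Disabling emulated prepares makes MySQL itself bind the parameters, which is the property that keeps the SQL injection countermeasure independent of how the input looks.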

Prerequisites
You will need the following tools to complete this tutorial:

• Web server — You can use any web server with PHP support. Many of the exploits throughout this tutorial are Windows specific, but they can be adapted for other operating systems. Suggested web servers are Apache or the IBM HTTP Server.
• PHP — Because some attacks described do not work against the latest version, PHP 5.3.1 was used. Such incompatibilities are noted throughout the tutorial.
• MySQL — This tutorial uses MySQL, an open source database. Version 5.1.41 was used for this tutorial, but other versions should work fine.
• Web debugging proxy — Because a way of...