Cross-Site Request Forgery

Author: admin | Published: 7th Feb 2008 | Read: 243 times
Filed in: Security



To protect a website, it is essential to know how it is going to be attacked. One such area of awareness is knowing how to cure the cross-site request forgery problem. Though website security may appear hyped, the kind of attack that cross-site request forgery makes possible justifies the concern.


Today let us take a look at a very simple yet effective method to prevent this attack in most Ajax-based websites and applications:


Cross-Site Request Forgery


When the website starts trusting the user, it is practically the end of the website's security.
Cross-site request forgery works by accessing your account through your cookie. All the hacker has to do is embed a picture whose address carries a request, so that the website, seeing your cookie, allows the hacker to perform specific actions in your name.


There is actually a basic protection in Ajax that prevents others from using the above hack: by its nature, JavaScript does not allow an image file to be used that easily. However, most Ajax-based websites rely on user-generated content, and because of this, developers have no choice but to perform authentication.


Performing constant authentication always exposes the website's cookie. For security reasons we cannot do away with authentication and leave the site open, since everyone could then access even the most secure information. To protect the website and online application, instead of single-cookie authentication, why not make it double-submit cookie authentication? This trick is possible only in an Ajax-based application, so hackers will have to work double time to think of a workaround.


There are two ways of protecting your cookie authentication. First, developers can run a simple authentication, which usually happens before the POST. The security measure does not end there: once that authentication has finished, another function is launched with a stricter version of the rules, specific rules that prohibit suspicious-looking cookies from accessing the website.


There is another version of cookie authentication which also ensures that the website is protected from undesirable cookies. Instead of checking cookies as they come in, developers can build the website so that cookie authentication is requested by the incoming application.


Developers are also required to verify that the incoming cookie has the value the server is looking for before any request for information or a function is served. This ensures that only trusted domains, which hold the actual value the website is looking for, can access the website. The good thing about this function is that it automatically enables JavaScript in websites and functions that are trying to access the server and application. JavaScript by default will never allow any image linking, much less cross-site request forgery.


Together, these two security measures make sure that the website is safe enough to accept cookies and weed out possible intruders. Although JavaScript does not allow image linking, there are still other ways of accessing the cookie and ultimately hacking the website. We will look at most of them one by one in order to protect the newest language that proves RIA can work even better.





