Security 426 ::
AJAX and Web Services Security Overview
Overview
Asynchronous JavaScript and XML (AJAX) and Web Services are currently the most active areas in Web application development. Security issues continue to rise as organizations are diving head first into insecurely implementing new Web technologies without first understanding them. This one-day, hands-on course covers the security issues, mitigation strategies, and general best practices for implementing AJAX and Web Services. We also examine real-world attacks and trends to give you a better understanding of exactly what you're protecting against. The SANS Institute promise is to ensure that you will be able to utilize what you learn the minute you get back to the office.
To maximize the benefit for a wider range of audiences, the discussions in this course will be programming language agnostic. Focus will be maintained on security strategies rather than coding level implementation. This course is definitely intended for you if you are tasked with implementing secure Web applications using Web Services or AJAX.
Course Prerequisites
A basic understanding of Web application development (such as the material covered in Security 519: Web Application Security Workshop or equivalent) is required. This course does not cover the background of Web application vulnerabilities and attacks such as SQL Injection, Cross Site Scripting, and Cross Site Forgery; it goes straight into the AJAX application. Programming expertise is not a requirement, but code examples are used to explain how the attacks work.
Sampling of Topics
Who Should Attend
- Web Application Developers
- Web Application Architects
- Web Operation Managers or Administrators
- Security Analysts
Laptop
Laptop Required: Students attending this course are required to bring their own properly configured laptops. There is not enough time in class to help you set up your laptop; it must be properly installed and configured before you come to class.
Students are required to bring a laptop with Windows 2000 or XP and the latest Service Packs and patches applied. The minimum hardware requirements are a 1 GHz processor, 512 MB of RAM, a CD-ROM drive, and a USB slot.
Install the following software on the computer:
- Java Runtime Environment (JRE) (please download from sun.com)
- Firefox (latest version)
Please install VMware Player on the laptop. VMware Player can be downloaded for free at www.vmware.com.
At the beginning of class, you will be given a Linux bootable CD. This CD will be booted within VMware as a virtual image.
You must have the ability to disable the host firewall (Windows Firewall or another third-party firewall) running on your desktop. This usually means you need to have administrative privileges on the machine. The Windows host and Linux host need to talk to each other through the VMware network interface; a firewall could block such communication and render some of the exercises unsuccessful.



