Ajax security
Just saw a good video about Ajax security by Billy Hoffman of HP. I had the pleasure of listening to him at the AjaxWorld Security Bootcamp last year in San Jose. I think he’s a great speaker and he always shows you relevant examples that are easy to understand. The video below covers subjects such as JSON hijacking, function clobbering and more. He also has a book on this topic that I recommend; it’s called Ajax Security.
This is the video on YouTube:
FrameworkScanner 0.3
Refactorings, UI enhancements and some new features:
Added CSS analysis (included in the collision matrix), and also the possibility to analyze your own scripts and see if they are 100% compatible with the frameworks in the list. Might be handy in some cases, or not?
John Resig and Bertrand Le Roy pointed out some more native classes that should be analyzed (below). These are now included in the scan…
- document
- Element
- Document
- HTMLElement
- HTMLDocument
FrameworkScanner 0.2 – Namespace collision detection
My baby has a name now: FrameworkScanner. It also got a new feature, a namespace conflict matrix which will be handy if you’re considering using more than one library for your site. Let me know if you find any bugs or if you can think of more cool features this beast should have.
Go to FrameworkScanner

Conflict matrix
AJAX frameworks: Global namespace pollution
Recently I had an idea about checking the most popular JavaScript frameworks & APIs to see how they differ in terms of global namespace pollution.
The result can be seen here
This page loads all the frameworks separately in an iframe and compares the window object against the one of a fresh iframe. I also included information about which builtin JavaScript classes have been augmented, which shows a difference in architectural approach between the frameworks. You can click a row to see the details about the global symbols in the framework/API.
The results vary more than I’d expected and it’s interesting to see the different namespacing strategies at play. YUI/jQuery/Ext keep the numbers down by putting everything in one global object. In debug mode Microsoft assigns a name to each function for better stack trace information when debugging (hence the large number of globals). These symbols are not present in the release mode of the scripts.
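The comparison described above, as an added example that is not FrameworkScanner’s own code: it diffs the global names of a window that loaded a framework against a fresh window, reports which native classes were augmented, and builds the pairwise collision matrix. The two framework windows (libA, libB) are constructed stand-ins, so the script also runs outside a browser.

```javascript
// Added example, not FrameworkScanner's own code: compare a window that loaded a
// framework against a fresh one, as the post's iframe comparison does. The windows
// below are constructed stand-ins so the script also runs outside a browser.
// Native classes whose augmentation is reported (incl. the ones added in 0.3).
const NATIVE_CLASSES = ['Object', 'Array', 'Function', 'String', 'Number', 'Date',
  'RegExp', 'Element', 'HTMLElement', 'Document', 'HTMLDocument'];

// Own property names present on `b` but not on `a`, sorted.
const addedNames = (a, b) => {
  const base = new Set(Object.getOwnPropertyNames(a));
  return Object.getOwnPropertyNames(b).filter((n) => !base.has(n)).sort();
};

// Global symbols the framework introduced into the window.
function globalPollution(freshWin, loadedWin) {
  return addedNames(freshWin, loadedWin);
}

// Members the framework added to each native class (static) and to its prototype.
function prototypeAugmentations(freshWin, loadedWin, classes = NATIVE_CLASSES) {
  const report = {};
  for (const cls of classes) {
    const fresh = freshWin[cls], loaded = loadedWin[cls];
    if (typeof fresh !== 'function' || typeof loaded !== 'function') continue;
    const proto = addedNames(fresh.prototype, loaded.prototype);
    const stat = addedNames(fresh, loaded);
    if (proto.length || stat.length) report[cls] = { prototype: proto, static: stat };
  }
  return report;
}

// Collision matrix: for each pair of frameworks, the globals both of them define.
function collisionMatrix(pollution) {
  const matrix = {};
  for (const a of Object.keys(pollution)) {
    matrix[a] = {};
    for (const b of Object.keys(pollution)) {
      if (a !== b) matrix[a][b] = pollution[a].filter((n) => pollution[b].includes(n));
    }
  }
  return matrix;
}

// Constructed stand-ins (in a browser: iframe.contentWindow). libA/libB are hypothetical.
const makeWindow = () => ({ document: {}, setTimeout() {}, Object: function Object() {}, Array: function Array() {} });
const freshWin = makeWindow();
const libA = makeWindow(); libA.$ = function $() {}; libA.Array.prototype.each = function each() {};
const libB = makeWindow(); libB.$ = function $() {}; libB.LIB = { version: '1.0' };
const pollution = { libA: globalPollution(freshWin, libA), libB: globalPollution(freshWin, libB) };
console.log(pollution, prototypeAugmentations(freshWin, libA), collisionMatrix(pollution));
```

The `$` entry in the matrix is the kind of collision the post warns about: two libraries claiming the same global name, where the one loaded last silently wins.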
You can run into some hard-to-debug issues when including scripts from different sources if namespacing isn’t used. Variable name collisions can be tricky and time consuming (not to mention boooooring) to hunt down. Below is a snippet from an article by Douglas Crockford.
Global variables are a source of unreliability and insecurity. Fortunately, JavaScript includes tools for allowing us to drastically minimize our use of globals, which makes our programs more robust. This becomes increasingly important as our programs get bigger, and as we mix in and mash up program components from multiple authors. Reducing our dependency on globals increases the likelihood that collisions are avoided and that the program components work harmoniously.