Abstract

Business applications with a web interface are the de facto standard nowadays, driven by various advantages: availability of a centralized business information system integrating all enterprise value-chain activities from any location on the Internet; the possibility of using the software-as-a-service model in a cloud, thus eliminating the institution's need for specialized IT staff involved in installation, maintenance and administration of hardware, software and network infrastructure; and the fact that web applications represent a common programming framework for mobile applications, providing timely, persistent and complete connection of business procedures in the enterprise with the information system. These attractive advantages of web business information systems may become traps for inattentive developers and administrators, because the Web was not created with security in mind. Serious consequences could arise if confidential business data were exposed to unauthorized use and modification. The attack surface has become even larger since the emergence of Ajax technology for sending asynchronous client requests to the web server from an already-loaded webpage, thus achieving interactivity comparable to that of desktop applications. This paper analyzes Ajax web application security issues. Various attacks are classified according to their place in the application execution cycle and the malware activities being used, and methods are proposed to successfully prevent those security threats.
