Ajax World East 2008 - Day 2 Report
I delivered my jMaki as an Ajax Mashup Framework talk and the slides are available here. Lots of attendees came by afterwards and told me that they enjoyed the demo. The talk showed how jMaki Webtop provides a lightweight mashup framework that runs in the browser. Here is a pictorial representation of the demo shown:

jMaki Webtop is basically a jMaki widget that can be embedded in a JSP or PHP page. This widget provides the framework for managing widgets and users, the ability to persist the Webtop on the client side using Google Gears or on the server side using a backend database, layouts, and other functionality. In the JSP case, the widget uses JPA for performing all the CRUD operations against the back-end MySQL database. The resulting WAR file is deployed on GlassFish (it can be any other Servlet container as well). If you are interested in a Java version of Webtop, the recommended path is:
- Create services & widgets using NetBeans
- Deploy them on GlassFish
- jMaki webtop for widget deployment & customization
I attended a few more talks and took notes in some of them to share:
- Can we fix the Web ?
- Accelerate Ajax development with Appcelerator
- REST & Ajax Reconciled
- Understanding the Top Web 2.0 Attack Vectors
- Building Web 2.0 Applications with Project Zero
- OpenAjax Widgets & Gadgets
Can we fix the Web ?
This was an early morning talk (7:30am) and I reached a few minutes late. It was basically about the JavaScript security weaknesses that the Web has inherited, such as:
- Script injection
- No difference between user & guest scripts (a third-party script runs with the same rights as the page's own code)
- Scripts exempt from the same-origin policy (a <script src> tag can pull code from any domain)
- No modularity (global access to everything on the page)
Doug recommended a 3-step plan to fix the Web:
- Safe JavaScript subset
  - JSLint.com provides a safe subset of JavaScript that removes all features that are unsafe or suspect, such as global variables and functions
  - Google Caja & Cajita provide a similar subset, but they use transformation (rewriting the guest code) instead of validation (rejecting it)
- Minor browser improvements
- Major browser improvements
  - Replace JavaScript & the DOM in browsers. The approach is to start with the JSLint subset and add safe features as required.
  - An object-capability system (an object can only act on what it holds an explicit reference to, with no ambient authority such as a global document) needs to be enforced to make it secure.
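To make the object-capability point concrete, here is an added example (not code from the talk, jMaki, JSLint or Caja) written in plain JavaScript. A host page hands each guest widget a frozen facade that reaches exactly one container; the guest never receives the page itself. The "page" is a constructed stand-in for the DOM so it runs in Node. The caveat the talk is really about: in a browser the guest can still reach `window` on its own, so this discipline only holds if the guest code is restricted to a safe subset (JSLint-verified) or rewritten (Caja). The example shows the design, not an enforcement mechanism.

```javascript
// Added example: object-capability discipline for guest widgets.
// The page model, widget ids and guest scripts are constructed for the demo.

// Constructed page model: one container object per widget id.
function createPage() {
  return { containers: new Map() };
}

// Host side: build a frozen facade that exposes exactly one container.
// Freezing means a guest cannot clobber setText/getText on the facade.
function makeWidgetCapability(page, widgetId) {
  const container = { text: '' };
  page.containers.set(widgetId, container);
  const cap = {
    setText(value) { container.text = String(value); },
    getText() { return container.text; },
  };
  return Object.freeze(cap);
}

// Ambient authority (what the talk criticises): the guest script receives
// the whole page, i.e. the equivalent of a global `document`.
function runWithAmbientAuthority(page, guestScript) {
  return guestScript(page);
}

// Capability style: the guest receives only its own facade.
function runWithCapability(cap, guestScript) {
  return guestScript(cap);
}

// Constructed hostile guest: tries to read the 'bank' widget's text.
function nosyGuest(handle) {
  if (handle && handle.containers) {
    const target = handle.containers.get('bank');
    return target ? target.text : undefined;
  }
  return undefined; // a facade offers no path to other widgets
}

// Constructed hostile guest: tries to clobber the facade's setText so that
// later host calls run attacker code (the "function clobbering" attack).
function clobberingGuest(handle) {
  const original = handle.setText;
  try {
    handle.setText = function () { return 'clobbered'; };
  } catch (e) {
    // strict-mode code gets a TypeError here; sloppy mode fails silently
  }
  return handle.setText === original ? 'blocked' : 'clobbered';
}

function capabilityDemo() {
  const page = createPage();
  const bankCap = makeWidgetCapability(page, 'bank');
  const guestCap = makeWidgetCapability(page, 'guest');
  bankCap.setText('balance: 1234');
  return {
    ambient: runWithAmbientAuthority(page, nosyGuest),     // 'balance: 1234'
    capability: runWithCapability(guestCap, nosyGuest),    // undefined
    clobber: runWithCapability(guestCap, clobberingGuest), // 'blocked'
    bankIntact: bankCap.getText(),                         // 'balance: 1234'
  };
}
```

With ambient authority the nosy guest reads the bank widget's text; with a capability it gets nothing, and its attempt to replace `setText` leaves the frozen facade untouched.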
The second talk was on Accelerate Ajax development with Appcelerator by Appcelerator CEO.
The talk started with a "not too long back" introduction of the technology space. Well, it started with 1991 and the timeline (and the associated technology advances in that year) kept shuffling between 1995, 1989, 2001 .... and so on. Jeff talked about how/why Tim Berners-Lee invented the WWW and covered a myriad of terms after that, including but not limited to Web 1.0, Netscape, Mosaic, Marc Andreessen, Java, Java Web Start, Applets, W3C, CGI, J2EE, JCP, C#, JBoss, SOA, JavaFX, Silverlight, AIR and many others. For a 50-minute talk, that was quite a long introduction.
After that introduction, the word "Ajax" was first mentioned almost 30 minutes into the talk (8:51am to be precise). And then the word "Appcelerator" was mentioned at 9:06am. Finally, I realized that I was in the right talk ;)
Appcelerator likes to pitch itself as an RIA + SOA company that allows true decoupling of the rich client from its services. Their service layer is very similar to jMaki's, but they use event handling + Ajax + DHTML to achieve it. They also run on Ruby, PHP, Java and other languages.
All in all, it was a good walk down memory lane!
The next one was REST & Ajax Reconciled.
The talk explained the basic concepts of REST - Resource, URI, Representation, URL & Methods (GET, PUT, POST & DELETE). It also explained the idempotency and safety of each method type (GET is safe and idempotent, PUT and DELETE are idempotent but not safe, POST is neither). Overall a decent introduction.
Then it explained the limitations of current web-based forms:
- The URIs in the action attribute cannot be changed dynamically
- Most browsers recognize only the GET/POST methods
- Limited encodings - for example, generating a JSON encoding requires extra work
It then listed the questions to ask of a REST framework:
- Does it have a resource-based approach?
- Does it acknowledge the existence of representations (you need multiple of them)?
- Solid engineering & community support?
and reviewed three candidates:
- Apache Cocoon - based on XML pipelines & URL patterns, powerful but with a steep learning curve
- Restlet - like Servlet for REST, good for an existing model
- Apache Sling - based on JCR with server-side scripting support
The speaker recommended Apache Sling with µjax for all REST + Ajax needs. But I'd strongly encourage you to have a look at Jersey. The JSON representation generated by Jersey can now be directly consumed by jMaki as described here - a true combination of REST & Ajax :)
And then the last talk where I took notes was Understanding the Top Web 2.0 Attack Vectors. I'll provide notes from the last 5 slides of the talk, which essentially captured the essence. These slides talked about fundamental issues with Ajax and described the concerns and possible attacks for each issue. I'll need to understand some of these attacks better myself, but at least I have a list to begin with :)
Here you go:
- Client-side
  - Concerns
    - Transparency
    - Cross-domain communication
    - Exposed business logic (View Source)
    - Local & offline data storage
  - Attacks
    - Cross-site scripting, DNS rebinding
    - Business logic bypass
    - Variable tampering
    - Protocol hijacking
    - Function clobbering
    - JavaScript hijacking
- Protocols
  - Concerns - new protocols on top of HTTP
    - SOAP
    - XML-RPC
    - REST
  - Attacks
    - Traditional
    - Man-in-the-middle
    - Spoofing
    - Recursive payloads
    - Schema poisoning
- Information Sources
  - Concerns
    - Integrity
    - Transient
    - Diverse (RSS, blogs, email, ...)
  - Attacks
    - Untrusted content
    - Poisoned cache (HTTP response splitting vulnerability)
    - DNS issues
- Information Structure
  - Concerns - variations of data structure
    - RSS
    - Atom
    - JSON
    - Serialized data
  - Attacks
    - Malicious injection
    - Parser implementations
- Server-side Issues
  - Concerns
    - Architecture weaknesses
    - Multiple languages & implementations
    - Increased & fragmented attack surface
    - Unknown request origin
    - Authorization & authentication in a complex environment
  - Attacks
    - Traditional: information disclosure, logical attributes, denial-of-service
    - Command injection: LDAP, SQL, XPath etc.
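"JavaScript hijacking" from the client-side list above is the one Ajax-specific item worth a worked example: a hostile page includes a victim site's JSON endpoint via <script src=...>, the browser sends the victim's cookies, and the returned array literal executes as script where it can be captured. The following is an added example (not code from the talk or from jMaki) showing the two standard defences: only answer JSON to requests carrying a custom header that a <script> tag cannot set, and prefix the body with something that is a syntax error as script. The request objects, `guardJsonResponse` and `parseGuardedJson` are assumed names for the demo; a real handler would take the headers from its framework's request object.

```javascript
// Added example: defending a JSON endpoint against JavaScript hijacking.
// Request/response objects here are constructed stand-ins for a framework's.

const UNPARSEABLE_PREFIX = ")]}',\n"; // turns the body into a script syntax error

// Server side. A <script src> tag can only issue a plain GET with no custom
// headers, whereas a same-origin XMLHttpRequest can set one; require it,
// then prefix the body so it cannot run as a script even if that check is
// bypassed. (A per-session token in the request is the stronger variant.)
function guardJsonResponse(request, data) {
  const headers = request.headers || {};
  if (headers['x-requested-with'] !== 'XMLHttpRequest') {
    return { status: 403, headers: {}, body: '' };
  }
  return {
    status: 200,
    headers: { 'content-type': 'application/json' },
    body: UNPARSEABLE_PREFIX + JSON.stringify(data),
  };
}

// Client side (same-origin XMLHttpRequest): strip the prefix before parsing.
function parseGuardedJson(body) {
  if (!body.startsWith(UNPARSEABLE_PREFIX)) {
    throw new Error('missing anti-hijacking prefix');
  }
  return JSON.parse(body.slice(UNPARSEABLE_PREFIX.length));
}

// Simulates what a hostile page gets from <script src>: the response body is
// evaluated as JavaScript. 'executed' means the array literal ran (and, in
// 2008-era engines, could be captured via a redefined Array constructor or
// a prototype setter); 'syntax-error' means the browser discarded it.
function simulateScriptTagInclusion(body) {
  try {
    new Function(body)();
    return 'executed';
  } catch (e) {
    return e instanceof SyntaxError ? 'syntax-error' : 'runtime-error';
  }
}

function hijackingDemo() {
  const secret = [{ account: '1234', balance: 5000 }]; // constructed data
  const unguarded = JSON.stringify(secret);
  const hostile = { method: 'GET', headers: {} };        // <script src> request
  const legitimate = {
    method: 'GET',
    headers: { 'x-requested-with': 'XMLHttpRequest' },   // same-origin XHR
  };
  const denied = guardJsonResponse(hostile, secret);
  const allowed = guardJsonResponse(legitimate, secret);
  return {
    unguardedRuns: simulateScriptTagInclusion(unguarded),   // 'executed'
    hostileStatus: denied.status,                           // 403
    guardedRuns: simulateScriptTagInclusion(allowed.body),  // 'syntax-error'
    roundTrip: parseGuardedJson(allowed.body),              // equals secret
  };
}
```

The unguarded array literal executes happily as a script; the guarded body is refused outright for the header-less request and, even when served, fails to parse as script while the legitimate client still recovers the data.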
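"Recursive payloads" under Protocols refers to XML whose entity declarations reference each other so that a few hundred bytes expand to gigabytes when parsed (the billion-laughs pattern), which is a denial-of-service against SOAP and XML-RPC endpoints. As an added example (not code from the talk), here is a pre-parse check in JavaScript that reads the internal DTD subset, sizes each entity's expansion recursively against a budget, and rejects cyclic or oversized definitions before the body reaches a real parser. The regexes and budget are assumptions for the demo, and the sample documents are constructed; the simplest production policy is to reject any DOCTYPE at all, and external (SYSTEM) entities are a separate problem this check does not cover.

```javascript
// Added example: bounding XML entity expansion before parsing.

const MAX_EXPANSION_BYTES = 10 * 1024; // assumed budget; tune per service
const PREDEFINED = new Set(['lt', 'gt', 'amp', 'apos', 'quot']); // expand to 1 char

// Collect internal general entity declarations: <!ENTITY name "value">
function parseEntityDecls(xml) {
  const decls = new Map();
  const re = /<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>/g;
  let m;
  while ((m = re.exec(xml)) !== null) decls.set(m[1], m[2]);
  return decls;
}

// Expanded length of one entity. `stack` catches cycles, `memo` keeps the
// work linear in the number of declarations instead of exponential.
function expandedSize(name, decls, stack, memo) {
  if (PREDEFINED.has(name)) return 1;
  if (memo.has(name)) return memo.get(name);
  if (stack.has(name)) throw new Error('cyclic entity: ' + name);
  const value = decls.get(name);
  if (value === undefined) throw new Error('undeclared entity: ' + name);
  stack.add(name);
  let size = 0, last = 0, m;
  const refRe = /&(\w+);/g;
  while ((m = refRe.exec(value)) !== null) {
    size += (m.index - last) + expandedSize(m[1], decls, stack, memo);
    last = m.index + m[0].length;
    if (size > MAX_EXPANSION_BYTES) throw new Error('expansion over budget: ' + name);
  }
  size += value.length - last; // literal text after the last reference
  stack.delete(name);
  memo.set(name, size);
  return size;
}

// Returns {ok: true, size, entities} or {ok: false, reason}.
function checkEntityExpansion(xml) {
  const decls = parseEntityDecls(xml);
  const body = xml.replace(/<!DOCTYPE[\s\S]*?\]\s*>/, ''); // drop internal subset
  const memo = new Map();
  const refRe = /&(\w+);/g;
  let total = 0, m;
  try {
    while ((m = refRe.exec(body)) !== null) {
      total += expandedSize(m[1], decls, new Set(), memo);
      if (total > MAX_EXPANSION_BYTES) throw new Error('document expansion over budget');
    }
    return { ok: true, size: total, entities: decls.size };
  } catch (e) {
    return { ok: false, reason: e.message };
  }
}

// Constructed sample inputs.
const TEN = (name) => `&${name};`.repeat(10);
const BILLION_LAUGHS =
  '<?xml version="1.0"?>\n<!DOCTYPE lolz [\n' +
  ' <!ENTITY lol "lol">\n' +
  ` <!ENTITY lol1 "${TEN('lol')}">\n` +   // 30 bytes
  ` <!ENTITY lol2 "${TEN('lol1')}">\n` +  // 300 bytes
  ` <!ENTITY lol3 "${TEN('lol2')}">\n` +  // 3,000 bytes
  ` <!ENTITY lol4 "${TEN('lol3')}">\n` +  // 30,000 bytes: over budget
  ']>\n<lolz>&lol4;</lolz>';
const BENIGN_XML =
  '<!DOCTYPE doc [ <!ENTITY co "Acme Corp"> ]><doc>&co; &amp; partners</doc>';
const CYCLIC_XML =
  '<!DOCTYPE doc [ <!ENTITY a "&b;"> <!ENTITY b "&a;"> ]><doc>&a;</doc>';
```

The benign document expands to 10 bytes and passes; the billion-laughs sample is rejected while sizing `lol4` without ever materialising the expansion, and the two mutually recursive entities are caught as a cycle.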
The OpenAjax Alliance talk about Gadgets & Widgets was nice. The alliance is working on creating standards for widget metadata, communication across widgets and other similar tasks. The goal is to enable successful adoption of open and interoperable Ajax-based Web technologies.
Dave Ferraiolo (from OpenAjax) particularly expressed thanks to jMaki for deriving the first set of Open Ajax Data Model specs from jMaki data models.
That's it!
Check out some of the pictures:
The complete album is available at:
I had to leave at the end of Day 2 because of an unfavorable health condition. But I'm glad at least I could deliver my talks :) Now I need to be back in shape before my upcoming trip next Tuesday!