Web Application Attack Surface
The attack surface is the composite of all avenues of attack against your application. Until recently, this has usually been looked at only in terms of validating user input. Now the attack surface also includes safeguarding data that is output to your client's display. Creating mashups adds the complexity of streaming data to and from other data providers. This opens up additional possibilities of what is attackable and often loses sight of where that attack might come from. AJAX requests—POST or GET, return data types, JSON or XML, remote connections, HTTP or HTTPS, account management actions, authentication or authorization—create a large mix of situations. Each of these actions needs to be defended properly via ...
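The output side of the attack surface described above, as an added example that is not from this book: a JSON response from a data provider is parsed as data and then rendered two ways, once by concatenating the values straight into markup and once by escaping each value at the point it is written into HTML. The sample response, the `escapeHtml` helper and the `containsInjectedTag` check are constructed for this illustration and are not part of the original text.

```javascript
// Constructed sample: what a mashup might receive back from a remote
// comment provider. One record carries markup inside ordinary data fields.
const SAMPLE_RESPONSE = JSON.stringify({
  comments: [
    { author: "alice", body: "Looks good to me" },
    { author: "<img src=x>", body: "<script>alert(1)</script>" },
  ],
});

// Minimal HTML entity map for text placed inside element content or
// double-quoted attribute values.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape every character that could start markup or close an attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe rendering: trusts the provider's data and concatenates it into
// the fragment as-is. Anything the provider (or whoever fed it) put in
// the fields becomes part of the page.
function renderCommentsUnsafe(jsonText) {
  // JSON.parse treats the response as data, never as executable code.
  const data = JSON.parse(jsonText);
  return data.comments
    .map((c) => `<li><b>${c.author}</b>: ${c.body}</li>`)
    .join("");
}

// Safe rendering: the only markup in the result is what the template
// itself emits; every data value is escaped where it enters the HTML.
function renderCommentsSafe(jsonText) {
  const data = JSON.parse(jsonText);
  return data.comments
    .map((c) => `<li><b>${escapeHtml(c.author)}</b>: ${escapeHtml(c.body)}</li>`)
    .join("");
}

// Demo check: does the fragment contain any tag other than the <li> and
// <b> tags the template writes? A true result means data leaked through
// as markup.
function containsInjectedTag(html) {
  return /<(?!\/?(li|b)>)[^>]*>/.test(html);
}

// Stand-alone run: show both renderings side by side.
console.log("unsafe:", renderCommentsUnsafe(SAMPLE_RESPONSE));
console.log("safe:  ", renderCommentsSafe(SAMPLE_RESPONSE));
```

The same escaping belongs at every sink, not only the one shown: data written into attributes, URLs or script blocks needs the encoding appropriate to that context, which is why enumerating each output location is part of mapping the attack surface.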