Archive of published articles from 2007

3D Slicer – Visualization and Image Analysis

30/11/2007

Slicer, or 3D Slicer, is a free, open source software package for visualization and image analysis. 3D Slicer is natively designed to be available on multiple platforms, including Windows, Linux and Mac OS X. The 3D Slicer (or simply Slicer) software was initially developed as a joint effort between the Surgical Planning Lab at Brigham and Women’s Hospital and the MIT AI Lab. The program has evolved into a national platform supported by a variety of federal funding sources. This versatile research environment has resulted in a wide array of functionality, supporting a variety of medical imaging projects. Slicer is a “point and click” end-user application. Slicer is used as a vehicle for delivering algorithms to computer scientists, biomedical researchers and clinical investigators. Slicer is distributed under an open source license without a reciprocity requirement and without restrictions on use.

Designing Visualizations for Time-Based Data

19/11/2007

Most interaction designers understand the concept of timelines and other time-based data. Blogs, calendars, and to-do lists are all examples of time-based data. However, if you are trying to fit 400 data points into a 1024 x 726 screen you’ll quickly see how challenging time-based data can be. Currently, many interaction designers are turning to visualizations to overcome many of the issues associated with this form of data representation. Below you’ll find a list of some of the best time-based visualizations on the web.

Also, if you want to see or learn more about data visualizations please visit DesignDemo and VizList. I post visualizations on a daily basis in both of these sections.

Please use the comments section of this post to let the community know of any useful resources I’ve left out. Most of the descriptions below are taken from the developers of the example. Thanks, Max.

The Sputnik Legacy
“The Soviet launch of Sputnik in 1957 kicked off the space race. Since then mankind has sent more than 150 missions to explore outer space. The Newsweek captures all 150 worldwide space flights in an easy to use timeline format. The visualization is sortable by year, timespan, planet and country. When you roll over a timeline point you get additional information about the flight. Additionally, if you click on the Inside Sputnik tab you get a visualization of Sputnik 1 and all of its parts. Very fun and easy to use.”

British History Timeline
“Explore all of British history, from the Neolithic to the present day, with this easy-to-use interactive timeline. Browse hundreds of key events and discover how the past has shaped the world we live in today. ‘Take a Journey’ when the timeline has loaded to follow themes such as Slavery, Women’s Rights and Technology.”

Timepiece – Visualize Film Ideas
“Timepiece is an experimental data visualization that helps you explore Filmforay’s site content, including all of their film ideas, new members, comments and votes on each film idea. Presently there are five months’ worth of data to explore; however, this will undoubtedly grow. As stated by Linden at Filmforay, “The visualization is done with Adobe Flash and pulls all recent data from the site, updated every 30 minutes. Currently it takes a pretty heavy toll on your CPU and loading does take some time, so older computers might have some trouble running it. And I’ll admit the design wouldn’t scale very well given a larger data set, but for the meager traffic filmforay has received so far it does just fine!” Time is one of the most challenging aspects to represent in data visualizations. Linden has created a very unique view of his site’s content over time.”

circaVie – Create and Share Timelines
“circaVie allows you to easily create multimedia timelines all about your life. Special events, noteworthy achievements, relationships, memorable vacations, interests and hobbies, celebrations, announcements… you name it. If it’s about life, it’s circaVie. By creating a circaVie timeline and adding events to it, you’re automatically able to share your life and interests with your friends, your family and the rest of the world in a brand new way. You can think of circaVie as a souped-up, unique way of blogging, where you can seamlessly share photos, video and text that other users can comment upon. Your timelines are also portable and can be shared anywhere you like since they’re all embeddable into your personal Web site, or online profile. Just create your timeline here and take it with you wherever you like!”

Recreating Movement
“Recreating Movement is a computer program for analysing film sequences and has been developed within a diploma thesis. With the help of various filters and settings Recreating Movement makes it possible to extract single frames of any given film sequence and arrange them behind each other in a three-dimensional space. This creates a tube-like set of frames that “freezes” a particular time span in a film. By using the keyboard the viewer can browse through the sequence of frames, choose any kind of view of the sequence of frames and influence the displayed frames directly via a displayable menu bar.”

Comment Timeline Visualization
“While gawking at some of the really cool toys by Moritz Stefaner, I got particularly interested in his post about visualizing time gaps in data and had a moment of inspiration. Instead of vertically gapping the data, you could “timeline” the data like we used to do in grade school.”

Slife
“Slife 1.3 offers a whole new way to keep track of what you do on your computer. Visualize your activities, improve your productivity and manage your time more efficiently. Slife observes everything you do on your computer and plots your activities in a graphical timeline. Its unique approach to activity tracking and time management opens up a world of possibilities.”

Timepedia Chronoscope
“Chronoscope is a visualization platform under development at Timepedia for time series datasets. Chronoscope stems from a desire for responsiveness and interactivity when navigating or authoring datasets. Ultimately we aim to bring something like the experience of Google Maps or Google Earth to time series data.”

Timeline of Trends & Events
“Timeline of Trends & Events (1750 to 2100) from futureswatch. Social change in America follows remarkably consistent patterns of behavior dating back to the time of the War of Independence. A close analysis of those patterns reveals why American society, at the beginning of the 21st century, is so bitterly divided. Those patterns also reveal the direction social and political values are likely to move over the next quarter century.”

SIMILE project
“SIMILE is a joint project conducted by the MIT Libraries and MIT CSAIL. SIMILE seeks to enhance inter-operability among digital assets, schemata/vocabularies/ontologies, metadata, and services. A key challenge is that the collections which must inter-operate are often distributed across individual, community, and institutional stores. We seek to be able to provide end-user services by drawing upon the assets, schemata/vocabularies/ontologies, and metadata held in such stores.”

Box2D Physics Engine

19/11/2007

Are you looking to add the z-axis to your simulations? Well, I’ve tried thinking in 3D, but it still escapes me. Box2D is an open source physics engine written primarily for games. As the name suggests, Box2D is a purely 2D engine. However, Box2D has grown beyond its humble box-simulating roots and can now handle convex polygons, with other shapes coming soon.

Ajax PHP tutorial

18/11/2007

In this article I will try to summarize the basics of Ajax and PHP communication. At the end you can find a full working Ajax – PHP example.

Website: http://www.ajaxf1.com/tutorial/ajax-php.html

AJAX Your Blog – Plugins, Source Code, and Tutorials

18/11/2007

I started this blog around the same time AJAX was introduced by Adaptive Path’s Jesse James Garrett. At the time there were no out-of-the-box add-ons for blogs. Fortunately, now there are a plethora of plugins, source code, and tutorials designed for specific blog software. The following is a list of AJAX components you can add to WordPress, Expression Engine, and Movable Type.

Please use the comments section of this post to let the community know of any useful resources I’ve left out. Most of the descriptions below are taken from the developers of the example. Thanks, m4x.

AJAX for WordPress

Live Spell Checker
“AJAX Live Spell Checker for Wordpress”

imgViewJX Wordpress Plugin
“imageViewJX is a WordPress plugin which takes all images from a given directory and flips through them on your WordPress site, without reloading the page. imgViewJX uses the AJAX library ‘xajax’. It is meant as a first experiment in using xajax in WordPress. Use it if you like it, or learn from it if you want to build something yourself.”

AJAX’d Wordpress
“AJAX’d Wordpress (AWP), formerly known as INAP, is an extremely powerful plugin that harnesses the power of AJAX and Wordpress to improve the user experience, the administration capabilities and the design potential of any Wordpress based blog. AWP’s basic features include inline paginated posts, inline comments, threaded comments, the ability to submit comments with AJAX, pagination of your homepage, live comment preview and much more, but it does not, however, force you to use any feature, and it also allows all aspects of the plugin to be easily customized through a single Administration panel. AWP is built to integrate with other plugins and features an advanced module system–based off of WordPress’ plugin system–that allows it to be modified with the addition of third-party extensions. It also has special features that will ensure compatibility with many other plugins.”

WP Ajax Edit Comments
“WordPress Ajax Edit Comments (for WP 2.1+) allows users and admins alike to edit comments on a post. Users can edit their own comments for a period specified by the admin, and admins can edit all post comments. What better way to show reader appreciation than letting the readers edit their own typos?”

AJAX Comments WPMUified
“This is a rework of an original plugin called AJAX Comments by contributors DjZoNe, Mike Smullin. Probably one of the best ways you could spice up your WordPress Blog with AJAX; readers love it! Must see for yourself. This plugin works well in all major Web browsers, and uses discrete AJAX. That means if JavaScript is disabled, it’s using the original comment posting method.”

AJAX Calendar (now WordPress 2 compatible!)
“AJAX Calendar is a plugin that will display an AJAXified WordPress calendar.”

AJAX Page Loader
“AJAX Page Loader will load posts, pages, etc. without reloading the entire page. This was my first plugin and is still a little quirky. There are problems with some themes. I am working a little at a time on this but if anyone wants to contribute, feel free.”

WP-Polls 2.21
“Adds an AJAX poll system to your WordPress blog. You can easily include a poll in your WordPress blog post/page. WP-Polls is extremely customizable via templates and CSS styles and there are tons of options for you to choose from to ensure that WP-Polls runs the way you want. It now supports multiple selection of answers.”

Plug ‘n’ Play Google Map
“This plugin creates a Google map on a WordPress static page of your choice. Any post that you attach a latitude and longitude to will appear on the map as a marker, with a pop-up bubble and a link to the post.”

Inline Ajax Page
“Inline Ajax Page (INAP) is an extremely powerful plugin that allows you to harness the power of AJAX to improve your user’s experience. INAP is not only able to load posts, comments and the add comment box inline, but can also submit comments, paginate posts, paginate your homepage, display a live comment preview. Other than a few minor theme edits when you first install the plugin, nothing has to be changed to test the power of INAP. All options can be controlled directly from the Administration Panel which allows you to customize nearly every aspect of INAP.”

AJAX Login
“AJAX Login means that the login process is executed without reloading the entire page. The user is alerted through messageboxes on errors, and the page is only reloaded when login succeeds. The same goes for registration and lost password retrieval! This plugin adds a nice templated box on your WordPress, either with a template tag or as a sidebar widget. In the default template the box contains functionality for logging in, registering as well as retrieving new passwords. If already logged in a logout link is displayed.”

Better-Than-Live AJAX WordPress Search v2
“Just a little less than a year ago I launched Better-Than-Live AJAX WordPress Search. I felt it was time to get back in the swing of things, so I’m now releasing version 2 of the script.”

AJAX for Expression Engine

AJAX Linktracker
“This module allows you to track clicks on arbitrary links. You can use it to track file downloads, outgoing links or even your internal navigation links. All you have to do is add a unique id attribute to any link you want to be tracked. The module utilizes JavaScript and an XMLHttpRequest to count the clicks. This has the disadvantage that you will not capture clicks by people who have JavaScript disabled. But on the other hand I see a lot of benefits. It uses no redirects, which makes it pretty unobtrusive; your links look as they always do and there is no rank denial. It’s easy to apply to virtually any link on-the-fly. And it’s not triggered by crawlers but only by people behind browsers.”

EE Ajax Edit Comments
“Allows One To Edit Comments Via AJAX”

Edit Tab AJAX
“Adds the Ability for Dynamic Searching and Sorting in the Edit Tab”

ExpressionEngine and AJAX
“As the introduction said I’m going to show you how I added the Ajax functionality to the Jambor-ee homepage, or more specifically, how you can replace certain content (in our case the showcase site details) through a user click without the need for a page refresh.”

Expression Engine Ajax Slideshow
“Adding an ajax slideshow to Expression Engine easily and simply. Expression Engine can easily have ajax functions added due to its innate configurability and template system.”

Expression Engine Ajax Photo Gallery
“An ajax photo gallery done in Expression Engine. Expression Engine being easily configured and a simple template system makes adding ajax photo galleries and ajax media display and other ajax functions a simple matter.”

AJAX enabled EE Tags
“The Tag Module allows you and your users to tag weblog entries with keywords or phrases. Using the module, you can build templates that pull entries by tag. You can show tag clouds and more.”

AJAX for Movable Type

Movable Type AJAX Search
“This article allows you to easily implement in-page search results in any Movable Type page. What exactly does this mean? Your standard Movable Type blog has a nifty search form on every page. One thing I have always wanted is to display the search results IN the page without refreshing to another page. This is quite easy to do using JavaScript and a few commands [notably XMLHttpRequest()] that make up something we call AJAX.”

Ajax Archive Drop Downs
“In this thread, Gary highlighted how to have drop downs of archives that basically redirected to the appropriate page once an archive was chosen. With this tutorial, I’ll take that one step further and use AJAX such that when you select an archive, rather than redirecting to the corresponding archive page, the appropriate posts will just replace those currently shown.”

Movabletype Ajax Photo Gallery
“Using some PHP and ajax I have a new demo of an ajax photo gallery I created for Movable Type. I can see many uses for this integrated into your website or as a stand-alone gallery. It’s nice to be able to view the photos without constant page reloads and also free of jumping as the next photo loads.”

AjaxRating
“Ajax Rating is a plugin for Movable Type that enables visitors to rate your entries or your blog.”

Quote
“Quote 2.0 is a plugin for Movable Type 4.0 that easily allows commentators to quote a previous comment. It uses AJAX/JSON to retrieve previous comments and enter their quoted text into comment boxes.”

MTYahooMaps
“MTYahooMaps is a Movable Type Plugin that allows you put Yahoo Maps in Posts.”

Easy AJAX comments in MovableType using Mootools
“The title says it all. Using the AJAX library from Mootools I was able to AJAXify the comment forms in Movable Type. Mootools makes it easy by supplying a Send() method in the Ajax class.”

Ajaxify: EnhancedEntryEditing
“Ajaxify is a series of BigPAPI plugins that adds various JavaScript and AJAX widgets into Movable Type’s interface. It has, of course, been built for Movable Type 3.2. The first of which is EnhancedEntryEditing.”

Osprey – Visualization Platform

18/11/2007

Osprey is a software platform for visualizations of complex interaction networks. Osprey builds data-rich graphical representations from Gene-Ontology (GO) annotated interaction data maintained by The GRID.

Graffiti Archaeology

18/11/2007

Graffiti Archaeology is a project devoted to the study of graffiti-covered walls as they change over time. The core of the project is a timelapse collage, made of photos of graffiti taken at the same location by many different photographers over a span of several years. The photos were taken in San Francisco, New York, Los Angeles and other cities, over a timespan from the late 1990s to the present. Using the grafarc explorer, you can visit some classic graffiti spots, see what they looked like in the past, and explore how they have changed over the years.

AxsJAX - Access-Enabling AJAX

15/11/2007

AJAX techniques have helped Web developers create live applications within Web browsers. The AxsJAX framework helps inject accessibility features into these applications so that users of adaptive technologies such as screen readers and self-voicing browsers experience the same level of interactivity that is now taken for granted by users of Web 2.0 applications.

Website: http://code.google.com/p/google-axsjax/

Graphviz – Graph Visualization Software

15/11/2007

“Graph visualization is a way of representing structural information as diagrams of abstract graphs and networks. Automatic graph drawing has many important applications in software engineering, database and web design, networking, and in visual interfaces for many other domains. Graphviz is open source graph visualization software. It has several main graph layout programs. See the gallery for some sample layouts. It also has web and interactive graphical interfaces, and auxiliary tools, libraries, and language bindings.”

Competitive Edge Landscape v1.0

15/11/2007

The FutureBoston Competitive Edge Landscape is an experimental tool to explore the factors that make or break a city in today’s competitive global economy. It integrates data on economic performance, innovation, population, and quality of life to help the user see where and what is happening in the Boston region. This tool is a proof-of-concept. It is intended to demonstrate the early stages of what a more advanced tool could do, i.e., help people better understand the complex dynamics that affect their lives and make better decisions.

AJAX’d Wordpress

14/11/2007

AJAX’d Wordpress (AWP), formerly known as INAP, is an extremely powerful plugin that harnesses the power of AJAX and Wordpress to improve the user experience, the administration capabilities and the design potential of any Wordpress based blog. AWP’s basic features include inline paginated posts, inline comments, threaded comments, the ability to submit comments with AJAX, pagination of your homepage, live comment preview and much more, but it does not, however, force you to use any feature, and it also allows all aspects of the plugin to be easily customized through a single Administration panel. AWP is built to integrate with other plugins and features an advanced module system–based off of WordPress’ plugin system–that allows it to be modified with the addition of third-party extensions. It also has special features that will ensure compatibility with many other plugins.

Website: http://anthologyoi.com/awp

WP Ajax Edit Comments

14/11/2007

WordPress Ajax Edit Comments (for WP 2.1+) allows users and admins alike to edit comments on a post. Users can edit their own comments for a period specified by the admin, and admins can edit all post comments. What better way to show reader appreciation than letting the readers edit their own typos?

Website: http://www.raproject.com/wordpress/wp-ajax-edit-comments/

Visualization Programming Languages, Software, and Toolkits

13/11/2007

If you’ve seen websites such as Digg Big Spy, We Feel Fine, or Gapminder and you’re a web surfer, you are probably amazed. If, however, you’re a web designer or programmer, you may be wondering how to accomplish these dramatic visualizations. Below you’ll find a list of visualization software, toolkits and programming languages to get you started.

Also, if you want to see or learn more about data visualizations please visit DesignDemo and VizList. I post visualizations on a daily basis in both of these sections.

Please use the comments section of this post to let the community know of any useful resources I’ve left out. Most of the descriptions below are taken from the developers of the example. Thanks, Max.

Visualization Programming Languages

Processing
Processing is an open source programming language and environment for people who want to program images, animation, and sound. It is used by students, artists, designers, architects, researchers, and hobbyists for learning, prototyping, and production.

Visualization Software

OpenDX
The open source software project based on IBM’s visualization data explorer. If you need visualization for anything from examining simple data sets to analyzing complex, time-dependent data from disparate sources, OpenDX has what you need: features and functions that let you easily gain meaningful insight into your data.

Packet Garden
Packet Garden captures information about how you use the internet and uses this stored information to grow a private world you can later explore. To do this, Packet Garden takes note of all the servers you visit, their geographical location and the kinds of data you access. Uploads make hills and downloads valleys, their location determined by numbers taken from the internet address itself. The size of each hill or valley is based on how much data is sent or received. Plants are also grown for each protocol detected by the software; if you visit a website, an ‘HTTP plant’ is grown. If you share some files via eMule, a ‘Peer to Peer plant’ is grown, and so on.

Visualization Toolkits

The Flare Visualization Toolkit
Flare is a collection of ActionScript 3 classes for building a wide variety of interactive visualizations. For example, flare can be used to build basic charts, complex animations, network diagrams, treemaps, and more. Flare is written in the ActionScript 3 programming language and can be used to build visualizations that run on the web in the Adobe Flash Player. Flare applications can be built using the free Adobe Flex SDK or Adobe’s Flex Builder IDE. Flare is based on prefuse, a full-featured visualization toolkit written in Java. Flare is open source software licensed under the terms of the BSD license, and can be freely used for both commercial and non-commercial purposes.

Prefuse Visualization Toolkit
A Java-based toolkit for building interactive information visualization applications.

Enterprise Visualizations

i2
i2 Inc. is the leading worldwide provider of visual investigative analysis software for law enforcement, intelligence, military and Fortune 500 organizations.

Visualization Tools

Graph Gear – Graph Visualization Component
This is a very simple example of the Graph Gear component. The contents of simple.xml are rendered as an interactive graph through JavaScript to a Flash component.

Many Eyes
Many Eyes is a visualization tool created by the Visual Communication Lab which is part of IBM’s Collaborative User Experience research group. As they say on their website, “Many Eyes is a bet on the power of human visual intelligence to find patterns. Our goal is to “democratize” visualization and to enable a new social kind of data analysis. Jump right to our visualizations now, take a tour, or read on for a leisurely explanation of the project.”

Slife
Slife 1.3 offers a whole new way to keep track of what you do on your computer. Visualize your activities, improve your productivity and manage your time more efficiently. Slife observes everything you do on your computer and plots your activities in a graphical timeline. Its unique approach to activity tracking and time management opens up a world of possibilities.

circaVie – Create and Share Timelines

13/11/2007

circaVie allows you to easily create multimedia timelines all about your life. Special events, noteworthy achievements, relationships, memorable vacations, interests and hobbies, celebrations, announcements… you name it. If it’s about life, it’s circaVie. By creating a circaVie timeline and adding events to it, you’re automatically able to share your life and interests with your friends, your family and the rest of the world in a brand new way. You can think of circaVie as a souped-up, unique way of blogging, where you can seamlessly share photos, video and text that other users can comment upon. Your timelines are also portable and can be shared anywhere you like since they’re all embeddable into your personal Web site, or online profile. Just create your timeline here and take it with you wherever you like!

Demographics Visualizer

13/11/2007

This application allows you to interact with demographic data and visualize it in an easy to use manner. It’s Flash based and is a Microsoft Virtual Earth mashup. It allows you to browse U.S. census data by county, population, age, ethnicity, election results, and income. There are many applications for a website like this; as they say on their site, “For any business to be successful, they must take into account both their customers and surrounding areas. Using Visual Fusion Client and Visual Fusion Server, our Demographics Visualizer allows you to pinpoint components of a region to determine where and how your business can be successful. This application allows the individual user to set their search criteria and cater the results for various uses.”

Walk2Web – Website Connection Visualization

11/11/2007

Walk2Web is a new way to explore web sites from a specified starting point. You type in a starting point, like http://www.blogschmog.net, and you see a page with a screenshot sample of the site and the first two levels of a search network, with sites as nodes. There are no more than six at a time, split between incoming and outgoing links, with options to display more in either direction. The network grows as you explore, allowing you to make use of some simple directional tools to navigate the part of the World Wide Web you are manually crawling.

The Sputnik Legacy

10/11/2007

The Soviet launch of Sputnik in 1957 kicked off the space race. Since then mankind has sent more than 150 missions to explore outer space. The Newsweek captures all 150 worldwide space flights in an easy to use timeline format. The visualization is sortable by year, timespan, planet and country. When you roll over a timeline point you get additional information about the flight. Additionally, if you click on the Inside Sputnik tab you get a visualization of Sputnik 1 and all of its parts. Very fun and easy to use.

Medical Image Processing and Visualization

9/11/2007

MeVisLab, the successor of the image processing environment ILAB4, represents a platform for image processing research and development with a focus on medical imaging. It allows fast integration and testing of new algorithms and the development of application prototypes that can be used in clinical environments. Besides general image processing algorithms and visualization tools, MeVisLab includes advanced medical imaging modules for segmentation, registration, volumetry, and quantitative morphological and functional analysis. MeVisLab has been developed by MeVis Research GmbH in Bremen, Germany. Based on MeVisLab, several clinical prototypes have been realized, including software assistants for neuro-imaging, dynamic image analysis, surgery planning, and vessel analysis.

How To Make AJAX Work For You

8/11/2007

A three hour video Ajax tutorial presented at Web 2.0 Expo Berlin on November 5th 2007.

Website: http://www.slideshare.net/simon/how-to-make-ajax-work-for-you/

Javascript and AJAX Security – How to Make Your Website Safe

8/11/2007

Beneath the peppy front ends of many of today’s Rich Internet Applications lies a dark flaw that, if left unchecked, can bring a site to its knees. For the past few years many designers and developers have been adding AJAX and JavaScript functionality to their websites. Many of these websites are exposed to threats such as cross-site scripting (also known as XSS), cross-site request forgery (XSRF), and several other well-known classes of attack. Maybe you’re using one of the popular libraries, such as Prototype and script.aculo.us, or Dojo, and think you’re safe. Think again. Unless you’ve applied the relevant security fixes, you may be vulnerable to several types of attack. The same goes for blog plugins, popular open source applications, and of course the plethora of free JavaScript and AJAX add-ons available at free script websites. If you want to protect yourself, please read on.

Below you’ll find a list of the sites I’ve visited to learn more about Javascript and AJAX security. Please let me know through email or a comment if you know of any other great security resources, and I’ll be glad to post them. Most of the descriptions below are taken from the developers of the example. Thanks, Max.

AJAX Security Articles

Ajax Security: Stronger than Dirt?
“Ajax allows the development of more feature rich, asynchronous applications, but in doing so opens up new possibilities for attackers. We look at the relevant security issues and their possible solutions. Ajax (Asynchronous JavaScript and XML) lurched into being in 2005. As a web services model, Ajax is touted as the next big thing by many who work in web development. Like all big things however, Ajax is not without its faults, one of the most pronounced being that not many people actually know what Ajax is, and what potential risks could be introduced into enterprise environments by embracing it. This article examines what Ajax is, the security implications for Ajax applications, and details a range of potential attack vectors against this technology together with possible defences.”

Developers Warned to Secure AJAX Design
“Security firm Fortify Software has stepped forward to warn Web site developers that most frameworks for deploying interactive functionality use JavaScript in a way that could lead to their applications leaking user data. The problem, dubbed JavaScript hijacking by the firm, occurs because popular asynchronous JavaScript and XML (AJAX) toolkits use the scripting language as a transport mechanism without due consideration to security. The basic threat is that malicious Web sites could use cross-site request forgery (XSRF) to steal data from other AJAX-enabled Web applications, Fortify stated in a report released on Monday.”

JSON is Not As Safe As People Think It Is
“I saw some discussion recently about using JSON for secured data, and I’m not sure that everyone understands the risks. I believe that JSON is unsafe for anything but public data unless you are using unpredictable URLs. There are 2 problems. CSRF (Cross Site Request Forgery) allows attackers to bypass cookie based authentication. I blogged about it a while ago. Wikipedia talks about it. CSRF allows you to invoke cookie protected actions on a remote server. It allows Mr. Evil to trick Mrs. Innocent into transferring money from her bank account into his. Far less known perhaps, is the JSON/Array hack that allows a user to steal JSON data on Mozilla and any other platform with a modern JavaScript interpreter.”

Myth-Busting AJAX (In)security
“The hype surrounding AJAX and security risks is hard to miss. Supposedly, this hot new technology responsible for compelling web-based applications like Gmail and Google Maps harbors a dark secret that opens the door to malicious hackers. Not exactly true. Even the most experienced website developers and security experts have a difficult time cutting through the buzzword banter to find the facts. And, the fact is most websites are insecure, but AJAX is not the culprit. Although AJAX does not make websites any less secure, it’s important to understand what does.”

New chapter and verse on Ajax Security
“The increased use of Ajax has brought to the forefront concern about its security. Recognizing that this is an issue, the Open Web Application Security Project (OWASP) is updating its Guide to Building Secure Web Applications to include a separate chapter on Ajax. Andrew van der Stock, who is heading the Guide project and who also wrote the Ajax chapter, spoke with SearchAppSecurity.com recently about Ajax security and what risks developers need to be concerned about.”

The Cross Site Scripting (XSS) FAQ
“Websites today are more complex than ever, containing a lot of dynamic content making the experience for the user more enjoyable. Dynamic content is achieved through the use of web applications which can deliver different output to a user depending on their settings and needs. Dynamic websites suffer from a threat that static websites don’t, called “Cross Site Scripting” (or XSS dubbed by other security professionals). Currently small informational tidbits about Cross Site Scripting holes exist but none really explain them to an average person or administrator. This FAQ was written to provide a better understanding of this emerging threat, and to give guidance on detection and prevention.”

Top 10 Ajax Security Holes and Driving Factors
“One of the central ingredients of Web 2.0 applications is Ajax encompassed by JavaScripts. This phase of evolution has transformed the Web into a superplatform. Not surprisingly, this transformation has also given rise to a new breed of worms and viruses such as Yamanner, Samy and Spaceflash. Portals like Google, NetFlix, Yahoo and MySpace have witnessed new vulnerabilities in the last few months. These vulnerabilities can be leveraged by attackers to perform Phishing, Cross-site Scripting (XSS) and Cross-Site Request Forgery (XSRF) exploitation.”

AJAX Security Tools

AJAX Secure Service Layer
“We see it all around us, recently. Web applications get niftier by the day by utilising the various new techniques recently introduced in a few web-browsers, like I.E. and Firefox. One of those new techniques involves using Javascript. More specifically, the XmlHttpRequest-class, or object.”

AJAX: Is Your Application Secure Enough?
“aSSL is a library distributed under MIT License that implements a technology similar to SSL without HTTPS. aSSL enables the client to negotiate a secret random 128-bit key with the server using the RSA algorithm. Once the connection has been established, the data will be sent and received using AES algorithm. aSSL is composed of some Javascript files and a server side component. Because I have recently changed the negotiation algorithm from RC4 to RSA, only a pure Javascript (ASP) server component is currently available. I will port it to the main web languages (PHP, Java, Perl, Python, TKL, etc.) as soon as possible once the library has passed the beta phase.”

How to Protect a JSON or Javascript Service
“There have been lots of explanations recently of the dangers of JSON or JavaScript remoting. This post is about what you can do to protect your scripts.”
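The three items above (JavaScript hijacking, the JSON/Array hack, and protecting a JSON service) describe the same defence from different angles: private data must not be retrievable by a cross-site `<script src>` include or a forged request that rides on the victim's cookies. The following is an added example, not code from any of the linked articles or from this post's author. The request and response objects are plain constructed values standing in for a real server, the header names and the `)]}',` prefix are conventions assumed for the illustration, and `new Function` is used only to simulate a browser compiling the response as a script.

```javascript
// Added example: hardening a cookie-authenticated JSON endpoint against
// CSRF and cross-site <script src> inclusion ("JavaScript hijacking").
// Nothing here talks to a network; req/res are constructed plain objects.

// Prefix that is not valid JavaScript, so a <script src=...> include of the
// response fails to compile instead of handing the data to an attacker page.
const UNPARSEABLE_PREFIX = ")]}',\n";

// Server side. Answer with private data only when the request carries
// (a) a header a cross-site <script> or <form> cannot set (a cross-origin
//     XMLHttpRequest would need a CORS preflight the server never grants),
// (b) a per-session anti-CSRF token, and
// (c) the POST method, so the endpoint is never a plain GET anyone can embed.
function serveAccountJson(req, sessionToken, accountData) {
  const xhrHeader = req.headers["x-requested-with"] === "XMLHttpRequest";
  const tokenOk = req.headers["x-csrf-token"] === sessionToken;
  if (req.method !== "POST" || !xhrHeader || !tokenOk) {
    return { status: 403, body: '{"error":"forbidden"}' };
  }
  // Wrap the payload in an object rather than a bare array (the shape the
  // Array-constructor hack targeted) and prepend the unparseable prefix.
  return {
    status: 200,
    body: UNPARSEABLE_PREFIX + JSON.stringify({ data: accountData }),
  };
}

// Client side (same-origin XMLHttpRequest): strip the prefix and use
// JSON.parse; eval() on a response body would re-open the door.
function parseProtectedJson(body) {
  if (!body.startsWith(UNPARSEABLE_PREFIX)) {
    throw new Error("unexpected response framing");
  }
  return JSON.parse(body.slice(UNPARSEABLE_PREFIX.length));
}

// What happens if an attacker page includes the response via <script src>:
// the browser compiles the body as script. Returns true when that compile
// step fails with a SyntaxError, i.e. the data cannot be hijacked this way.
function scriptTagInclusionFails(body) {
  try {
    new Function(body); // stand-in for the browser's script compilation
    return false;       // compiled fine: a bare array/object literal leaks
  } catch (e) {
    return e instanceof SyntaxError;
  }
}

// Constructed sample exchange.
function demo() {
  const sessionToken = "tok-123";
  const legit = {
    method: "POST",
    headers: { "x-requested-with": "XMLHttpRequest", "x-csrf-token": sessionToken },
  };
  const ok = serveAccountJson(legit, sessionToken, { balance: 42 });
  const crossSite = serveAccountJson({ method: "GET", headers: {} }, sessionToken, { balance: 42 });
  return {
    legitStatus: ok.status,
    balance: parseProtectedJson(ok.body).data.balance,
    crossSiteStatus: crossSite.status,
    hijackBlocked: scriptTagInclusionFails(ok.body),
    bareArrayLeaks: !scriptTagInclusionFails('[{"balance":42}]'),
  };
}
```

The three checks are layered on purpose: the method and header checks stop the request from being made cross-site, the token stops a forged request that somehow carries the right headers, and the prefix is the last line of defence if a private response is ever reachable by a script include. Unpredictable URLs, which the JSON post above mentions, are a weaker substitute for the token because URLs leak through referrers, history and logs.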

DOM Security

DOM Based Cross Site Scripting or XSS of the Third Kind
“We all know what Cross Site Scripting (XSS) is, right? It’s that vulnerability wherein one sends malicious data (typically HTML stuff with Javascript code in it) that is echoed back later by the application in an HTML context of some sort, and the Javascript code gets executed. Well, wrong. There’s a kind of XSS which does not match this description, at least not in some fundamental properties. The XSS attacks described above are either “non-persistent”/”reflected” (i.e. the malicious data is embedded in the page that is returned to the browser immediately following the request) or “persistent”/”stored” (in which case the malicious data is returned at some later time). But there’s also a third kind of XSS attacks – the ones that do not rely on sending the malicious data to the server in the first place! While this seems almost contradictory to the definition or to common sense, there are, in fact, two well described examples for such attacks. This technical note discusses the third kind of XSS, dubbed “DOM Based XSS”. No claim is made to novelty in the attacks themselves, of course, but rather, the innovation in this write-up is about noticing that these belong to a different flavor, and that flavor is interesting and important.”
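The defining property of DOM-based XSS is that the payload (typically in the URL fragment) never reaches the server, so server-side filtering and logs cannot catch it; the fix has to happen where the client script writes untrusted data into the page. The following is an added example, not code from the technical note or from this post. It has no real DOM: each function returns the HTML string that would be written, so the effect can be checked offline, and the greeting page and payloads are constructed for the illustration. It also covers the neighbouring XSS entries on this page (the XSS FAQ and the prevention article under JavaScript Security Tools), since the encoding rule is the same for reflected and stored XSS.

```javascript
// Added example: a DOM-based XSS sink and its hardened form.
// Functions return the markup that would be written, instead of touching
// document.write / innerHTML, so this runs outside a browser.

function fragmentToName(hash) {
  const raw = hash.replace(/^#/, "");
  try {
    return decodeURIComponent(raw);
  } catch (e) {
    return raw; // malformed percent-encoding: keep the raw text
  }
}

// Vulnerable: the fragment is interpolated straight into markup.
// A URL such as https://example.test/#<img src=x onerror=alert(1)>
// runs script in the victim's browser without the server seeing the payload.
function renderGreetingUnsafe(hash) {
  return "<p>Hello " + fragmentToName(hash) + "</p>";
}

// Encode for HTML element content and quoted attribute values.
// The five characters are the ones that can change parsing context there.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: same page, untrusted text encoded for the HTML context.
// In a real page the equivalent is setting element.textContent rather
// than building markup at all.
function renderGreetingSafe(hash) {
  return "<p>Hello " + escapeHtml(fragmentToName(hash)) + "</p>";
}

// HTML-encoding is not enough for a URL sink (href, src): "javascript:"
// contains nothing that encoding touches. Allow only http(s) and relative
// URLs. Browsers strip tab/newline anywhere in a URL and trim leading
// whitespace, so do the same before looking at the scheme.
function safeHref(url) {
  const cleaned = String(url).replace(/[\t\n\r]/g, "").trim();
  const hasScheme = /^[a-z][a-z0-9+.-]*:/i.test(cleaned);
  if (hasScheme && !/^https?:/i.test(cleaned)) {
    return "#"; // drops javascript:, data:, vbscript: and any other scheme
  }
  return escapeHtml(cleaned); // still attribute-encode the allowed value
}
```

The two rules to take from this are: pick the encoding by the output context (element content, attribute, URL, and JavaScript string each differ), and treat `location.hash`, `location.search`, `document.referrer` and `window.name` as attacker-controlled input on the client exactly as a server treats a query parameter.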

General Client-Side Component Security

Hacking Web 2.0 Applications with Firefox
“AJAX and interactive web services form the backbone of “web 2.0” applications. This technological transformation brings about new challenges for security professionals. This article looks at some of the methods, tools and tricks to dissect web 2.0 applications (including Ajax) and discover security holes using Firefox and its plugins.”

Prepare for Attack!–Making Your Web Applications More Secure
“Arm yourself and prepare for battle! This post is intended as a reminder about the possible security attacks your Web application may be vulnerable to. While it is not meant as a comprehensive guide to Web-application security, it can give you some ideas on how to better protect your applications.”

XSS, Cookies, and Session ID Authentication – Three Ingredients for a Successful Hack
“Cross site scripting (XSS) errors are generally considered nothing more than a nuisance — most people do not realize the inherent danger these types of bugs create. In this article Seth Fogie looks at a real life XSS attack and how it was used to bypass the authentication scheme of an online web application, leading to “shell” access to the web server.”

Vulnerability Scanning Web 2.0 Client-Side Components
“Web 2.0 applications are a combination of several technologies such as Asynchronous JavaScript and XML (AJAX), Flash, JavaScript Object Notation (JSON), Simple Object Access Protocol (SOAP), Representational State Transfer (REST). All these technologies, along with cross-domain information access, contribute to the complexity of the application. We are seeing a shift towards empowerment of an end-user’s browser by loading libraries.”

Javascript Security Articles

Community Creators, Secure Your Code!
“Personalization is a great feature–it allows users to make their personal pages come to life by adding colors, pictures, and even sound–but as with any user input, it is a security threat if not properly sanitized. The creation of a secure online community is a balancing act: your users should be able to personalize their pages using pseudo code or actual HTML, while remaining protected from vandals who might inject malicious JavaScript or otherwise cause harm. One piece of the larger security puzzle is cross-site scripting (XSS). In part one of this two-article series, we will look at various XSS techniques you should be aware of, and at common methods of defending your community against them. In part two, we’ll use real-world examples to explore these techniques in greater detail.”

Detecting, Analyzing, and Exploiting Intranet Applications using JavaScript
“Imagine visiting a blog on a social site or checking your email on a portal like Yahoo’s Webmail. While you are reading the Web page JavaScript code is downloaded and executed by your Web browser. It scans your entire home network, detects and determines your Linksys router model number, and then sends commands to the router to turn on wireless networking and turn off all encryption. Now imagine that this happens to 1 million people across the United States in less than 24 hours. This scenario is no longer one of fiction.”

Javascript Security Tools

Javascript Security Tutorial
“JavaScript has its own security model, but this is not designed to protect the Web site owner or the data passed between the browser and the server. The security model is designed to protect the user from malicious Web sites, and as a result, it enforces strict limits on what the page author is allowed to do. They may have control over their own page inside the browser, but that is where their abilities end.”

Security for GWT Applications
“It is a sad truth that JavaScript applications are easily left vulnerable to several types of security exploits, if developers are unwary. Because the Google Web Toolkit (GWT) produces JavaScript code, we GWT developers are no less vulnerable to JavaScript attacks than anyone else. However, because the goal of GWT is to allow developers to focus on their users’ needs instead of JavaScript and browser quirks, it’s easy to let our guards down. To make sure that GWT developers have a strong appreciation of the risks, we’ve put together this article.”

Preventing Cross Site Scripting Attacks
“Cross site scripting (XSS) is basically using JavaScript to execute JavaScript from an unwanted domain in a page. Such scripts could expose any data in a page that is accessible by JavaScript including cookies, form data, or content to a 3rd party. Here is how you can prevent your web pages from being exploited on both the client and the server. This is followed with tips on how to avoid vulnerable sites.”

Javascript Encryption

Cryptography: JavaScript MD5
“Over the web, JS cryptography can only protect against passive eavesdropping, as the JavaScript itself is downloaded over an insecure link. If an attacker can modify network traffic, they can make malicious changes to the JavaScript code. In any case, JS interpreters are not designed for secure programming. They may leave sensitive information lying about in memory. They’re too slow for some algorithms, e.g. BSD-style MD5 passwords, or RSA with full-size keys. Bitwise operations are buggy in several implementations.”

JavaScript Encryption Program
“This page includes an open source JavaScript implementation of the RC4, AES, Serpent, Twofish, Caesar and RSA ciphers. Ciphers can encrypt and decrypt information such that persons who do not know the password (the decryption key) can not read it. The implemented ciphers are strong enough to protect important information such as your passwords and PIN numbers.”
