
Overview

The Hands-On, Practical Guide to Preventing Ajax-Related Security Vulnerabilities

More and more Web sites are being rewritten as Ajax applications; even traditional desktop software is rapidly moving to the Web via Ajax. But, all too often, this transition is being made with reckless disregard for security. If Ajax applications aren’t designed and coded properly, they can be susceptible to far more dangerous security vulnerabilities than conventional Web or desktop software. Ajax developers desperately need guidance on securing their applications: knowledge that’s been virtually impossible to find, until now.

Ajax Security systematically debunks today’s most dangerous myths about Ajax security, illustrating key points with detailed case studies of actual exploited Ajax vulnerabilities, ranging from MySpace’s Samy worm to MacWorld’s conference code validator. Even more important, it delivers specific, up-to-the-minute recommendations for securing Ajax applications in each major Web programming language and environment, including .NET, Java, PHP, and even Ruby on Rails. You’ll learn how to:

- Mitigate unique risks associated with Ajax, including overly granular Web services, application control flow tampering, and manipulation of program logic
- Write new Ajax code more safely—and identify and fix flaws in existing code
- Prevent emerging Ajax-specific attacks, including JavaScript hijacking and persistent storage theft
- Avoid attacks based on XSS and SQL Injection—including a dangerous SQL Injection variant that can extract an entire backend database with just two requests
- Leverage security built into Ajax frameworks like Prototype, Dojo, and ASP.NET AJAX Extensions—and recognize what you still must implement on your own
- Create more secure “mashup” applications

Ajax Security will be an indispensable resource for developers coding or maintaining Ajax applications; architects and development managers planning or designing new Ajax software; and all software security professionals, from QA specialists to penetration testers.

Amazon.com® Reader Reviews (Ranked by Helpfulness)

Average Amazon.com® Rating: 5.0 out of 5, based on 7 ratings

Curiosity Killed the Internet - 2008-02-05
Are you a web developer? Do you believe you can ensure that your client-side code will function as expected? Well, you are wrong. In Ajax Security you will find out why.

Ajax changes the game in that it moves business logic to the client. In doing so it increases the attack surface of the application. The authors get curious with some real world Ajax frameworks such as Prototype, Dojo, and Microsoft Ajax. They demonstrate with these frameworks how developers might be unknowingly building vulnerabilities into their applications. If you're home brewing Ajax, the authors cover important security considerations you'll need to know so that you don't make the same mistakes the industry leaders have made.

I learned a lot about JavaScript from reading this book. I learned even more about how JavaScript can be used maliciously. The authors describe techniques for function clobbering, JSON hijacking, storage attacks, and presentation layer attacks. One of my favorite parts of the book, not to mention one of the scariest, is an explanation of how to hide malicious JavaScript from signature based anti-virus software.

The authors explain why the Same-Origin Policy is broken and how it can be subverted. Also covered are security considerations for offline applications. An in-depth analysis of Ajax worms is included. If you are curious about how Ajax is changing web security you should read this book. If you are a web developer or a security professional you should read this book, even if you aren't using Ajax. If you don't believe cross-site scripting is a "big deal", I dare you to read this book and maintain the same opinion.

Ajax Security - 2008-03-10
This is a very good book. I've created so many websites using AJAX technology. This book enabled me to check how secure the websites are. I am glad that I fulfilled all the details without having thorough knowledge of AJAX security. But this book has collected all the security checkpoints in one place.

Every ajax developer must read it - 2008-02-17
A lot of examples show how absolutely everything could be attacked and corrupted in the chain of components used for building ajax applications, from css (yes, even css) to html, from javascript to http, from browser to server ... Sometimes there are too many lines about evident things, and sometimes things seem more proof of concept than real possible attacks. But these guys know what they are talking about. This is an excellent book that every serious ajax developer must have read, especially if they plan to make mashups or let their users bring and share things using their applications.

Very well written. - 2008-11-30
The book is nicely organized and gives a very clear introduction to the concepts of web application security, including listing major vulnerabilities and attack vectors, and then, after establishing these basics, it dives in with examples, details and tips to explain Ajax, its usage, its misuse and the security implications. The attack vectors are not only mentioned or explained in theory; they are given an example story as context and for understanding attackers' motivation, and then the technical aspects are carefully detailed to form a clear picture of the problem, which then prepares the reader to understand and accept the suggested "dos and don'ts".

The book gives good attention to the bigger picture: JavaScript's capabilities and limitations, the impact of the available variety of browsers, development frameworks, social aspects and more. Even QA of JavaScript and Ajax applications is mentioned, though I think that such a topic cannot be sufficiently covered in a single overview chapter (in this book the authors tried to give an overview while presenting a few tools and discussing their advantages and disadvantages), and it well deserves to be covered in detail and with a lot of examples in a separate title.

I especially appreciated the good job that the authors did, in my opinion, of conveying what I think is the most important security-related detail about JavaScript and Ajax: never, ever trust anything that is being executed, stored or calculated on the client side!

I found the book to be more than just a source of information, something that will bring me up to speed with the field's jargon. I found it to be inspiring. I cannot wait for a similar book on browser plug-in security. I hope that the authors have something like that cooking already.

The book, as you might understand already, is highly recommended.

Clear book that ALL web developers & security specialists should read - 2009-08-10
I have many hundreds of books, mostly technical, accumulated over 20 years of working in IT.

In my view this is one of the most important books I have ever read, not because it's long (it's not) or very advanced (it's not) but because it explains very, very clearly:

- why AJAX is such an important technology (so far the most widely accessible technology to deliver on the promise of 'write once, run anywhere', already in its short life far more widely available and useful than any other client/server technology, including Java, has ever become)

- why security is such a big issue for AJAX applications (they have all of the risks of fat clients, plus all of the risks of thin clients)

- what can be done practically, and at comparatively little cost and effort, through the application of good security design practices to mitigate the risks

In simple terms, this is a book about the positive 'enabling' side of security, providing valuable insight into how to deliver all the benefits of AJAX without suffering negative consequences.

I can't think of many books I've read that contain this much valuable content and insight in such a concise and clearly written form. Even if I were only to use the insight that this book provides for one small personal project, it would be worth far more than the cover price.

What makes the content all the more valuable, though, is that the insight provided by this book is not a 'one hit wonder'; it's actually a look ahead into the next few years of where the major volume of new IT security work is likely to come from.

How many books can you think of that actually show you clearly where a vast new line of work is going to come from?

It's safe to say that if your work involves web applications, IT security or both to any extent (whether you're hands on, a sales person, a supplier or a budget holder) then the insights that this book provides will be relevant to you time after time after time.

Go ahead, give yourself a 'step up', buy it, read it, profit from it... and whether you agree or disagree with this view I'd be interested in hearing your own thoughts and comments...
