| OverviewThe Hands-On, Practical Guide to
Preventing Ajax-Related Security Vulnerabilities More and more Web sites are being rewritten
as Ajax applications; even traditional desktop software is rapidly
moving to the Web via Ajax. But, all too often, this transition is
being made with reckless disregard for security. If Ajax
applications aren't designed and coded properly, they can be
susceptible to far more dangerous security vulnerabilities than
conventional Web or desktop software. Ajax developers desperately
need guidance on securing their applications: knowledge
that's been virtually impossible to find, until
now.
Ajax Security systematically debunks today's most
dangerous myths about Ajax security, illustrating key points with
detailed case studies of actual exploited Ajax vulnerabilities,
ranging from MySpace's Samy worm to MacWorld's
conference code validator. Even more important, it delivers
specific, up-to-the-minute recommendations for securing Ajax
applications in each major Web programming language and
environment, including .NET, Java, PHP, and even Ruby on Rails.
You'll learn how to:
· Mitigate unique
risks associated with Ajax, including overly granular Web services,
application control flow tampering, and manipulation of program
logic
· Write new Ajax
code more safely—and identify and fix flaws in existing
code
· Prevent emerging
Ajax-specific attacks, including JavaScript hijacking and
persistent storage theft
· Avoid attacks
based on XSS and SQL Injection—including a dangerous SQL
Injection variant that can extract an entire backend database with
just two requests
· Leverage security
built into Ajax frameworks like Prototype, Dojo, and ASP.NET AJAX
Extensions—and recognize what you still must implement on
your own
· Create more secure
"mashup" applications Ajax Security will be an
indispensable resource for developers coding or maintaining Ajax
applications; architects and development managers planning or
designing new Ajax software, and all software security
professionals, from QA specialists to penetration testers. Editorial ReviewsProduct DescriptionThe Hands-On, Practical Guide to Preventing Ajax-Related Security Vulnerabilities More and more Web sites are being rewritten as Ajax applications; even traditional desktop software is rapidly moving to the Web via Ajax. But, all too often, this transition is being made with reckless disregard for security. If Ajax applications aren’t designed and coded properly, they can be susceptible to far more dangerous security vulnerabilities than conventional Web or desktop software. Ajax developers desperately need guidance on securing their applications: knowledge that’s been virtually impossible to find, until now. Ajax Security systematically debunks today’s most dangerous myths about Ajax security, illustrating key points with detailed case studies of actual exploited Ajax vulnerabilities, ranging from MySpace’s Samy worm to MacWorld’s conference code validator. Even more important, it delivers specific, up-to-the-minute recommendations for securing Ajax applications in each major Web programming language and environment, including .NET, Java, PHP, and even Ruby on Rails. You’ll learn how to: · Mitigate unique risks associated with Ajax, including overly granular Web services, application control flow tampering, and manipulation of program logic · Write new Ajax code more safely—and identify and fix flaws in existing code · Prevent emerging Ajax-specific attacks, including JavaScript hijacking and persistent storage theft · Avoid attacks based on XSS and SQL Injection—including a dangerous SQL Injection variant that can extract an entire backend database with just two requests · Leverage security built into Ajax frameworks like Prototype, Dojo, and ASP.NET AJAX Extensions—and recognize what you still must implement on your own · Create more secure “mashup” applications Ajax Security will be an indispensable resource for developers coding or maintaining Ajax applications; architects and development managers planning or designing new Ajax software, and all software security professionals, from QA specialists to penetration testers. |
Other Readers Also Read | Top Sellers in This Category | Browse Similar Topics | | | Top Level Categories:Sub-Categories: | | | | |
Reader Reviews From Amazon (Ranked by 'Helpfulness') Average Customer Rating: based on 6 reviews. Very well written. , 2008-11-30 Reviewer rating: The book is nicely organized and gives a very clear introduction to concepts of web application security, including listing major vulnerabilities and attack vectors and then after establishing these basics it dives in with examples, details and tips to explain Ajax, its usage, its mis-usage and the security implications. The attack vectors are not only mentioned or explained in theory, they are given an example story as context, and for understanding attackers' motivation, and then carefully detail the technical aspects to form a clear picture of the problem which then prepares the reader to understand and accept the suggested "dos and don'ts".
The book gives good attention to a bigger picture: JavaScript's capabilities and limitations, the impact of the available variety of browsers, development frameworks, social aspects and more. Even QA of JavaScript and Ajax application is mentioned, though, I think that such a topic cannot be sufficiently covered in a single overview chapter (in this book the authors tried to give an overview while presenting a few tools and discussing their advantages and disadvantages), and is well deserved to be covered in detail and with a lot of examples in a separate title.
I especially appreciated the good job that the authors did, in my opinion, to convey, what I think is the most important security related detail about JavaScript and Ajax: Never ever trust anything that is being executed, stored and calculated on the client side!
I found the book to be more than just a source of information, something that will bring me up to speed with the field's jargon. I found it to be inspiring. I cannot wait for a similar book on browser plug-in security. I hope that the authors have something like that cooking already.
The book, as you might understand already, is highly recommended. | Ajax Security, 2008-03-10 Reviewer rating: This is very good book. I've created so many websites using AJAX techonlogy. This book provided me to check how secure the websites are. I am glad that I fullfilled all the details without having the through knowledge of AJAX security. But this book has collected all the security check point at one place. | Every ajax developer must read it, 2008-02-17 Reviewer rating: A lot of examples shows how absolutely everything could be attacked and corrupted in the chain of components used for building ajax applications, from css (yes even css) to html, from javascript to http, from browser to server ... Sometimes there's too much lines about evident things and sometimes things seems more proof of concept than real possible attacks. But these guys know what they are talking about. This is an excellent book that every serious ajax developer must have read, specially if they plan to make mashups or let their users bring and share things using their applications. | Curiosity Killed the Internet, 2008-02-05 Reviewer rating: Are you a web developer? Do you believe you can ensure that your client-side code will function as expected? Well, you are wrong. In Ajax Security you will find out why.
Ajax changes the game in that it moves business logic to the client. In doing so it increases the attack surface of the application. The authors get curious with some real world Ajax frameworks such as Prototype, Dojo, and Microsoft Ajax. They demonstrate with these frameworks how developers might be unknowingly building vulnerabilities into their applications. If you're home brewing Ajax, the authors cover important security considerations you'll need to know so that you don't make the same mistakes the industry leaders have made.
I learned a lot about JavaScript from reading this book. I learned even more about how JavaScript can be used maliciously. The authors describe techniques for function clobbering, JSON hijacking, storage attacks, and presentation layer attacks. One of my favorite parts of the book, not to mention one of the scariest, is an explanation of how to hide malicious JavaScript from signature based anti-virus software.
The authors explain why the Same-Origin Policy is broken and how it can be subverted. Also covered are security considerations for offline applications. An in-depth analysis of Ajax worms is covered. If you are curious about how Ajax is changing web security you should read this book. If your are a web developer or a security professional you should read this book, even if you aren't using Ajax. If you don't believe cross-site scripting is a "big deal", I dare you to read this book and maintain the same opinion.
| how to prevent web/ajax attacks, 2008-01-20 Reviewer rating: Anyone involved in developing/testing AJAX should read "AJAX Security." It covers preventing a hacker from attaching your application. The audience includes developers, QA and penetration testers. While there are code snippets, they are explained well. While managers aren't in the target audience, I think they could benefit from understanding the concepts presented in the book.
The book begins with a brief review of AJAX architecture with an emphasis on security. The writing style is quite engaging including a chapter walking you through an attack from a hacker's point of view. All the major known categories of attacks are included including resource enumeration, parameter manipulation (with SQL and XPATH injection), session hijacking, JSON hijacking, XSS, CSRF, phishing, denial of service, etc.
I particularly liked the analogies to things that happen in the physical world such as resource injection into a roommate's "to do" list and hijacking another customer's paid order in the deli. These made it easy to visualize the problem even for people who don't code often.
The authors were realistic and included the limitations and drawbacks of each tool/framework mentioned. I liked the chapter analyzing two major JavaScript worms including the source code. This really hit home on the importance of certain practices!
All information was up to date as of printing including comments on all four major browsers (IE, Firefox, Opera and Safari.) They even mentioned the HTML 5 specification. The book is not server side language specific, which was nice. |
Some information above was provided using data from Amazon.com. View at Amazon > |
| |
© 2009 Safari Books Online. All rights reserved.
|
