We are a user experience design and software development firm
Hire us to design your site, build your application, serve billions of users and solve real problems.
Book recommendation: Ajax Security by Hoffman and Sullivan
Reviewers overuse the phrase "required reading," but no other description fits the new book "Ajax Security" (2007, Addison Wesley, 470p). This exhaustive tome from Billy Hoffman and Bryan Sullivan places the specific security concerns of the Ajax programming model in historical perspective. It demonstrates not only new security threats that are unique to Ajax, but established threats that have gained new traction in the Web 2.0 era. It then details both the specific technical solutions and - more importantly - the mindset that are necessary to combat such threats.
Because so many developers have historically overlooked the importance of security, the authors approach their topic for what it is: a remedial subject. They take pains to explain the basic mechanisms by which hackers have exploited insecure web applications over the last decade: cross-site request forgeries, denial of service attacks, cross-site scripting and SQL injection. Then they explain how those mechanisms have changed thanks to the rise of xmlHttpRequest, public APIs, mash-ups and aggregators. If you've ever read a Douglas Crockford rant about the "brokenness" of the web security model and wondered why the guy was such an alarmist, Hoffman and Sullivan are only too happy to provide you with a much-needed wake-up call.
"Ajax Security" is written in a clear, direct style that mixes compelling narrative examples with both high-level technical discussions and granular programming how-tos. The authors even fashion Chapter 2, "The Heist," into a miniature techno-thriller, walking us through a day in the life of a fictitious hacker named Eve who practically cackles like a "Mission: Impossible" villain when she discovers the holes in an Ajax webapp. The book's mixture of intro-level concepts, real-world analogies and advanced code examples should be jarring, but isn't, thanks to its conversational tone. "Ajax Security" should therefore prove useful to a broad range of readers:
- Developers who either have failed to develop a working knowledge of application security, or whose knowledge has become outdated after recent technological advances.
- Security professionals who haven't kept pace with the rapidly evolving world of Ajax and other client-side technologies.
- Technology managers who need to understand the risks as well as the rewards of the new technologies their engineers are pitching.
- Business users who seek a better understanding of the technologies that power the web and how they can be exploited for malicious ends.
In order to serve all of these readers, "Ajax Security" spends a few chapters establishing the basics of traditional web security. It's worth slogging through these chapters even if you think you're a hardened veteran. The authors get to their central thesis pretty quickly, during a discussion of the "attack surface" of Ajax applications:
In a nutshell, the attack surface of an Ajax application is essentially the complete attack surface of a traditional Web application plus the complete attack surface of a Web service.... Where are all the secret attacks that can instantly destroy any Ajax application? For better or worse, there aren't any. If just being sure to defend against a particular attack was all there was to Ajax security, then this would be a pretty short book.... [D]efending an Ajax application is really just like defending both a Web application and a Web service - all at the same time. This is the price you must pay for expanding the functionality of your site.
Once Hoffman and Sullivan have spelled out this mission statement, the book kicks into high gear with chapters on the business-logic transparency of Ajax applications; the security vulnerabilities of JavaScript, JSON and even CSS; the risk of client-side storage and offline frameworks; and the security considerations of mashups and aggregator sites. I could fill an entire month's worth of posts with all of the individual tools, techniques and surprising facts in this book. Here's a random sampling:
- XHR requests that return raw query results as JSON- or XML-formatted data can make classic SQL injection attacks almost effortless.
- Offline frameworks such as Google Gears can store sensitive data on user machines without providing a GUI for ever purging that data. When a Gears-enabled webapp isn't sufficiently locked down, this increases the user's vulnerability considerably.
- Public APIs can provide a trojan horse in which an attacker bypasses a web service's built-in security features by posing as or piggybacking on a trusted API consumer.
- JavaScript is hardly the only vector of attack against Ajax applications. CSS files can expose a host of their own unique vulnerabilities. Image paths in global CSS files can reveal the locations of hidden administrative interfaces, while CSS hijacking can enable phishing scams called "look and feel hacks."
As my effusive praise should have made clear by now, I can't recommend "Ajax Security" highly enough. It's even available from Safari Books Online.
Topics: Ajax Development, Security
Comments: 3 so far
Leave a comment
Who is Pathfinder?
Categories
Topics
.NET
2d physics
3d
3D GPS
3D physics
37signals
Accessibility
actionscript
activerecord
acts_as_ferret
Add new tag
Adium
ADO.NET Entity Framework
Adobe
Adobe AIR
Advertising
aggregation
agile
Agile Development
AIR
Ajax
Ajax Applications
Ajax Bookmarking
Ajax Components
Ajax Development
Ajax Examples
Ajax Experience
Ajax Frameworks
Ajax history management
Ajax Intervention
Ajax libraries
AJAX Obfuscation
Ajax Performance
Ajax Products
Ajax Tools
Ajax Widgets
Amazon
Amazon CDN
Amazon Web Services
amf
Analysis
Android
Announcement
Announcements
antennae
Apache
Apollo
apple
Application Architecture
Application Development
architecture
AS3
ask a UI guy
ASP.NET
Asynchronous Processing
authorization
awards
Azure
Back Button
bandwidth
bandwidth profiling
Benchmarking
Best Practices
BitmapData.draw
BJAX
Blaze Advisor
blog
blogging
book review
Books
Browsers
Business
Business Reasons for Ajax
Business Rules
C#
caching
Canvas
capistrano
Case Studies
Charles
chess
Chesspresso
Chicago
Cloud Computing
CloudFront
CMS
COBOL
Cocoa
code
code art
Code Generation
code generator
Color
COMET
Conference
Confluence
Consistency
Content Management
continuous integration
CRM
CruiseControl
CSS
Custom Flex Component
data visualization
Degrafa
deployment
Design
Design Patterns
design thinking
Desktop
Desktop RIA
Developer's Notebook
DHTML
Diagnose
Dojo
Domain Knowledge
Drools
EC2
Echo2
Echo3
Editorial
ERP
Ethnographic Research
events
everyblock
externalinterface
Ext JS
Facebook
Feedback Loop
ferret
FileReference
Firefox
Firefox Extensions
fixture replacement
fixtures
Flash
flash awards
Flash Platform
flash player
flash player 10
Flex
flex code generator
flex css
flex skins
flexunit
Flickr
Flock
Flow
forms
Frameworks
FriendFeed
front end
front end development
fulltext search
Games
Gauge Component
getting things done
Git
Google
Google Analytics
Google Analytics for Flash
Google Analytics for Flex
Google calendar
Google Gadgets
Google Gears
google maps
g phone
Grails
Graphics
Greasemonkey
Groovy
GStreamer
GTD
Gwittir
GWT
h.264
hardware
Healthcare
Hibernate
HTML
Hudson
IDE
Ideation
IE
IE6
IE7
IE8
iGoogle
illustrator cs3
ILOG JRules
importing graphics to flex
Information Architecture
Innovation
Instructional Design
Interaction Design
interaction patterns design
Interview
iPhone
iPod
iTunes
Java
javafx
Javascript
JavaScript frameworks
Javascript Libraries
JBoss Rules
Jess
Jetty
JIT
Jobs
jQuery
JSF
JSON
JSP
JSR-94
JsUnit
laptop
Lazlo
Legacy Systems
lightweight
LinkedIn
LINQ
logging
Logical Model and Conceptual Model
Low Pro
Mac
Malware
Mash Note
Mashups
Meebo
metaprogramming
MetaWidget
Methodology
Microformats
microsite
Microsoft
minimalism
Mobile
mock objects
modeling
mod_rails
Mootools
mouse
mouse scroll
mouse wheel
Mozilla
Music
MVC
MySql
NetNewsWire
networking
news
newspapers
notebook
obj-c
Object-Oriented
Objective-C
Object Relation Mapping (ORM)
ocmock
Office
OOP
opengl
Open Screen
OpenSocial
Open Source
Opera
Oracle
ORM
OS X
osx
pagination
Pair Programming
papervision3d
Patterns
Peer Creation
Performance
Personas
PGN
PHP
Phusion Passenger
physics
physics engines
plugin
plugins
Predictions
preloader
process Web/Tech
Product Definition
productivity
Progressive Enhancement
project management
Project Website
Prototype
Prototyping
PureMVC
PV3D
QA
qooxdoo
Radiant CMS
rails
Really Simple History
refactoring
References
Requirements
Requirements
Alice Toth
Requirements Visualization
resesign
Restlet
RETE
Review
ria
Rich Interactions
ruby
rubyamf
Ruby on Rails
Ruby on Rails testing role
S3
SaaS
Safari
San Francisco
Scalability
Scenarios
Scriptaculous
SDLC
Search
Security
Selenium
Semantic web
SEO
Server Side
Silverlight
skins
SOA
Social Networking
Software Development
Software Processes
Songbird
SpiderMonkey
Sprajax
Spreadsheets
StageScaleMode
Standards
Startups
STI
Story Telling
Struts
Swing
Tamarin
Tank Engine
Task Flows
Test Driven Development
Testing
textmate
The Ajax Experience
throttling
Tilt Component
Tools
TraceMonkey
Training
Trends
Tumblr
Tutorial
Tutorials
Twitter
UI
UIViewController
unit testing
Unit Tests
Usability
Usability Testing
User Experience
user experience design
user interface
User Interface Standards
User Research
UXD
Venture Capital
Video
Vision
Visualization
VLC
Volta
web
Web/Tech
Web 2.0
Web Design
Web Development
web forms
Webkit
Weblogs
Web Services
Web Standards
Widgets
will_paginate
Windows
WinForms
Wireframes
WordPress
workflow
work life balance
xcode
XML
XML Metadata
XUL
Yahoo Map AS3 API
YUI
Zeigarnik
Zeigarnik Effect
ZK
Archives
- January 2009
- December 2008
- November 2008
- October 2008
- September 2008
- August 2008
- July 2008
- June 2008
- May 2008
- April 2008
- March 2008
- February 2008
- January 2008
- December 2007
- November 2007
- October 2007
- September 2007
- August 2007
- July 2007
- June 2007
- May 2007
- April 2007
- March 2007
- February 2007
- January 2007
- December 2006
- November 2006
- October 2006
- September 2006
- August 2006
- July 2006
- June 2006
- May 2006
- April 2006
- March 2006
Blogroll
Recent
- Getting Rid of the “handler.call: handler undefined” Error
- 2009 Prediction - The End of Ajax
- How to serve static websites and Passenger Rails projects from the same Mac OS X Apache instance
- We Welcome Our New Merby Overlords
- iPhone SDK: Testing UIApplicationDelegate with OCMock
- iPhone SDK: Cache Policy & Cookie Handling in NSURLRequest
- acts_without_database: Leverage ActiveRecord with Non-Database Backed Objects
- Category and UI changes on Pathfinder blogs
- Receive 10% off Web Form Design: Filling in the Blanks by Luke Wroblewski
- 2008: A Year That Was
Thanks for the detailed review. I was thinking about getting this book but I wanted to wait until I could find a review that went into specifics. I am especially interested in the material on CSS. This looks great.
Comment by Bookwise, Wednesday, January 16, 2008 @ 4:18 pm
Thanks Brian for this in-depth review.
Comment by Thomas, Thursday, January 17, 2008 @ 3:03 am
Using a server-side Ajax framework should help greatly with security for at least two reasons. First, all business logic and practically all UI logic is handled server-side. This is important not just for preveting cracking, but also for keeping the business logic secret. Another reason is that when there is usually no application-specific client-side code, but just a client-side engine of the framework, the engine can be generally strenghtened much stronger.
IT Mill Toolkit (http://www.itmill.com/ ) is an example of such server-side frameworks. It essentially lets you forget Ajax and should handle all Ajax-related issues, including much of the basic security, without having to reconsider them for every application. It is of course impossible to promise that anything is secure, at least before long exposure to attacks, but using a solid framework is a good start.
Comment by Marko Grönroos, Thursday, January 17, 2008 @ 8:48 am