AJAX Security by the Book
AJAX Security
October 30, 2009
Secure ASP.NET
By Don Kiely
It's not often that a single book changes the entire landscape of a field, but that's exactly what happened last December when the book AJAX Security by Billy Hoffman and Bryan Sullivan was unleashed. It instantly became the definitive guide to what is wrong with AJAX from a security standpoint, and how to go about protecting your rich Internet applications.
If you've done any serious reading about security in AJAX, you've probably encountered the authors before. They were with the security firm SPI Dynamics before HP bought the company, and are both now with different security divisions in HP. They and their associates have done a lot of the groundbreaking work in AJAX security, and this book has been a project long in the making. The result is certainly worth it.
The book starts with a brief primer on AJAX, but you won't want to read it without a pretty deep understanding of how AJAX works. I thought I might be annoyed by this section but read it anyway, and I'm glad I did. It sets the stage for everything that follows. It is particularly valuable to get a broader view of AJAX if you've only used a single framework, such as Microsoft's Atlas.
This first chapter also introduces the three vulnerabilities that make AJAX potentially so insecure: complexity, transparency, and size. The authors use those as a framework throughout the rest of the book to evaluate AJAX and threats to your site.
Chapter 2, The Heist, is an interesting read about Eve, a 20-something hacker who sits in a coffee shop and hacks into an Internet travel site that uses AJAX. If you've not done much Web hacking, this will probably be an eye-opener about how easy it is to figure out stuff. It's all contrived, of course, but it shows how a hacker can use a variety of techniques to find chinks in a site's armor, particularly with the complexity that AJAX adds to most sites. You'll probably want to play with the tools mentioned in this chapter and throughout the book if you haven't already.
The Testing AJAX Applications chapter covers some tools and techniques you can use to determine whether your own applications have vulnerabilities. The closing note in this chapter is typical of the kind of advice in the book, saying that testing for security defects is very difficult. This is largely because it is impossible to come up with a list of things the application shouldn't do. Success in creating such a list would require staying two or three steps ahead of attackers, something that is itself impossible over the long haul.
The rest of the book is a thorough analysis of threats and mitigations, analyzing various vulnerabilities and how they work in AJAX. If nothing else, the reader quickly gains an appreciation of just how many ways there are to attack AJAX applications, and a bit of despair will probably set in about whether it is futile to even try to lock down AJAX apps. But keep reading: there is plenty of good advice about how to implement security. You'll finish the book either with a renewed commitment to strengthen your Web sites or, perhaps, a vow to never touch AJAX again. But don't give up. Remember that AJAX insecurities are simply magnified versions of vulnerabilities throughout any Web application. AJAX's complexity, transparency, and size amplify the threats, and you have to deal with them in all Web applications.
The only part of the book I wish had more depth was chapter 15, Analysis of AJAX Frameworks. It covers Microsoft's ASP.NET AJAX Extensions, PHP's Sajax, Java EE's Direct Web Remoting, and Prototype, a JavaScript-only framework. I would have loved to have seen more information about each framework.
The authors love to use scenarios and metaphors for the concepts they introduce. That might seem like a bit of fluff, but I found it works well to make the concepts more understandable. Overall, the book is well-written and dense with information. You won't be able to read it and be an instant expert; only hands-on hacking will broaden and deepen the knowledge in the book.
Bottom line: If you use AJAX in any form, get this book now. You can be sure the hackers are.
AJAX Security by Billy Hoffman and Bryan Sullivan
Addison-Wesley
ISBN-13: 978-0-321-49193-0
ISBN-10: 0-321-49193-9
http://www.informit.com/aw; http://www.informit.com/store/product.aspx?isbn=0321491939
About the Author
Don Kiely, MVP, MCSD, is a senior technology consultant, building custom applications as well as providing business and technology consulting services. His development work involves tools such as SQL Server, Visual Basic, C#, ASP.NET, and Microsoft Office. He writes regularly for several trade journals, and trains developers in database and .NET technologies. You can reach Don at mailto:[email protected] and read his blog at http://www.sqljunkies.com/weblog/donkiely/.