Ajax Security by Billy Hoffman, Bryan Sullivan

Bartender
<pre>Author/s : Billy Hoffman, Bryan Sullivan
Publisher : Addison Wesley
Category : Web design, HTML and JavaScript
Review by : Jeanne Boyarsky
Rating : 10 horseshoes
</pre>
Anyone involved in developing/testing AJAX should read "AJAX Security." It covers preventing a hacker from attacking your application. The audience includes developers, QA and penetration testers. While there are code snippets, they are explained well. While managers aren't in the target audience, I think they could benefit from understanding the concepts presented in the book.

The book begins with a brief review of AJAX architecture with an emphasis on security. The writing style is quite engaging, including a chapter walking you through an attack from a hacker's point of view. All the major known categories of attacks are covered, including resource enumeration, parameter manipulation (with SQL and XPath injection), session hijacking, JSON hijacking, XSS, CSRF, phishing, denial of service, etc.

I particularly liked the analogies to things that happen in the physical world such as resource injection into a roommate's "to do" list and hijacking another customer's paid order in the deli. These made it easy to visualize the problem even for people who don't code often.

The authors were realistic and included the limitations and drawbacks of each tool/framework mentioned. I liked the chapter analyzing two major JavaScript worms including the source code. This really hit home on the importance of certain practices!

All information was up to date as of printing, including comments on all four major browsers (IE, Firefox, Opera and Safari). They even mentioned the HTML 5 specification. The book is not server-side language specific, which was nice.


More info at Amazon.com
More info at Amazon.co.uk
Book Review Team
<pre>Review by : Ulf Dittmer
Rating : 9 horseshoes
</pre>
With the advent of more sophisticated client-side web apps -- facilitated by AJAX and the JavaScript XmlHttpRequest object -- have come more numerous and more easily discovered security issues. As the authors point out, AJAX combines the vulnerabilities of traditional web apps and web services.

This book is billed as "The Hands-On, Practical Guide to Preventing Ajax-Related Security Vulnerabilities", and it delivers admirably on that count. It covers in detail the wide range of attack possibilities - from traditional web attacks and JavaScript hijacking over client-side storage and offline vulnerabilities to request origin issues, mashups and even CSS. An analysis of two JavaScript worms and a couple of chapters presenting tools to help test AJAX applications and popular AJAX frameworks round out the book. Many illustrations and code examples help convey the subjects, as do details of what to look out for in particular browsers or server software. It's hard to picture a web worker (be it developer, tester, producer or manager) who doesn't take away something (and more likely quite a bit) from this book.

It's written in a style that makes it easily approachable, and complex topics are explained well. Although some of the later material assumes knowledge of the earlier stuff, most chapters can be skipped if the reader isn't interested in a particular topic, and revisited later. I recommend the book to every web professional.


More info at Amazon.com
More info at Amazon.co.uk
Ranch Hand
Nice review, so I can find what I need.
Thanks for your work.