Book Review: AJAX Security


In the interest of full disclosure, I was sent this book by Pearson Education in hopes that I would review it. I'm reviewing this book, however, in the interest of my audience.

AJAX Security

Written By
Billy Hoffman, Bryan Sullivan

Published By
Addison Wesley / Pearson Education

Publisher Summary:
More and more Web sites are being rewritten as AJAX applications; even traditional desktop software is rapidly moving to the Web via AJAX. But, all too often, this transition is being made with reckless disregard for security. If AJAX applications aren't designed and coded properly, they can be susceptible to far more dangerous security vulnerabilities than conventional Web or desktop software. AJAX developers desperately need guidance on securing their applications: knowledge that's been virtually impossible to find, until now.

AJAX Security systematically debunks today's most dangerous myths about AJAX security, illustrating key points with detailed case studies of actual exploited AJAX vulnerabilities, ranging from MySpace's Samy worm to MacWorld's conference code validator. Even more important, it delivers specific, up-to-the-minute recommendations for securing AJAX applications in each major Web programming language and environment, including .NET, Java, PHP, and even Ruby on Rails. You'll learn how to:

  • Mitigate unique risks associated with AJAX, including overly granular Web services, application control flow tampering, and manipulation of program logic
  • Write new AJAX code more safely—and identify and fix flaws in existing code
  • Prevent emerging AJAX-specific attacks, including JavaScript hijacking and persistent storage theft
  • Avoid attacks based on XSS and SQL Injection—including a dangerous SQL Injection variant that can extract an entire backend database with just two requests
  • Leverage security built into AJAX frameworks like Prototype, Dojo, and ASP.NET AJAX Extensions—and recognize what you still must implement on your own
  • Create more secure "mashup" applications

AJAX Security will be an indispensable resource for developers coding or maintaining AJAX applications; architects and development managers planning or designing new AJAX software, and all software security professionals, from QA specialists to penetration testers.

The Review

Though the ideas of AJAX and security aren't exactly oxymorons, they don't go hand in hand either. I've always felt that PHP <-> AJAX scripts have more potential for security problems than most other scripts. AJAX scripts have the tendency to assume too much. AJAX Security aims to show readers how to tighten up their AJAX code, both server side and client side.

The book begins by defining AJAX-related terms: XHR, XML, JavaScript, and DHTML. The first chapter also covers AJAX web application flow. Most experienced developers could safely skip this chapter.

Chapter two presents an example website and a case of AJAX hijacking. It is a very basic example, but it sets the tone for those who don't have much experience with AJAX.

Chapter three covers basic web attacks including CSRF, phishing, and DoS attacks. Pretty basic, but inexperienced developers will find this information helpful.

Chapter four does a masterful job of covering the "AJAX surface area." AJAX hackers have many ways of disrupting the data and intended flow of your AJAX: manipulating form (visible and hidden) values, cookies, headers, querystring parameters, and uploaded files. The best defense against AJAX hacks is knowing thy enemy, and AJAX Security makes sure you know what you're up against.

In chapter five, AJAX Security addresses code complexity. String operations, code comments, and JavaScript quirks are recognized. The chapter is really quick and not as important to the book as most others.

Chapter six discusses "black box" applications versus "white box" applications -- both being different views and flows of websites. AJAX tends to blur the lines between white and black, and how you protect your gray website is extremely important.

Chapter seven, titled "Hijacking AJAX Applications," discusses "clobbering" AJAX functions. The chapter covers exploiting JavaScript AJAX functions and JSON APIs.

Chapter eight, "Attacking Client-Side Storage," naturally covers attacks on information you've given to the client -- most notably cookies. Since we don't have control over cookies between page requests, we can't completely trust the information stored in them. Unfortunately, cookies can be a necessary evil. The key is to not put too much information in them.

Chapter nine covers the rare offline AJAX application. Offline AJAX isn't nearly as popular as traditional online AJAX, but the offline counterpart is just as prone to attack. Don't leave your offline application open to attack!

Chapter ten, titled "Request Origin Issues," covers "robots, spiders, browsers, and other creepy crawlers." As you know, with Firefox plugins like User Agent Switcher, you can switch the user agent you provide to the server. Not anticipating attacks from "meant-to-be-harmless" user agent sources can leave your application wide open to attack.

Chapter eleven discusses the current popular rage on the internet: mashups. With social networking and bookmarking applications providing APIs to anyone that will use their service, everyone and their mother is looking to frankenstein an application together. Programmers who create mashups need to understand the responsibility of keeping data they receive safe.

Chapter twelve, titled "Attacking the Presentation Layer," covers just that. My favorite line from this chapter: "Consider a website that has 1,000 pages--all of which have some common styling information that is stored in style.css." One of the best ways to attack a website is to try to gather information that is common to the site as a whole. Accessing stylesheets is as simple as a "view source."

Chapter thirteen discusses JavaScript worms, a topic not mentioned among developers as often as CSRF attacks or parameter manipulation. XSS worms have the ability to completely cripple a website.

Chapter fourteen, "Testing AJAX Applications," provides great information on how you should test your web application. Due to the number of ways that AJAX applications can be penetrated, testing your AJAX apps is extremely important. Like any application, fixing errors before deployment is ten times easier than after.

Chapter fifteen examines popular AJAX frameworks for ASP.NET, PHP (Sajax), Java EE, and the popular JavaScript framework Prototype. Unfortunately, Prototype is the only JavaScript framework that receives mention. I was hoping that more frameworks like jQuery and MooTools would get play.

Favorite Chapter

My favorite chapter of AJAX Security was definitely Chapter 4, "AJAX Attack Surface." As I said earlier, the best way you can start to combat the enemy (Mr. AJAX Hack) is to know him. AJAX applications have so many points of hacker entry: cookies, querystring parameters, headers, and form inputs leave holes in your AJAX, and how you plug them is the measure of security for your website's usage of AJAX. Know thine enemy!

The Verdict

AJAX Security is an important read for those looking to create any level of rich AJAX application. There's a lot of flash and awe that comes with AJAX but it can also leave your website vulnerable. It's important for the user to be in awe of the application, not the developer. Hoffman and Sullivan have authored a great book for developers with little to slightly above moderate experience with AJAX, the anti-flash.


Discussion

  1. AJAX Security is one of the popular security I have ever seen and they provide all the satisfaction which a customer needs.
