Book Review: AJAX Security
In the interest of full disclosure, I was sent this book by Pearson Education in hopes that I would review it. I'm reviewing this book, however, in the interest of my audience.
Billy Hoffman, Bryan Sullivan
Addison Wesley / Pearson Education
More and more Web sites are being rewritten as AJAX applications; even traditional desktop software is rapidly moving to the Web via AJAX. But, all too often, this transition is being made with reckless disregard for security. If AJAX applications aren't designed and coded properly, they can be susceptible to far more dangerous security vulnerabilities than conventional Web or desktop software. AJAX developers desperately need guidance on securing their applications: knowledge that's been virtually impossible to find, until now.
AJAX Security systematically debunks today's most dangerous myths about AJAX security, illustrating key points with detailed case studies of actual exploited AJAX vulnerabilities, ranging from MySpace's Samy worm to MacWorld's conference code validator. Even more important, it delivers specific, up-to-the-minute recommendations for securing AJAX applications in each major Web programming language and environment, including .NET, Java, PHP, and even Ruby on Rails. You'll learn how to:
- Mitigate unique risks associated with AJAX, including overly granular Web services, application control flow tampering, and manipulation of program logic
- Write new AJAX code more safely—and identify and fix flaws in existing code
- Avoid attacks based on XSS and SQL Injection—including a dangerous SQL Injection variant that can extract an entire backend database with just two requests
- Leverage security built into AJAX frameworks like Prototype, Dojo, and ASP.NET AJAX Extensions—and recognize what you still must implement on your own
- Create more secure "mashup" applications
AJAX Security will be an indispensable resource for developers coding or maintaining AJAX applications, architects and development managers planning or designing new AJAX software, and all software security professionals, from QA specialists to penetration testers.
Though AJAX and security aren't exactly an oxymoron, they don't go hand in hand either. I've always felt that PHP <-> AJAX scripts have more potential for security problems than most other scripts. AJAX scripts have a tendency to assume too much. AJAX Security aims to show readers how to tighten up their AJAX code, both server side and client side.
Chapter two presents an example website and a case of AJAX hijacking. It is a very basic example, but it sets the tone for those who don't have much experience with AJAX.
Chapter three covers basic web attacks, including CSRF, phishing, and DoS attacks. Pretty basic, but inexperienced developers will find this information helpful.
Chapter four does a masterful job of covering the "AJAX surface area." AJAX hackers have many ways of disrupting the data and intended flow of your AJAX: manipulating form (visible and hidden) values, cookies, headers, querystring parameters, and uploaded files. The best defense against AJAX hacks is knowing thy enemy and AJAX Security makes sure you know what you're up against.
Chapter six discusses "black box" applications versus "white box" applications -- the difference being how much of a site's logic and flow an outsider can see. AJAX tends to blur the line between white and black, and how you protect your gray website is extremely important.
Chapter eight, "Attacking Client-Side Storage," naturally focuses on attacking information you've given to the client -- most notably cookies. Since we don't have control over cookies between page requests, we can't completely trust the information stored in them. Unfortunately, cookies can be a necessary evil. The key is to not put too much information in them.
Chapter nine covers the rare offline AJAX application. Offline AJAX isn't nearly as popular as traditional online AJAX, but the offline counterpart is just as prone to attack. Don't leave your offline application open to attack!
Chapter ten, titled "Request Origin Issues," covers "robots, spiders, browsers, and other creepy crawlers." As you know, with Firefox plugins like User Agent Switcher, you can switch the user agent you provide to the server. Not anticipating attacks from "meant-to-be-harmless" user agent sources can leave your application wide open to attack.
Chapter eleven discusses the current rage on the internet: mashups. With social networking and bookmarking applications providing APIs to anyone who will use their service, everyone and their mother is looking to Frankenstein an application together. Programmers who create mashups need to understand the responsibility of handling the data they receive safely.
Chapter twelve, titled "Attacking the Presentation Layer," covers just that. My favorite line from this chapter: "Consider a website that has 1,000 pages--all of which have some common styling information that is stored in style.css." One of the best ways to attack a website is to gather information that is common to the site as a whole. Accessing stylesheets is as simple as a "view source."
Chapter fourteen, "Testing AJAX Applications," provides great information on how you should test your web application. Due to the number of ways that AJAX applications can be penetrated, testing your AJAX apps is extremely important. Like any application, fixing errors before deployment is ten times easier than after.
My favorite chapter of AJAX Security was definitely Chapter 4, "AJAX Attack Surface." As I said earlier, the best way you can start to combat the enemy (Mr. AJAX Hack) is to know him. AJAX applications have so many points of entry: cookies, querystring parameters, headers, and form inputs all leave holes in your AJAX, and how you plug them is the measure of how securely your website uses AJAX. Know thine enemy!
AJAX Security is an important read for those looking to create any level of rich AJAX application. There's a lot of flash and awe that comes with AJAX but it can also leave your website vulnerable. It's important for the user to be in awe of the application, not the developer. Hoffman and Sullivan have authored a great book for developers with little to slightly above moderate experience with AJAX, the anti-flash.