psulover901 said
This book should be required reading for anyone who is developing, working with, or even managing a web application. The application doesn't even have to use Ajax. Most of the concepts in this book are security practices for non-Ajax applications that have been extended and applied to Ajax; not the other way around. For example, SQL injection attacks can exist whether an application uses Ajax or not, but Ajax provides an attacker other "entry points" to try to attack your application. Each service, method, and parameter is considered an entry point.
The book itself is well written. The style of writing is engaging. The only non-exciting part of the book is the chapter on client side storage (i.e. cookies, Flash data objects, local storage), but this is not the authors' fault. The topic itself is not very exciting and I found myself reading it quickly so I could get to the next chapter. One of the most interesting chapters is the one on JavaScript worms, like the Samy worm. Also interesting are the occasional mentions of studies and discoveries in the security community. For example, the authors describe a proof-of-concept port scanner they wrote using JavaScript alone, which has the capability of scanning IP addresses and detecting the type of web server they run (using the JS Image object). Another interesting example was using the :hover CSS class along with JavaScript to detect sites that a user has visited.
After reading this book, I am finding myself correcting security errors I am only know finding in my projects. Some corrections I've made concern JSON, the GET vs. POST issue, and others. With the corrections made, I feel that my applications are a lot safer. This book helped make that happen.
TIM WILLIAMS said
I have many 100's of books, mostly technical, accumulated over 20 years of working in IT.
In my view this is one of the most important books I have ever read, not because it's long (it's not) or very advanced (it's not) but because it explains very, very clearly:
- why AJAX is such an important technology (so far the most widely accessible technology to deliver on the promise of 'write once, run anywhere', already in its short life far more widely available and useful than any other client/server technology, including Java, has ever become)
- why security such a big issue for AJAX applications (they have all of the risks of fat clients, plus all of the risks of thin clients)
- what can be done practically, and at comparatively little cost and effort, through the application of good security design practices to mitigate the risks
In simple terms, this is a book about the positive 'enabling' side of security, providing valuable insight into how to deliver all the benefits of AJAX without suffering negative consequences.
I can't think of many books I've read that contain this much valuable content and insight in such a concise and clearly written form. Even if I were only to use the insight that this book provides for one small personal project, it would be worth far more than the cover price.
What makes the content all the more valuable though, is that the insight provided by this book is not a 'one hit wonder', it's actually a look ahead into the next few years of where the major volume of new IT Security work is likely to come from.
How many books can you think of that actually show you clearly where a vast new line of work is going to come from?
It's safe to say that if your work involves web applications, IT security or both to any extent (whether you're hands on, a sales person, a supplier or a budget holder) then the insights that this book provides will be relevant to you time after time after time.
Go ahead, give yourself a 'step up', buy it, read it, profit from it... and whether you agree or disagree with this view I'd be interested in hearing your own thoughts and comments...
Shlomo Yona said
The book is nicely organized and gives a very clear introduction to concepts of web application security, including listing major vulnerabilities and attack vectors and then after establishing these basics it dives in with examples, details and tips to explain Ajax, its usage, its mis-usage and the security implications. The attack vectors are not only mentioned or explained in theory, they are given an example story as context, and for understanding attackers' motivation, and then carefully detail the technical aspects to form a clear picture of the problem which then prepares the reader to understand and accept the suggested "dos and don'ts".
The book gives good attention to a bigger picture: JavaScript's capabilities and limitations, the impact of the available variety of browsers, development frameworks, social aspects and more. Even QA of JavaScript and Ajax application is mentioned, though, I think that such a topic cannot be sufficiently covered in a single overview chapter (in this book the authors tried to give an overview while presenting a few tools and discussing their advantages and disadvantages), and is well deserved to be covered in detail and with a lot of examples in a separate title.
I especially appreciated the good job that the authors did, in my opinion, to convey, what I think is the most important security related detail about JavaScript and Ajax: Never ever trust anything that is being executed, stored and calculated on the client side!
I found the book to be more than just a source of information, something that will bring me up to speed with the field's jargon. I found it to be inspiring. I cannot wait for a similar book on browser plug-in security. I hope that the authors have something like that cooking already.
The book, as you might understand already, is highly recommended.
A. Sharma said
This is very good book. I've created so many websites using AJAX techonlogy. This book provided me to check how secure the websites are. I am glad that I fullfilled all the details without having the through knowledge of AJAX security. But this book has collected all the security check point at one place.
Francois Piat said
A lot of examples shows how absolutely everything could be attacked and corrupted in the chain of components used for building ajax applications, from css (yes even css) to html, from javascript to http, from browser to server ... Sometimes there's too much lines about evident things and sometimes things seems more proof of concept than real possible attacks. But these guys know what they are talking about. This is an excellent book that every serious ajax developer must have read, specially if they plan to make mashups or let their users bring and share things using their applications.
Comments