AJAX Security by the Book
By Don Kiely
It's not often that a single book changes the entire landscape of a field, but that's exactly what happened last December when the book AJAX Security by Billy Hoffman and Bryan Sullivan was unleashed. It instantly became the definitive guide to what is wrong with AJAX from a security standpoint, and how to go about protecting your rich Internet applications.
If you've done any serious reading about security in AJAX, you've probably encountered the authors before. They were with the security firm SPI Dynamics before HP bought the company, and are both now with different security divisions in HP. They and their associates have done a lot of the groundbreaking work in AJAX security, and this book has been a project long in the making. The result is certainly worth it.
The book starts with a brief primer on AJAX, but you won't want to read it without a pretty deep understanding of how AJAX works. I thought I might be annoyed by this section but read it anyway, and I'm glad I did. It sets the stage for everything that follows. It is particularly valuable to get a broader view of AJAX if you've only used a single framework, such as Microsoft's Atlas.
This first chapter also introduces the three vulnerabilities that make AJAX potentially so insecure: complexity, transparency, and size. The authors use those as a framework throughout the rest of the book to evaluate AJAX and the threats to your site.
Chapter 2, The Heist, is an interesting read about Eve, a 20-something hacker who sits in a coffee shop and hacks into an Internet travel site that uses AJAX. If you've not done much Web hacking, this will probably be an eye-opener about how easy it is to figure out stuff. It's all contrived, of course, but it shows how a hacker can use a variety of techniques to find chinks in a site's armor, particularly with the complexity that AJAX adds to most sites. You'll probably want to play with the tools mentioned in this chapter and throughout the book if you haven't already.
The Testing AJAX Applications chapter covers some tools and techniques you can use to determine whether your own applications have vulnerabilities. The closing note in this chapter is typical of the kind of advice in the book, saying that testing for security defects is very difficult. This is largely because it is impossible to come up with a list of things the application shouldn't do. Success in creating such a list would require staying two or three steps ahead of attackers, something that is itself impossible over the long haul.
The rest of the book is a thorough analysis of threats and mitigations, analyzing various vulnerabilities and how they work in AJAX. If nothing else, the reader quickly gains an appreciation of just how many ways there are to attack AJAX applications, and a bit of despair will probably set in about whether it is futile to even try to lock down AJAX apps. But keep reading: there is plenty of good advice about how to implement security. You'll finish the book either with a renewed commitment to strengthen your Web sites or, perhaps, a vow to never touch AJAX again. But don't give up. Remember that AJAX insecurities are simply magnified versions of vulnerabilities found throughout any Web application. AJAX's complexity, transparency, and size amplify the threats, but you have to deal with those threats in all Web applications.
The authors love to use scenarios and metaphors for the concepts they introduce. That might seem like a bit of fluff, but I found it works well to make the concepts more understandable. Overall, the book is well-written and dense with information. You won't be able to read it and be an instant expert; only hands-on hacking will broaden and deepen the knowledge in the book.
Bottom line: If you use AJAX in any form, get this book now. You can be sure the hackers are.
AJAX Security by Billy Hoffman and Bryan Sullivan
Don Kiely, MVP, MCSD, is a senior technology consultant, building custom applications as well as providing business and technology consulting services. His development work involves tools such as SQL Server, Visual Basic, C#, ASP.NET, and Microsoft Office. He writes regularly for several trade journals, and trains developers in database and .NET technologies. You can reach Don at mailto:[email protected] and read his blog at http://www.sqljunkies.com/weblog/donkiely/.