Customer Reviews

10 Reviews

15 of 16 people found the following review helpful
5.0 out of 5 stars 2007 Best Book Bejtlich Read award winner, December 31, 2007
This review is from: Ajax Security (Paperback)
Ajax Security was the last book I read and reviewed in 2007. However, it was the best book I read all year. The book is absolutely compelling and every security professional and Web developer should read it. It's really as simple as that.

I am not a Web developer. I was not very familiar with Ajax (beyond its buzzword status and a vague notion of functionality) when I started reading Ajax Security. I attended the authors' Black Hat 2007 talk and was thoroughly impressed and disturbed by the security implications they presented. I expected Ajax Security to be a good book, but one can never be sure if talented hackers and presenters can transfer their skills to the written word. Ajax Security gets the job done.

Despite being a traditional network security guy who prefers inspecting traffic to analyzing JavaScript, I had no problem understanding Ajax Security. The authors do a superb job leading the reader through the issues surrounding modern Web applications. They start by introducing a technology, which is critical for someone like me who doesn't deal with Web development issues. Next they describe how it is broken. They continue with defensive recommendations and summarize their findings in the conclusion. This is a perfect technical writing style that is too often lost on other authors.

Ajax Security makes very good use of case studies (both large stories like ch 2 and small ones throughout the text). The book also integrates code, diagrams, and screen shots. The text itself is very clear and the authors keep the reader's attention throughout. Histories for various technologies provide a welcome background, showing readers how we've ended up in our current Web 2.0 predicament.

If you'd like a positive critique of the technical components of the book by someone who is a Web expert, I recommend reading Dre's review of Ajax Security in the TSSCI-Security blog. Otherwise, I give my highest recommendation to Ajax Security, as my Best Book Bejtlich Read in 2007 award.

10 of 10 people found the following review helpful
5.0 out of 5 stars how to prevent web/ajax attacks, January 20, 2008
This review is from: Ajax Security (Paperback)
Anyone involved in developing/testing AJAX should read "AJAX Security." It covers preventing a hacker from attacking your application. The audience includes developers, QA and penetration testers. While there are code snippets, they are explained well. While managers aren't in the target audience, I think they could benefit from understanding the concepts presented in the book.

The book begins with a brief review of AJAX architecture with an emphasis on security. The writing style is quite engaging including a chapter walking you through an attack from a hacker's point of view. All the major known categories of attacks are included including resource enumeration, parameter manipulation (with SQL and XPATH injection), session hijacking, JSON hijacking, XSS, CSRF, phishing, denial of service, etc.

I particularly liked the analogies to things that happen in the physical world such as resource injection into a roommate's "to do" list and hijacking another customer's paid order in the deli. These made it easy to visualize the problem even for people who don't code often.

The authors were realistic and included the limitations and drawbacks of each tool/framework mentioned. I liked the chapter analyzing two major JavaScript worms including the source code. This really hit home on the importance of certain practices!

All information was up to date as of printing including comments on all four major browsers (IE, Firefox, Opera and Safari.) They even mentioned the HTML 5 specification. The book is not server side language specific, which was nice.

7 of 7 people found the following review helpful
5.0 out of 5 stars Curiosity Killed the Internet, February 4, 2008
This review is from: Ajax Security (Paperback)
Are you a web developer? Do you believe you can ensure that your client-side code will function as expected? Well, you are wrong. In Ajax Security you will find out why.

Ajax changes the game in that it moves business logic to the client. In doing so it increases the attack surface of the application. The authors get curious with some real world Ajax frameworks such as Prototype, Dojo, and Microsoft Ajax. They demonstrate with these frameworks how developers might be unknowingly building vulnerabilities into their applications. If you're home brewing Ajax, the authors cover important security considerations you'll need to know so that you don't make the same mistakes the industry leaders have made.

I learned a lot about JavaScript from reading this book. I learned even more about how JavaScript can be used maliciously. The authors describe techniques for function clobbering, JSON hijacking, storage attacks, and presentation layer attacks. One of my favorite parts of the book, not to mention one of the scariest, is an explanation of how to hide malicious JavaScript from signature based anti-virus software.

The authors explain why the Same-Origin Policy is broken and how it can be subverted. Also covered are security considerations for offline applications. An in-depth analysis of Ajax worms is covered. If you are curious about how Ajax is changing web security you should read this book. If you are a web developer or a security professional you should read this book, even if you aren't using Ajax. If you don't believe cross-site scripting is a "big deal", I dare you to read this book and maintain the same opinion.

3 of 3 people found the following review helpful
4.0 out of 5 stars Every ajax developer must read it, February 17, 2008
Francois Piat (Besancon, France) - See all my reviews
Verified Purchase
This review is from: Ajax Security (Paperback)
A lot of examples show how absolutely everything could be attacked and corrupted in the chain of components used for building ajax applications, from css (yes even css) to html, from javascript to http, from browser to server ... Sometimes there are too many lines about evident things and sometimes things seem more proof of concept than real possible attacks. But these guys know what they are talking about. This is an excellent book that every serious ajax developer must have read, especially if they plan to make mashups or let their users bring and share things using their applications.

2 of 2 people found the following review helpful
5.0 out of 5 stars Very well written., November 29, 2008
This review is from: Ajax Security (Paperback)
The book is nicely organized and gives a very clear introduction to concepts of web application security, including listing major vulnerabilities and attack vectors and then after establishing these basics it dives in with examples, details and tips to explain Ajax, its usage, its mis-usage and the security implications. The attack vectors are not only mentioned or explained in theory, they are given an example story as context, and for understanding attackers' motivation, and then carefully detail the technical aspects to form a clear picture of the problem which then prepares the reader to understand and accept the suggested "dos and don'ts".

The book gives good attention to a bigger picture: JavaScript's capabilities and limitations, the impact of the available variety of browsers, development frameworks, social aspects and more. Even QA of JavaScript and Ajax application is mentioned, though, I think that such a topic cannot be sufficiently covered in a single overview chapter (in this book the authors tried to give an overview while presenting a few tools and discussing their advantages and disadvantages), and is well deserved to be covered in detail and with a lot of examples in a separate title.

I especially appreciated the good job that the authors did, in my opinion, to convey, what I think is the most important security related detail about JavaScript and Ajax: Never ever trust anything that is being executed, stored and calculated on the client side!

I found the book to be more than just a source of information, something that will bring me up to speed with the field's jargon. I found it to be inspiring. I cannot wait for a similar book on browser plug-in security. I hope that the authors have something like that cooking already.

The book, as you might understand already, is highly recommended.

4 of 5 people found the following review helpful
5.0 out of 5 stars Ajax Security, March 10, 2008
A. Sharma "ajay" (owings Mills,MD United States) - See all my reviews
This review is from: Ajax Security (Paperback)
This is a very good book. I've created so many websites using AJAX technology. This book enabled me to check how secure the websites are. I am glad that I fulfilled all the details without having thorough knowledge of AJAX security. But this book has collected all the security check points in one place.

5.0 out of 5 stars Will change your perspective on security, March 31, 2010
This review is from: Ajax Security (Paperback)
This book should be required reading for anyone who is developing, working with, or even managing a web application. The application doesn't even have to use Ajax. Most of the concepts in this book are security practices for non-Ajax applications that have been extended and applied to Ajax; not the other way around. For example, SQL injection attacks can exist whether an application uses Ajax or not, but Ajax provides an attacker other "entry points" to try to attack your application. Each service, method, and parameter is considered an entry point.

The book itself is well written. The style of writing is engaging. The only non-exciting part of the book is the chapter on client side storage (i.e. cookies, Flash data objects, local storage), but this is not the authors' fault. The topic itself is not very exciting and I found myself reading it quickly so I could get to the next chapter. One of the most interesting chapters is the one on JavaScript worms, like the Samy worm. Also interesting are the occasional mentions of studies and discoveries in the security community. For example, the authors describe a proof-of-concept port scanner they wrote using JavaScript alone, which has the capability of scanning IP addresses and detecting the type of web server they run (using the JS Image object). Another interesting example was using the :hover CSS class along with JavaScript to detect sites that a user has visited.

After reading this book, I am finding myself correcting security errors I am only now finding in my projects. Some corrections I've made concern JSON, the GET vs. POST issue, and others. With the corrections made, I feel that my applications are a lot safer. This book helped make that happen.

4.0 out of 5 stars Lots of scenarios, great information!, August 2, 2013
Verified Purchase
This review is from: Ajax Security (Kindle Edition)
I purchased this book as a self imposed course to help me write better, safer, and more secure web applications. The authors did a fabulous job in putting together scenarios to illustrate how websites are hacked. They also described ways in which the attacks could be prevented and reiterated their points throughout the book. By the time you complete the book, you will definitely know that you should validate every single source of input whether it's through a form, through the URL, or other source before executing any SQL using that input data, else you risk SQL Injection Attacks.

I particularly loved their solution to prevent JSON Hijacking in which you have the backend attach an infinite loop to the JSON response [ for(;;); ]. Though, in searching the web on the topic, several sites recommend a different approach that ensures your JSON response is not an array:

Exploitable:
[{"object": "inside an array"}]
Not exploitable:
{"object": "not inside an array"}
Also not exploitable:
{"result": [{"object": "inside an array"}]}

As the book described, some browsers allowed the array object type to be clobbered and replaced with new javascript code. This allowed hacks to get the array data. Most if not all current browsers no longer allow this. On the other hand, the object data type cannot be clobbered (afaik). (Note: I read on the web that modern browsers no longer allow the Array object type to be clobbered).

Note, it's also recommended on many sites to use the standard CSRF prevention methods involving requesting a security token and passing the token back in the next request (described in the book and on the web). This should also help prevent JSON Hijacking.

The book felt somewhat dated due to some of the real life examples and technologies explained. It had a section that was primarily focused on Google Gears, which was not widely adopted, and eventually Google ended development on the project back in 2010. Google announced the end of development of Google Gears to shift focus to providing the same capabilities in the HTML5 web standards. It would be interesting to hear the authors' analysis of that.

Despite its dated feel, I still recommend this book. Much of the information is still relevant and would be beneficial to anyone looking to build websites that are more secure. Hopefully in the future, the authors will create a new revision that will include updated information and validate the common attack prevention techniques found on the web today.

I recommend reading this book as a foundation to learning about building secure web sites, services, and applications. After reading this book, a number of web searches can help bring you up to date on the more modern methods to prevent hacking attacks.

5.0 out of 5 stars Great book, decidedly a must have for Ajax developers, March 12, 2011
This review is from: Ajax Security (Paperback)
This is a particularly useful book for any Javascript developer, especially one who is using Ajax or is thinking of adopting Ajax into their web designs.

I have been a web developer for fifteen years, had to rip apart javascript worms and trojans, reconstruct websites that have been compromised, and generally been through much pain and suffering over the years. I take security seriously and, having attended talks from the authors, I can specifically state the authors know their field well, describe the problems well, describe the solutions well, and most importantly educate you on the mentality of an attacker.

This book is clearly laid out and explains not only the problem and solutions, but likely situations an adversary would use to take over your web site.

As they point out exceedingly well, your website attack surface increases drastically when you expose more to the outside world. It's also impossible to completely secure a language like Javascript which is designed to be as flexible as possible. This book will prepare you to deal with many of the common and not so common scenarios, keep you from falling into a variety of bad programming traps, and generally help you make your site less attractive to attackers.

The one thing that I would like to see is an update - This book came out before Google Chrome made its debut, and a look at current HTML5 standards and mobile device access would be a useful update. Hint hint... ;)

Even though this book is now getting older, it remains a very valuable companion. The information covers end to end application security and as such rates five stars.

The caveats are: This book needs a second edition, it is not designed to be a comprehensive resource for securing the server, does not cover third party security frameworks in much depth, it does not deal with security coverage of particular frameworks such as Sencha, Yui, Mootools, etc. and it will not really help script kiddies. But that's not really the point anyway.

It also does not directly deal with project management, server side development and unit testing methodologies, or long term strategies like regression testing.

If you are serious about building websites, you will save yourself a lot of pain figuring out what happened to your site after the fact.

0 of 1 people found the following review helpful
5.0 out of 5 stars Clear book that ALL web developers & security specialists should read, August 10, 2009
TIM WILLIAMS (Reading, Berkshire, UK) - See all my reviews
This review is from: Ajax Security (Paperback)
I have many hundreds of books, mostly technical, accumulated over 20 years of working in IT.

In my view this is one of the most important books I have ever read, not because it's long (it's not) or very advanced (it's not) but because it explains very, very clearly:

- why AJAX is such an important technology (so far the most widely accessible technology to deliver on the promise of 'write once, run anywhere', already in its short life far more widely available and useful than any other client/server technology, including Java, has ever become)

- why security is such a big issue for AJAX applications (they have all of the risks of fat clients, plus all of the risks of thin clients)

- what can be done practically, and at comparatively little cost and effort, through the application of good security design practices to mitigate the risks

In simple terms, this is a book about the positive 'enabling' side of security, providing valuable insight into how to deliver all the benefits of AJAX without suffering negative consequences.

I can't think of many books I've read that contain this much valuable content and insight in such a concise and clearly written form. Even if I were only to use the insight that this book provides for one small personal project, it would be worth far more than the cover price.

What makes the content all the more valuable though, is that the insight provided by this book is not a 'one hit wonder', it's actually a look ahead into the next few years of where the major volume of new IT Security work is likely to come from.

How many books can you think of that actually show you clearly where a vast new line of work is going to come from?

It's safe to say that if your work involves web applications, IT security or both to any extent (whether you're hands on, a sales person, a supplier or a budget holder) then the insights that this book provides will be relevant to you time after time after time.

Go ahead, give yourself a 'step up', buy it, read it, profit from it... and whether you agree or disagree with this view I'd be interested in hearing your own thoughts and comments...
Ajax Security by Billy Hoffman (Paperback - December 16, 2007)