Enter your mobile number or email address below and we'll send you a link to download the free Kindle App. Then you can start reading Kindle books on your smartphone, tablet, or computer - no Kindle device required.

  • Apple
  • Android
  • Windows Phone
  • Android

To get the free app, enter your mobile phone number.

Ajax Security 1st Edition

4.8 out of 5 stars 10 customer reviews
ISBN-13: 978-0321491930
ISBN-10: 0321491939
Why is ISBN important?
This bar-code number lets you verify that you're getting exactly the right version or edition of a book. The 13-digit and 10-digit formats both work.
Scan an ISBN with your phone
Use the Amazon App to scan ISBNs and compare prices.
Have one to sell? Sell on Amazon
Buy used On clicking this link, a new layer will be open
$20.00 On clicking this link, a new layer will be open
Buy new On clicking this link, a new layer will be open
$35.48 On clicking this link, a new layer will be open
More Buying Choices
18 New from $6.50 27 Used from $0.01
Free Two-Day Shipping for College Students with Prime Student Free%20Two-Day%20Shipping%20for%20College%20Students%20with%20Amazon%20Student

The Numberlys Best Books of the Year So Far
$35.48 FREE Shipping. In Stock. Ships from and sold by Amazon.com. Gift-wrap available.
click to open popover

Editorial Reviews

From the Back Cover

The Hands-On, Practical Guide to Preventing Ajax-Related Security Vulnerabilities More and more Web sites are being rewritten as Ajax applications; even traditional desktop software is rapidly moving to the Web via Ajax. But, all too often, this transition is being made with reckless disregard for security. If Ajax applications aren't designed and coded properly, they can be susceptible to far more dangerous security vulnerabilities than conventional Web or desktop software. Ajax developers desperately need guidance on securing their applications: knowledge that's been virtually impossible to find, "until now." "Ajax Security" systematically debunks today's most dangerous myths about Ajax security, illustrating key points with detailed case studies of actual exploited Ajax vulnerabilities, ranging from MySpace's Samy worm to MacWorld's conference code validator. Even more important, it delivers specific, up-to-the-minute recommendations for securing Ajax applications in each major Web programming language and environment, including .NET, Java, PHP, and even Ruby on Rails. You'll learn how to: - Mitigate unique risks associated with Ajax, including overly granular Web services, application control flow tampering, and manipulation of program logic - Write new Ajax code more safely-and identify and fix flaws in existing code - Prevent emerging Ajax-specific attacks, including JavaScript hijacking and persistent storage theft - Avoid attacks based on XSS and SQL Injection-including a dangerous SQL Injection variant that can extract an entire backend database with just two requests - Leverage security built into Ajax frameworks like Prototype, Dojo, and ASP.NET AJAX Extensions-and recognize what you still must implement on your own - Create more secure "mashup" applications "Ajax Security" will be an indispensable resource for developers coding or maintaining Ajax applications; architects and development managers planning or designing new Ajax software, and all software security professionals, from QA specialists to penetration testers.

About the Author

Billy Hoffman is the lead researcher for HP Security Labs of HP Software. At HP, Billy focuses on JavaScript source code analysis, automated discovery of Web application vulnerabilities, and Web crawling technologies. He has worked in the security space since 2001 after he wrote an article on cracking software for 2600, “The Hacker Quarterly,” and learned that people would pay him to be curious. Over the years Billy has worked a variety of projects including reverse engineering file formats, micro-controllers, JavaScript malware, and magstripes. He is the creator of Stripe Snoop, a suite of research tools that captures, modifies, validates, generates, analyzes, and shares data from magstripes. Billy’s work has been featured in Wired, Make magazine, Slashdot, G4TechTV, and in various other journals and Web sites. Billy is a regular presenter at hacker conferences including Toorcon, Shmoocon, Phreaknic, Summercon, and Outerz0ne and is active in the South East hacking scene. Occasionally the suits make him take off the black t-shirt and he speaks at more mainstream security events including RSA, Infosec, AJAXWorld, and Black Hat. Billy graduated from the Georgia Institute of Technology in 2005 with a BS in Computer Science with specializations in networking and embedded systems. He lives in Atlanta with his wife and two tubby and very spoiled cats.


Bryan Sullivan is a software development manager for the Application Security Center division of HP Software. He has been a professional software developer and development manager for over 12 years, with the last five years focused on the Internet security software industry. Prior to HP, Bryan was a security researcher for SPI Dynamics, a leading Web application security company acquired by HP in August 2007.While at SPI, he created the DevInspect product, which analyzes Web applications for security vulnerabilities during development. Bryan is a frequent speaker at industry events, most recently AjaxWorld, Black Hat, and RSA. He was involved in the creation of the Application Vulnerability Description Language (AVDL) and has three patents on security assessment and remediation methodologies pending review. He is a graduate of the Georgia Institute of Technology

with a BS in Applied Mathematics. When he’s not trying to break the Internet, Bryan spends as much time as he can on the golf links. If any Augusta National members are reading this, Bryan would be exceedingly happy to tell you everything he knows about Ajax security over a round or two.


The latest book club pick from Oprah
"The Underground Railroad" by Colson Whitehead is a magnificent novel chronicling a young slave's adventures as she makes a desperate bid for freedom in the antebellum South. See more

Product Details

  • Paperback: 504 pages
  • Publisher: Addison-Wesley Professional; 1 edition (December 16, 2007)
  • Language: English
  • ISBN-10: 0321491939
  • ISBN-13: 978-0321491930
  • Product Dimensions: 6.9 x 1.2 x 9.1 inches
  • Shipping Weight: 2.2 pounds (View shipping rates and policies)
  • Average Customer Review: 4.8 out of 5 stars  See all reviews (10 customer reviews)
  • Amazon Best Sellers Rank: #2,255,943 in Books (See Top 100 in Books)

Customer Reviews

Top Customer Reviews

Format: Paperback
Ajax Security was the last book I read and reviewed in 2007. However, it was the best book I read all year. The book is absolutely compelling and every security professional and Web developer should read it. It's really as simple as that.

I am not a Web developer. I was not very familiar with Ajax (beyond its buzzword status and a vague notion of functionality) when I started reading Ajax Security. I attended the authors' Black Hat 2007 talk and was thoroughly impressed and disturbed by the security implications they presented. I expected Ajax Security to be a good book, but one can never be sure if talented hackers and presenters can transfer their skills to the written word. Ajax Security gets the job done.

Despite being a traditional network security guy who prefers inspecting traffic to analyzing JavaScript, I had no problem understanding Ajax Security. The authors do a superb job leading the reader through the issues surrounding modern Web applications. They start by introducing a technology, which is critical for someone like me who doesn't deal with Web development issues. Next they describe how it is broken. They continue with defensive recommendations and summarize their findings in the conclusion. This is a perfect technical writing style that is too often lost on other authors.

Ajax Security makes very good use of case studies (both large stories like ch 2 and small ones throughout the text). The book also integrates code, diagrams, and screen shots. The text itself is very clear and the authors keep the reader's attention throughout. Histories for various technologies provide a welcome background, showing readers how we've ended up in our current Web 2.0 predicament.
Read more ›
Comment 15 people found this helpful. Was this review helpful to you? Yes No Sending feedback...
Thank you for your feedback.
Sorry, we failed to record your vote. Please try again
Report abuse
Format: Paperback
Anyone involved in developing/testing AJAX should read "AJAX Security." It covers preventing a hacker from attaching your application. The audience includes developers, QA and penetration testers. While there are code snippets, they are explained well. While managers aren't in the target audience, I think they could benefit from understanding the concepts presented in the book.

The book begins with a brief review of AJAX architecture with an emphasis on security. The writing style is quite engaging including a chapter walking you through an attack from a hacker's point of view. All the major known categories of attacks are included including resource enumeration, parameter manipulation (with SQL and XPATH injection), session hijacking, JSON hijacking, XSS, CSRF, phishing, denial of service, etc.

I particularly liked the analogies to things that happen in the physical world such as resource injection into a roommate's "to do" list and hijacking another customer's paid order in the deli. These made it easy to visualize the problem even for people who don't code often.

The authors were realistic and included the limitations and drawbacks of each tool/framework mentioned. I liked the chapter analyzing two major JavaScript worms including the source code. This really hit home on the importance of certain practices!

All information was up to date as of printing including comments on all four major browsers (IE, Firefox, Opera and Safari.) They even mentioned the HTML 5 specification. The book is not server side language specific, which was nice.
Comment 10 people found this helpful. Was this review helpful to you? Yes No Sending feedback...
Thank you for your feedback.
Sorry, we failed to record your vote. Please try again
Report abuse
Format: Paperback
Are you a web developer? Do you believe you can ensure that your client-side code will function as expected? Well, you are wrong. In Ajax Security you will find out why.

Ajax changes the game in that it moves business logic to the client. In doing so it increases the attack surface of the application. The authors get curious with some real world Ajax frameworks such as Prototype, Dojo, and Microsoft Ajax. They demonstrate with these frameworks how developers might be unknowingly building vulnerabilities into their applications. If you're home brewing Ajax, the authors cover important security considerations you'll need to know so that you don't make the same mistakes the industry leaders have made.

I learned a lot about JavaScript from reading this book. I learned even more about how JavaScript can be used maliciously. The authors describe techniques for function clobbering, JSON hijacking, storage attacks, and presentation layer attacks. One of my favorite parts of the book, not to mention one of the scariest, is an explanation of how to hide malicious JavaScript from signature based anti-virus software.

The authors explain why the Same-Origin Policy is broken and how it can be subverted. Also covered are security considerations for offline applications. An in-depth analysis of Ajax worms is covered. If you are curious about how Ajax is changing web security you should read this book. If your are a web developer or a security professional you should read this book, even if you aren't using Ajax. If you don't believe cross-site scripting is a "big deal", I dare you to read this book and maintain the same opinion.
Comment 7 people found this helpful. Was this review helpful to you? Yes No Sending feedback...
Thank you for your feedback.
Sorry, we failed to record your vote. Please try again
Report abuse
Format: Paperback Verified Purchase
A lot of examples shows how absolutely everything could be attacked and corrupted in the chain of components used for building ajax applications, from css (yes even css) to html, from javascript to http, from browser to server ... Sometimes there's too much lines about evident things and sometimes things seems more proof of concept than real possible attacks. But these guys know what they are talking about. This is an excellent book that every serious ajax developer must have read, specially if they plan to make mashups or let their users bring and share things using their applications.
Comment 3 people found this helpful. Was this review helpful to you? Yes No Sending feedback...
Thank you for your feedback.
Sorry, we failed to record your vote. Please try again
Report abuse

Most Recent Customer Reviews

Set up an Amazon Giveaway

Ajax Security
Amazon Giveaway allows you to run promotional giveaways in order to create buzz, reward your audience, and attract new followers and customers. Learn more about Amazon Giveaway
This item: Ajax Security
Pages with Related Products. See and discover other items: computer security