This book should be required reading for anyone who is developing, working with, or even managing a web application. The application doesn't even have to use Ajax. Most of the concepts in this book are security practices for non-Ajax applications that have been extended and applied to Ajax; not the other way around. For example, SQL injection attacks can exist whether an application uses Ajax or not, but Ajax provides an attacker other "entry points" to try to attack your application. Each service, method, and parameter is considered an entry point.



The book itself is well written. The style of writing is engaging. The only non-exciting part of the book is the chapter on client side storage (i.e. cookies, Flash data objects, local storage), but this is not the authors' fault. The topic itself is not very exciting and I found myself reading it quickly so I could get to the next chapter. One of the most interesting chapters is the one on JavaScript worms, like the Samy worm. Also interesting are the occasional mentions of studies and discoveries in the security community. For example, the authors describe a proof-of-concept port scanner they wrote using JavaScript alone, which has the capability of scanning IP addresses and detecting the type of web server they run (using the JS Image object). Another interesting example was using the :hover CSS class along with JavaScript to detect sites that a user has visited.



After reading this book, I am finding myself correcting security errors I am only know finding in my projects. Some corrections I've made concern JSON, the GET vs. POST issue, and others. With the corrections made, I feel that my applications are a lot safer. This book helped make that happen.

Скачать книгу бесплатно (pdf, 12.45 Mb)

---

Читать «Ajax Security»