java hosting

Reviewed by
Review text

Your search returned 1 matching documents

Ajax Security
by Billy Hoffman, Bryan Sullivan

Addison-Wesley Professional
1 edition
December 2007
504 pages

Reviewed by Ulf Dittmer, February 2008
  (9 of 10)

With the advent of more sophisticated client-side web apps -- facilitated by AJAX and the JavaScript XmlHttpRequest object -- have come more numerous and more easily discovered security issues. As the authors point out, AJAX combines the vulnerabilities of traditional web apps and web services.

This book is billed as "The Hands-On, Practical Guide to Preventing Ajax-Related Security Vulnerabilities", and it delivers admirably on that count. It covers in detail the wide range of attack possibilities - from traditional web attacks and JavaScript hijacking over client-side storage and offline vulnerabilities to request origin issues, mashups and even CSS. An analysis of two JavaScript worms and a couple of chapters presenting tools to help test AJAX application and popular AJAX frameworks round out the book. Many illustrations and code examples help convey the subjects, as do details of what to look out for in particular browsers or server software. It's hard to picture a web worker (be it developer, tester, producer or manager) that doesn't take away something (and more likely quite a bit) from this book.

It's written in a style that makes it easily approachable, and complex topics are explained well. Although some of the later material assumes knowledge of the earlier stuff, most chapters can be skipped if the reader isn't interested in a particular topic, and revisited later. I recommend the book to every web professional.

Discuss book in the Saloon More info at

Addison-Wesley Professional
1 edition
December 2007
504 pages

Reviewed by Jeanne Boyarsky, January 2008
  (10 of 10)

Anyone involved in developing/testing AJAX should read "AJAX Security." It covers preventing a hacker from attaching your application. The audience includes developers, QA and penetration testers. While there are code snippets, they are explained well. While managers aren't in the target audience, I think they could benefit from understanding the concepts presented in the book.

The book begins with a brief review of AJAX architecture with an emphasis on security. The writing style is quite engaging including a chapter walking you through an attack from a hacker's point of view. All the major known categories of attacks are included including resource enumeration, parameter manipulation (with SQL and XPATH injection), session hijacking, JSON hijacking, XSS, CSRF, phishing, denial of service, etc.

I particularly liked the analogies to things that happen in the physical world such as resource injection into a roommate's "to do" list and hijacking another customer's paid order in the deli. These made it easy to visualize the problem even for people who don't code often.

The authors were realistic and included the limitations and drawbacks of each tool/framework mentioned. I liked the chapter analyzing two major JavaScript worms including the source code. This really hit home on the importance of certain practices!

All information was up to date as of printing including comments on all four major browsers (IE, Firefox, Opera and Safari.) They even mentioned the HTML 5 specification. The book is not server side language specific, which was nice.

Discuss book in the Saloon More info at

The Bunkhouse administrator is Ankit Garg.