This post was last edited by 石头 on 2009-12-21 20:04
Authors: Billy Hoffman, Bryan Sullivan
Publication date: December 16, 2007
Publisher: Addison Wesley
Pages: 504
ISBN-10: 0321491939; ISBN-13: 978-0321491930
File format: PDF
The Hands-On, Practical Guide to Preventing Ajax-Related Security Vulnerabilities
More and more Web sites are being rewritten as Ajax applications; even traditional desktop software is rapidly moving to the Web via Ajax. But, all too often, this transition is being made with reckless disregard for security. If Ajax applications aren’t designed and coded properly, they can be susceptible to far more dangerous security vulnerabilities than conventional Web or desktop software. Ajax developers desperately need guidance on securing their applications: knowledge that’s been virtually impossible to find, until now.
Ajax Security systematically debunks today’s most dangerous myths about Ajax security, illustrating key points with detailed case studies of actual exploited Ajax vulnerabilities, ranging from MySpace’s Samy worm to MacWorld’s conference code validator. Even more important, it delivers specific, up-to-the-minute recommendations for securing Ajax applications in each major Web programming language and environment, including .NET, Java, PHP, and even Ruby on Rails. You’ll learn how to:
· Mitigate unique risks associated with Ajax, including overly granular Web services, application control flow tampering, and manipulation of program logic
· Write new Ajax code more safely—and identify and fix flaws in existing code
· Prevent emerging Ajax-specific attacks, including JavaScript hijacking and persistent storage theft
· Avoid attacks based on XSS and SQL Injection—including a dangerous SQL Injection variant that can extract an entire backend database with just two requests
· Leverage security built into Ajax frameworks like Prototype, Dojo, and ASP.NET AJAX Extensions—and recognize what you still must implement on your own
· Create more secure “mashup” applications
Ajax Security will be an indispensable resource for developers coding or maintaining Ajax applications, architects and development managers planning or designing new Ajax software, and all software security professionals, from QA specialists to penetration testers.
About the Author
Billy Hoffman is the lead researcher for HP Security Labs of HP Software. At HP, Billy focuses on JavaScript source code analysis, automated discovery of Web application vulnerabilities, and Web crawling technologies. He has worked in the security space since 2001 after he wrote an article on cracking software for 2600, “The Hacker Quarterly,” and learned that people would pay him to be curious. Over the years Billy has worked on a variety of projects including reverse engineering file formats, micro-controllers, JavaScript malware, and magstripes. He is the creator of Stripe Snoop, a suite of research tools that captures, modifies, validates, generates, analyzes, and shares data from magstripes. Billy’s work has been featured in Wired, Make magazine, Slashdot, G4TechTV, and in various other journals and Web sites. Billy is a regular presenter at hacker conferences including Toorcon, Shmoocon, Phreaknic, Summercon, and Outerz0ne and is active in the South East hacking scene. Occasionally the suits make him take off the black t-shirt and he speaks at more mainstream security events including RSA, Infosec, AJAXWorld, and Black Hat. Billy graduated from the Georgia Institute of Technology in 2005 with a BS in Computer Science with specializations in networking and embedded systems. He lives in Atlanta with his wife and two tubby and very spoiled cats.
Bryan Sullivan is a software development manager for the Application Security Center division of HP Software. He has been a professional software developer and development manager for over 12 years, with the last five years focused on the Internet security software industry. Prior to HP, Bryan was a security researcher for SPI Dynamics, a leading Web application security company acquired by HP in August 2007. While at SPI, he created the DevInspect product, which analyzes Web applications for security vulnerabilities during development. Bryan is a frequent speaker at industry events, most recently AjaxWorld, Black Hat, and RSA. He was involved in the creation of the Application Vulnerability Description Language (AVDL) and has three patents on security assessment and remediation methodologies pending review. He is a graduate of the Georgia Institute of Technology with a BS in Applied Mathematics. When he’s not trying to break the Internet, Bryan spends as much time as he can on the golf links. If any Augusta National members are reading this, Bryan would be exceedingly happy to tell you everything he knows about Ajax security over a round or two.