Clean Up Your AJAX Security

How secure is your AJAX? This book can help you avoid the security pitfalls.

The new buzz in Web development is AJAX (Asynchronous JavaScript and XML) -- an abstract collection of Web technologies that enables developers to create richer, more user-friendly sites. AJAX is cool. But it can also be a portal to pernicious security vulnerabilities. The task of identifying and thwarting these security threats is concisely addressed in Jason Schmitt's "Secure ASP.NET AJAX Development."

Written by a Web developer for Web developers (Schmitt is group product manager for SPI Dynamics, a Web application security assessment and testing firm), this book is served up as a Digital Short Cut: a 93-page PDF document from a series that, according to the publisher, "... is tightly focused on a specific technology or technical problem," and is "designed specifically for busy technical professionals like you." It delivers on both counts.

More Than Microsoft
As the title suggests, the book is geared toward securing Web 2.0 applications running Microsoft ASP.NET AJAX (formerly code-named "Atlas"; version 1 was released last month). However, many of the concerns are relevant to any developer using an AJAX-enabled approach. Divided into four sections, Schmitt begins with a nice overview of AJAX concepts, script libraries (Yahoo! User Interface Library, the Dojo JavaScript toolkit and the Prototype JavaScript Framework), code generators (Google Web Toolkit) and application frameworks, including a good explanation of the history of Atlas and its evolution into ASP.NET AJAX. His explanations are concise and illustrated where appropriate.

Highlights
  • AJAX implementations and frameworks
  • Microsoft Atlas and AJAX
  • Risks introduced by AJAX
  • Securing ASP.NET AJAX
  • ASP.NET AJAX security testing

  Addison-Wesley
  (www.awprofessional.com)
  ISBN-10: 0-321-49810-0
  ISBN-13: 978-0-321-49810-6

He then devotes his attention to detailing the security pitfalls of AJAX and how the introduction of AJAX into even a previously secure Web application can result in dire security risks for both the server and client. Tactics such as cross-site scripting, cross-site request forgery, SQL/XML injection and XML bombing are scary. Coupled with the advent of cross-domain requests on "mashup" sites that aggregate content and the ever-growing tide of Service-Oriented Architectures (SOAs) that rely on AJAX, all of these approaches expose security risks that should make any Web developer tremble.

In the third section, Schmitt offers practical principles for securing your ASP.NET AJAX Web application from the very threats described in the previous section. This is the heart of the book. Each principle is described and further clarified through short examples of C# code. This is clearly targeted at those who develop on the ASP.NET platform, and he offers some nifty ways to leverage the security features of ASP.NET for AJAX. A fair level of programming expertise is assumed, and the approach is not so much how-to as what-you-should-do.

Last, there's a brief but invaluable section on ASP.NET AJAX security testing, replete with testing tools for threat modeling, proxies and code analysis. There's also a chart summarizing each security principle and the protection it provides, plus a handy security checklist, resources that should be part of any savvy Web developer's arsenal.

Schmitt writes with a direct, no-nonsense voice: "No matter how you try to obscure your markup or client-side scripting, it is absolutely vulnerable to reverse engineering and manipulation, without exception." He can also drive home some oft-overlooked facts about AJAX. To wit, "... your users have to have JavaScript enabled in their browsers for your AJAX application to work."

Digital Downside
There are a few grumbles with the PDF. One of the nice features of the format is embedded links: one click and your curiosity is satisfied, with no laborious retyping of the printed link into the browser's address bar. This e-book makes nice use of this feature in the URLs of the notes. However, there are several places in the text where a hyperlink would be welcome. For example, under both "Security Testing Tools" and "Code Analysis Tools" the text offers up several resources, all unlinked. Sure, a quick copy-and-paste of the names into a search engine will get you to the tool, but just as quick is the PDF's caveat: "You may copy 8 [7, 6, 5 ...] selections in this document in the next 30 days. Would you like to continue?" Very annoying, especially if you want to copy some of the code snippets, too.

This limit on copies is only evident in the PDF purchased from the Addison-Wesley Web site. If you download it from Safari Books Online you can cut-and-paste at will. However, that version has a portrait format, whereas the one from the publisher's site is in a much more readable landscape format. At present it is not available from Amazon.com.

These are minor annoyances. It is the content that matters. So, for the price of a couple of venti lattes, download this book. It's an interesting read, and it offers practical advice on how to make your ASP.NET AJAX Web applications more secure.
