Java IoT Authors: Carmen Gonzalez, Elizabeth White, TJ Randall, Hollis Tibbetts, Pat Romanski

Related Topics: IoT User Interface, Java IoT, Microsoft Cloud

IoT User Interface: Article

AJAX Book Recommendation: "Ajax Security" by Hoffman and Sullivan

If you call yourself a professional web developer, you need this book

Brian Dilllard's "Ajile Ajax" Blog

Reviewers overuse the phrase "required reading," but no other description fits the new book "Ajax Security" (2007, Addison Wesley, 470p). This exhaustive tome from Billy Hoffman and Bryan Sullivan places the specific security concerns of the Ajax programming model in historical perspective. It demonstrates not only new security threats that are unique to Ajax, but established threats that have gained new traction in the Web 2.0 era. It then details both the specific technical solutions and - more importantly - the mindset that are necessary to combat such threats. If you call yourself a professional web developer, you need this book.

Because so many developers have historically overlooked the importance of security, the authors approach their topic for what it is: a remedial subject. They take pains to explain the basic mechanisms by which hackers have exploited insecure web applications over the last decade: cross-site request forgeries, denial of service attacks, cross-site scripting and SQL injection. Then they explain how those mechanisms have changed thanks to the rise of xmlHttpRequest, public APIs, mash-ups and aggregators. If you've ever read a Douglas Crockford rant about the "brokenness" of the web security model and wondered why the guy was such an alarmist, Hoffman and Sullivan are only too happy to provide you with a much-needed wake-up call.

"Ajax Security" is written in a clear, direct style that mixes compelling narrative examples with both high-level technical discussions and granular programming how-tos. The authors even fashion Chapter 2, "The Heist," into a miniature techno-thriller, walking us through a day in the life of a fictitious hacker named Eve who practically cackles like a "Mission: Impossible" villain when she discovers the holes in an Ajax web app. The book's mixture of intro-level concepts, real-world analogies and advanced code examples should be jarring, but isn't, thanks to its conversational tone. "Ajax Security" should therefore prove useful to a broad range of readers:

  • Developers who either have failed to develop a working knowledge of application security, or whose knowledge has become outdated after recent technological advances.
  • Security professionals who haven't kept pace with the rapidly evolving world of Ajax and other client-side technologies.
  • Technology managers who need to understand the risks as well as the rewards of the new technologies their engineers are pitching.
  • Business users who seek a better understanding of the technologies that power the web and how they can be exploited for malicious ends.

In order to serve all of these readers, "Ajax Security" spends a few chapters establishing the basics of traditional web security. It's worth slogging through these chapters even if you think you're a hardened veteran. The authors get to their central thesis pretty quickly, during a discussion of the "attack surface" of Ajax applications:

In a nutshell, the attack surface of an Ajax application is essentially the complete attack surface of a traditional Web application plus the complete attack surface of a Web service.... Where are all the secret attacks that can instantly destroy any Ajax application? For better or worse, there aren't any. If just being sure to defend against a particular attack was all there was to Ajax security, then this would be a pretty short book.... [D]efending an Ajax application is really just like defending both a Web application and a Web service - all at the same time. This is the price you must pay for expanding the functionality of your site.

Once Hoffman and Sullivan have spelled out this mission statement, the book kicks into high gear with chapters on the business-logic transparency of Ajax applications; the security vulnerabilities of JavaScript, JSON and even CSS; the risk of client-side storage and offline frameworks; and the security considerations of mashups and aggregator sites. I could fill an entire month's worth of blog posts with all of the individual tools, techniques and surprising facts in this book. Here's a random sampling:

  • XHR requests that return raw query results as JSON- or XML-formatted data can make classic SQL injection attacks almost effortless.
  • Offline frameworks such as Google Gears can store sensitive data on user machines without providing a GUI for ever purging that data. When a Gears-enabled web app isn't sufficiently locked down, this increases the user's vulnerability considerably.
  • Public APIs can provide a trojan horse in which an attacker bypasses a web service's built-in security features by posing as or piggybacking on a trusted API consumer.
  • JavaScript is hardly the only vector of attack against Ajax applications. CSS files can expose a host of their own unique vulnerabilities. Image paths in global CSS files can reveal the locations of hidden administrative interfaces, while CSS hijacking can enable phishing scams called "look and feel hacks."

Messrs. Sullivan and Hoffman do more than simply list the vulnerabilities of the Ajax programming model. They also conduct hands-on research into the ways existing companies leverage Ajax and offer advice about how to learn from their mistakes. Consider the following three examples:

Review continues on the next page...

More Stories By Brian J. Dillard

Brian J. Dillard joined Pathfinder Development in August 2007 as RIA Evangelist. After 12 years of focusing on the view layer of large consumer web apps, his role at Pathfinder Associates is one of research, development and ongoing commentary. He prototypes new rich UI features; contributes to open-source and client projects; and otherwise helps build Pathfinder's competency in the AJAX world. Along with Pathfinder CTO Dietrich Kappe, Dillard contributes to the 'Agile Ajax' blog (http://blogs.pathf.com/agileajax). He is also the project lead on Really Simple History, a JavaScript library for AJAX bookmark and back-button management.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.

@ThingsExpo Stories
For basic one-to-one voice or video calling solutions, WebRTC has proven to be a very powerful technology. Although WebRTC’s core functionality is to provide secure, real-time p2p media streaming, leveraging native platform features and server-side components brings up new communication capabilities for web and native mobile applications, allowing for advanced multi-user use cases such as video broadcasting, conferencing, and media recording.
Established in 1998, Calsoft is a leading software product engineering Services Company specializing in Storage, Networking, Virtualization and Cloud business verticals. Calsoft provides End-to-End Product Development, Quality Assurance Sustenance, Solution Engineering and Professional Services expertise to assist customers in achieving their product development and business goals. The company's deep domain knowledge of Storage, Virtualization, Networking and Cloud verticals helps in delivering ...
SYS-CON Events announced today that Cloudbric, a leading website security provider, will exhibit at the 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. Cloudbric is an elite full service website protection solution specifically designed for IT novices, entrepreneurs, and small and medium businesses. First launched in 2015, Cloudbric is based on the enterprise level Web Application Firewall by Penta Security Sys...
The best way to leverage your Cloud Expo presence as a sponsor and exhibitor is to plan your news announcements around our events. The press covering Cloud Expo and @ThingsExpo will have access to these releases and will amplify your news announcements. More than two dozen Cloud companies either set deals at our shows or have announced their mergers and acquisitions at Cloud Expo. Product announcements during our show provide your company with the most reach through our targeted audiences.
In the next five to ten years, millions, if not billions of things will become smarter. This smartness goes beyond connected things in our homes like the fridge, thermostat and fancy lighting, and into heavily regulated industries including aerospace, pharmaceutical/medical devices and energy. “Smartness” will embed itself within individual products that are part of our daily lives. We will engage with smart products - learning from them, informing them, and communicating with them. Smart produc...
SYS-CON Events announced today that 910Telecom will exhibit at the 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. Housed in the classic Denver Gas & Electric Building, 910 15th St., 910Telecom is a carrier-neutral telecom hotel located in the heart of Denver. Adjacent to CenturyLink, AT&T, and Denver Main, 910Telecom offers connectivity to all major carriers, Internet service providers, Internet backbones and ...
SYS-CON Events announced today that Coalfire will exhibit at the 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. Coalfire is the trusted leader in cybersecurity risk management and compliance services. Coalfire integrates advisory and technical assessments and recommendations to the corporate directors, executives, boards, and IT organizations for global brands and organizations in the technology, cloud, health...
SYS-CON Events announced today that Transparent Cloud Computing (T-Cloud) Consortium will exhibit at the 19th International Cloud Expo®, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. The Transparent Cloud Computing Consortium (T-Cloud Consortium) will conduct research activities into changes in the computing model as a result of collaboration between "device" and "cloud" and the creation of new value and markets through organic data proces...
WebRTC defines no default signaling protocol, causing fragmentation between WebRTC silos. SIP and XMPP provide possibilities, but come with considerable complexity and are not designed for use in a web environment. In his session at @ThingsExpo, Matthew Hodgson, technical co-founder of the Matrix.org, discussed how Matrix is a new non-profit Open Source Project that defines both a new HTTP-based standard for VoIP & IM signaling and provides reference implementations.
The Internet of Things (IoT), in all its myriad manifestations, has great potential. Much of that potential comes from the evolving data management and analytic (DMA) technologies and processes that allow us to gain insight from all of the IoT data that can be generated and gathered. This potential may never be met as those data sets are tied to specific industry verticals and single markets, with no clear way to use IoT data and sensor analytics to fulfill the hype being given the IoT today.
In his general session at 18th Cloud Expo, Lee Atchison, Principal Cloud Architect and Advocate at New Relic, discussed cloud as a ‘better data center’ and how it adds new capacity (faster) and improves application availability (redundancy). The cloud is a ‘Dynamic Tool for Dynamic Apps’ and resource allocation is an integral part of your application architecture, so use only the resources you need and allocate /de-allocate resources on the fly.
We're entering the post-smartphone era, where wearable gadgets from watches and fitness bands to glasses and health aids will power the next technological revolution. With mass adoption of wearable devices comes a new data ecosystem that must be protected. Wearables open new pathways that facilitate the tracking, sharing and storing of consumers’ personal health, location and daily activity data. Consumers have some idea of the data these devices capture, but most don’t realize how revealing and...
A completely new computing platform is on the horizon. They’re called Microservers by some, ARM Servers by others, and sometimes even ARM-based Servers. No matter what you call them, Microservers will have a huge impact on the data center and on server computing in general. Although few people are familiar with Microservers today, their impact will be felt very soon. This is a new category of computing platform that is available today and is predicted to have triple-digit growth rates for some ...
SYS-CON Events announced today that MathFreeOn will exhibit at the 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. MathFreeOn is Software as a Service (SaaS) used in Engineering and Math education. Write scripts and solve math problems online. MathFreeOn provides online courses for beginners or amateurs who have difficulties in writing scripts. In accordance with various mathematical topics, there are more tha...
In past @ThingsExpo presentations, Joseph di Paolantonio has explored how various Internet of Things (IoT) and data management and analytics (DMA) solution spaces will come together as sensor analytics ecosystems. This year, in his session at @ThingsExpo, Joseph di Paolantonio from DataArchon, will be adding the numerous Transportation areas, from autonomous vehicles to “Uber for containers.” While IoT data in any one area of Transportation will have a huge impact in that area, combining sensor...
SYS-CON Events announced today that SoftNet Solutions will exhibit at the 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. SoftNet Solutions specializes in Enterprise Solutions for Hadoop and Big Data. It offers customers the most open, robust, and value-conscious portfolio of solutions, services, and tools for the shortest route to success with Big Data. The unique differentiator is the ability to architect and ...
More and more brands have jumped on the IoT bandwagon. We have an excess of wearables – activity trackers, smartwatches, smart glasses and sneakers, and more that track seemingly endless datapoints. However, most consumers have no idea what “IoT” means. Creating more wearables that track data shouldn't be the aim of brands; delivering meaningful, tangible relevance to their users should be. We're in a period in which the IoT pendulum is still swinging. Initially, it swung toward "smart for smar...
@ThingsExpo has been named the Top 5 Most Influential Internet of Things Brand by Onalytica in the ‘The Internet of Things Landscape 2015: Top 100 Individuals and Brands.' Onalytica analyzed Twitter conversations around the #IoT debate to uncover the most influential brands and individuals driving the conversation. Onalytica captured data from 56,224 users. The PageRank based methodology they use to extract influencers on a particular topic (tweets mentioning #InternetofThings or #IoT in this ...
SYS-CON Events announced today that Niagara Networks will exhibit at the 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. Niagara Networks offers the highest port-density systems, and the most complete Next-Generation Network Visibility systems including Network Packet Brokers, Bypass Switches, and Network TAPs.
In an era of historic innovation fueled by unprecedented access to data and technology, the low cost and risk of entering new markets has leveled the playing field for business. Today, any ambitious innovator can easily introduce a new application or product that can reinvent business models and transform the client experience. In their Day 2 Keynote at 19th Cloud Expo, Mercer Rowe, IBM Vice President of Strategic Alliances, and Raejeanne Skillern, Intel Vice President of Data Center Group and ...