Book Review: AJAX Security

In the interest of full disclosure, I was sent this book by Pearson Education in hopes that I would review it. I'm reviewing this book, however, in the interest of my audience.

AJAX Security

Written By Billy Hoffman, Bryan Sullivan

Published By Addison Wesley / Pearson Education

Publisher Summary: More and more Web sites are being rewritten as AJAX applications; even traditional desktop software is rapidly moving to the Web via AJAX. But, all too often, this transition is being made with reckless disregard for security. If AJAX applications aren't designed and coded properly, they can be susceptible to far more dangerous security vulnerabilities than conventional Web or desktop software. AJAX developers desperately need guidance on securing their applications: knowledge that's been virtually impossible to find, until now.

AJAX Security systematically debunks today's most dangerous myths about AJAX security, illustrating key points with detailed case studies of actual exploited AJAX vulnerabilities, ranging from MySpace's Samy worm to MacWorld's conference code validator. Even more important, it delivers specific, up-to-the-minute recommendations for securing AJAX applications in each major Web programming language and environment, including .NET, Java, PHP, and even Ruby on Rails. You'll learn how to:

  • Mitigate unique risks associated with AJAX, including overly granular Web services, application control flow tampering, and manipulation of program logic
  • Write new AJAX code more safely—and identify and fix flaws in existing code
  • Prevent emerging AJAX-specific attacks, including JavaScript hijacking and persistent storage theft
  • Avoid attacks based on XSS and SQL Injection—including a dangerous SQL Injection variant that can extract an entire backend database with just two requests
  • Leverage security built into AJAX frameworks like Prototype, Dojo, and ASP.NET AJAX Extensions—and recognize what you still must implement on your own
  • Create more secure "mashup" applications

AJAX Security will be an indispensable resource for developers coding or maintaining AJAX applications; architects and development managers planning or designing new AJAX software, and all software security professionals, from QA specialists to penetration testers.

The Review

Though the ideas of AJAX and security aren't exactly oxymorons, they don't go hand in hand either. I've always felt that PHP <-> AJAX scripts have more potential for security problems than most other scripts. AJAX scripts have the tendency to assume too much. AJAX Security aims to show readers how to tighten up your AJAX code, both server side and client side.

The book begins with defining AJAX-related terms: XHR, XML, JavaScript, and DHTML. The first chapter also covers AJAX web application flow. Most experienced developers could safely skip this chapter.

Chapter two presents an example website and a case of AJAX hijacking. It is a very basic example, but it sets the tone for those who don't have much experience with AJAX.

Chapter three covers basic web attacks including CSRF, phishing, and DoS attacks. Pretty basic, but inexperienced developers will find this information helpful.

Chapter four does a masterful job of covering the "AJAX surface area." AJAX hackers have many ways of disrupting the data and intended flow of your AJAX: manipulating form (visible and hidden) values, cookies, headers, querystring parameters, and uploaded files. The best defense against AJAX hacks is knowing thy enemy and AJAX Security makes sure you know what you're up against.

In chapter five, AJAX Security addresses code complexity. String operations, code comments, and JavaScript quirks are covered. The chapter is really quick and not as important to the book as most others.

Chapter six discusses "black box" applications versus "white box" applications -- both being different views and flows of websites. AJAX tends to blur the lines between white and black and how you protect your gray website is extremely important.

Chapter seven, titled "Hijacking AJAX Applications," discusses "clobbering" AJAX functions. The chapter covers exploiting JavaScript AJAX functions and JSON APIs.

Chapter eight, "Attacking Client-Side Storage," naturally covers attacking information you've given to the client -- most notably cookies. Since we don't have control over cookies between page requests, we can't completely trust the information stored in them. Unfortunately, cookies can be a necessary evil. The key is to not put too much information in them.

Chapter nine covers the rare offline AJAX application. Offline AJAX isn't nearly as popular as traditional online AJAX, but the offline counterpart is just as prone to attack. Don't leave your offline application open to attack!

Chapter ten, titled "Request Origin Issues," covers "robots, spiders, browsers, and other creepy crawlers." As you know, with Firefox plugins like User Agent Switcher, you can switch the user agent you provide to the server. Not anticipating attacks for "meant-to-be-harmless" user agent sources can leave your application wide open to attack.

Chapter eleven discusses the current rage on the internet: mashups. With social networking and bookmarking applications providing APIs to anyone who will use their service, everyone and their mother are looking to Frankenstein an application together. Programmers who create mashups need to understand the responsibility of keeping the data they receive safe.

Chapter twelve, titled "Attacking the Presentation Layer," covers just that. My favorite line from this chapter: "Consider a website that has 1,000 pages--all of which have some common styling information that is stored in style.css." One of the best ways to attack a website is to try to gather information that is common to the site as a whole. Accessing stylesheets is as simple as a "view source."

Chapter thirteen discusses JavaScript worms, a topic not mentioned among developers as often as CSRF attacks or parameter manipulation. XSS worms have the ability to completely cripple a website.

Chapter fourteen, "Testing AJAX Applications," provides great information on how you should test your web application. Due to the number of ways that AJAX applications can be penetrated, testing your AJAX apps is extremely important. Like any application, fixing errors before deployment is ten times easier than after.

Chapter fifteen examines popular AJAX frameworks for ASP.NET, PHP (Sajax), Java EE, and the popular JavaScript framework Prototype. Unfortunately Prototype is the only JavaScript framework that receives mention. I was hoping that more frameworks like jQuery and MooTools would get play.

Favorite Chapter

My favorite chapter of AJAX Security was definitely Chapter 4, "AJAX Attack Surface." As I said earlier, the best way you can start to combat the enemy (Mr. AJAX Hack) is to know him. AJAX applications have so many points of hacker entry: cookies, querystring parameters, headers, and form inputs leave holes in your AJAX, and how you plug them is the measure of security for your website's usage of AJAX. Know thine enemy!

The Verdict

AJAX Security is an important read for those looking to create any level of rich AJAX application. There's a lot of flash and awe that comes with AJAX but it can also leave your website vulnerable. It's important for the user to be in awe of the application, not the developer. Hoffman and Sullivan have authored a great book for developers with little to slightly above moderate experience with AJAX, the anti-flash.

Translated from: https://davidwalsh.name/book-review-ajax-security-addison-wesley
