I’ve had the manuscript of this book for about two weeks now. I approached this review from the point of view of having had a contract to write an Ajax security book myself, with No Starch Press. I actually approached Billy to see if he wanted to help write my book at Black Hat in 2006, but I never followed through… on either the book or chasing Billy down and getting on with the job. For those who wait, are those who do. Congrats to Billy in chasing down a publisher and getting a good co-author, and most of all – getting it done! Writing books is a hell on the social life, and I can’t imagine how many all-nighters they pulled to get this out the door.
So onto my mini-review.
Is it just a re-hash of old presentations? No. The book breaks some new ground, and fills in a lot of the blanks in all of our presentations and demos. I hadn’t heard of some of these attacks in book form before. The examples improved my knowledge of DOM and other injections considerably, so there’s something there for the advanced folks as well as the newbies.
I really liked the easy, laid back writing style. Must come from the laid back Atlanta-based authors (ps. I love it there). I don’t like it when authors write as if they are better than you by using big long words. Big long words just make my head hurt. Luckily, Billy and Bryan’s text is straightforward and easy to understand. They get across the concepts in a relatively new area of our field, coining at least a few terms (cross-site flashing, for example).
The structure flows pretty well, building upon what you’ve already learnt. They bring you up a little bit at a time. That’s not to say that there’s nothing here if you’re a Jeff Williams or a Jeremiah Grossman or RSnake – there is advanced stuff, but the authors have to bring the newbie audience along for the ride. I think they do this in a way that helps the newbie more than it helps the experienced folks – but that’s fine: the experienced folks are already au fait with much of the discussed techniques.
Well, there’s not much wrong with the book. I would have preferred more real live examples rather than “cheating” with Firebug, but that’s a small quibble. If you can do it with Firebug, you code will be pwned sooner or later.
Billy and Bryan spend a bit of time repeating the old hoary “no new attacks in Ajax” meme which is big with the popular kids (mainly because their products can’t detect or scan Ajax code yet and still want money from you), and then spend the rest of the book debunking their own propaganda with a wonderful panache that beats the meme into a bloody pulp and buries it for all time. Yes, there is a lot of old stuff that has crept back in, but honestly, Ajax is *different* in some areas, and it creates new attack surface by definition. There’s nothing really wrong with saying “hey, here’s JSON injection which is new” or “hey, here’s a hybrid Ajax CSRF attack worm, and that’s new”, “hey, you’re adding 25,000 lines to run in the untrusted browser, I reckon the attack surface is going to be bigger and more easily exploited”.
The book also fails to deal with framework authors in any major way. There are so many (bad) Ajax frameworks out there right now. You can accidentally create one if you scratch some code the wrong way. In my view, web application security can only be improved by targeting the frameworks (in the hundreds) rather than targeting the huddled millions who code for a living. However, the book will only sell in the tens of thousands if you target the poor bunnies cutting code. In my view, I would have liked it if the book had covered what *frameworks* should do. Maybe this could be fixed in the second edition.
The book concentrates far too much on attacks, and not enough on building and architecting secure Ajax applications. This is typical of the usual penetration tester mindset, which gets you the hot girls and invites to the swankest parties. However, it leaves a lot to be desired from the software engineering front. We have to stop treating security like a black art – it has to move to being the very way we code, so much so that it hurts if we do it the bad old way. However, penetration testing is far sexier that software engineering, and I’m sure this will not hamper sales in any way (c.f. Hacking Exposed, etc).
If you are writing or reviewing Ajax code, you need this book. Billy and Bryan have done a stellar job in a nascent area of our field, and deserve success. Go buy this book. I can’t wait for it to come out.