Tuesday, November 7th, 2006
Often when you hear discussions regarding Ajax and security, its said that the issues remain the same as they were ten years ago: don’t trust user input, don’t expose sensitive data without encryption, code for security from day one, never display system errors messages, etc. While that is all true and good, one thing I heard from the Ajax Experience that stuck with me is that “ajax increases the typical amount of attack vectors“. We are hitting the server more often, with different transports, and often talking to remote servers as well for services. This will only become a bigger issue as cross domain ajax becomes more prevalent and libraries and tools make it easier to mash things up without having to know each individual services’ API. Do the developers you work with keep up to date on writing secure code? Have you seen your ajax app exploited by cross-site scripting attacks or sql injection, or are do you consider things “safe” because you are only doing intranet work?
With that in mind, Michel Sutton’s entry on ten common security mistakes might be a good refresher. His earlier entry on SQL injection is also worth a read, particularly if you are hand-coding sql and aren’t using a database library that handles parameterized SQL statements for you (though if thats the case you might have bigger issues…)
Recently I went looking for an authoritative book on web app security for some fun-filled weekend reading, and came up with very few hits. The closest I found was How to Break Web Software and Hacking Exposed Web Applications, Second Edition. How to Break Web Software has a bunch of good reviews and looks to be a good high level coverage of many of the common attacks. Hacking Exposed is a bit newer and has less reviews, though the first edition looked to be pretty well received. That title and cover are pretty painful, though. Is there an equivalent to the K&R C Book for web app security?
There are a ton of books on server security and locking down your OS, but not much that targets web applications specifically. Any other good suggestions? Any web security blogs worth subscribing to?
Posted by Rob Sanheim at 8:00 am