Web 2.0 Security: Defending Ajax, RIA, and SOA [NOOK Book]

Overview

Service-Oriented Architecure (SOA), Rich Internet Applications (RIA), and Asynchronous Java and eXtended Markup Language (Ajax) comprise the backbone behind now-widespread Web 2.0 applications, such as MySpace, Google Maps, Flickr, and Live.com. Although these robust tools make next-generation Web applications possible, they also add new security concerns to the fi eld of Web application security. Yamanner-, Sammy-, and Spaceflash-type worms are exploiting client-side Ajax frameworks, providing new avenues of ...

See more details below
Web 2.0 Security: Defending Ajax, RIA, and SOA

Available on NOOK devices and apps  
  • NOOK Devices
  • NOOK HD/HD+ Tablet
  • NOOK
  • NOOK Color
  • NOOK Tablet
  • Tablet/Phone
  • NOOK for Windows 8 Tablet
  • NOOK for iOS
  • NOOK for Android
  • NOOK Kids for iPad
  • PC/Mac
  • NOOK for Windows 8
  • NOOK for PC
  • NOOK for Mac
  • NOOK Study
  • NOOK for Web

Want a NOOK? Explore Now

NOOK Book (eBook)
$34.99
BN.com price

Overview

Service-Oriented Architecure (SOA), Rich Internet Applications (RIA), and Asynchronous Java and eXtended Markup Language (Ajax) comprise the backbone behind now-widespread Web 2.0 applications, such as MySpace, Google Maps, Flickr, and Live.com. Although these robust tools make next-generation Web applications possible, they also add new security concerns to the fi eld of Web application security. Yamanner-, Sammy-, and Spaceflash-type worms are exploiting client-side Ajax frameworks, providing new avenues of attack, and compromising confidential information. Portals such as Google, Netflix, Yahoo, and MySpace have witnessed new vulnerabilities recently, and these vulnerabilities can be leveraged by attackers to perform phishing, cross-site scripting (XSS), and cross-site request forgery (CSRF) exploitation. Web 2.0 Security: Defending Ajax, RIA, and SOA covers the new field of Web 2.0 security. Written for security professionals and developers, the book explores Web 2.0 hacking methods and helps enhance next-generation security controls for better application security. Readers will gain knowledge in advanced footprinting and discovery techniques; Web 2.0 scanning and vulnerability detection methods; Ajax and Flash hacking methods; SOAP, REST, and XML-RPC hacking; RSS/Atom feed attacks; fuzzing and code review methodologies and tools; and tool building with Python, Ruby, and .NET. Whether you're a computer security professional, a developer, or an administrator, Web 2.0 Security: Defending Ajax, RIA, and SOA is the only book you will need to prevent new Web 2.0 security threats from harming your network and compromising your data.

Read More Show Less

Product Details

  • ISBN-13: 9781584506065
  • Publisher: Course Technology PTR
  • Publication date: 1/12/2007
  • Sold by: CENGAGE LEARNING
  • Format: eBook
  • File size: 6 MB

Meet the Author

Shreeraj Shah, B.E., MSCS, MBA, is a co-founder of Blueinfy and SecurityExposure, companies that provide application security and On Demand Scanning services. Prior to founding Blueinfy, he was founder and board member at Net Square. He also worked with Foundstone (McAfee), Chase Manhattan Bank, and IBM in information security. Shreeraj has played an instrumental role in product development, researching new methodologies, and training designs. He has performed several security consulting assignments in the area of penetration testing, code reviews, web application assessments, security architecture reviews, and managing projects (Products/Services). He is the author of Web 2.0 Security (Cengage Learning, 2007), Hacking Web Services (Thomson Learning, 2006), and Web Hacking: Attacks and Defense (Addison-Wesley, 2002). In addition, he has published several advisories, tools, and whitepapers, and has presented at numerous conferences including RSA, AusCERT, InfosecWorld (Misti), HackInTheBox, Blackhat, OSCON, Bellua, Syscan, ISACA, and OWASP. His articles are regularly published on Securityfocus, InformIT, DevX, O'reilly, and HNS. His work has been quoted on BBC, Dark Reading, and Bank Technology as an expert.

Read More Show Less

Table of Contents

SECTION 1 - WEB2.0 INTRODUCTION AND SECURITY Chapter 1 Web 2.0 Apps - Introduction and Components Chapter objectives Web 2.0 introduction and security concerns Web 2.0 application evolution and architecture - SOA, Ajax & RIA Web 2.0 application information flow Web 2.0 application - components, technologies & security Conclusion References and readings Chapter 2 Web 2.0 - Languages and Protocols Chapter objectives Web 2.0 application layers Application server side languages Application client side languages Transport protocols Information and data structures Web 2.0 toolkits and frameworks Conclusion References and readings Chapter 3 Security issues around Web 2.0 Chapter objectives Web 2.0 attack points Web 2.0 threats and its impacts Web 2.0 Vulnerabilities and threat modeling Web 2.0 analysis frameworks Web 2.0 security controls Conclusion References and readings Case Study 1 - BlueFlakes : Community portal Leveraging Web 2.0 and security SECTION 2 - WEB2.0 APPLICATION PROFILING & VULNERABILITY MAPPING Chapter 4 Footprinting & Discovering Web 2.0 resources Chapter objectives Target (host) identification Methods of application footprinting XML services footprinting Conclusion References and readings Chapter 5 Scanning and Vulnerability mapping for Web 2.0 apps Chapter objectives Crawling web application Browsing the application and collecting information - Ajax calls Identifying potential targets Data exchange analysis and stream identification Mapping resource for potential vulnerabilities Conclusion References and readings Case Study 2 - BlueBank : Profiling Banking application - SECTION 3 - WEB2.0 ATTACK VECTORS AND COUNTERMEASURE Chapter 6 Ajax security Chapter objectives Ajax security issues Ajax streams and information exchange Ajax and DOM manipulation Client side security vulnerabilities - XSS & XSRF with case Ajax end points - server side issues Countermeasure for Ajax security Conclusion References and readings Chapter 7 Rich internet application security Chapter objectives RIA security issues Flash based application and decoding Reverse engineering the flash Cross domain issues Countermeasure for RIA security Conclusion References and readings Chapter 8 SOA security - XML-RPC, REST & SOAP Chapter objectives SOA security issues Entry points analysis for XML services XML-RPC attacks REST application attacks SOAP based applications and security holes Ajax interaction with XML services and security flaws Countermeasures for XML services Conclusion References and readings Chapter 9 Browser security & Web 2.0 Exploits Chapter objectives Browser security overview Cross domain issues Client side exploitation and engines Defending and countermeasures Conclusion References and readings SECTION 4 - WEB 2.0 APPLICATION TESTING AND HARDENING Chapter 10 Web 2.0 application fuzzing and vulnerability mapping Chapter objectives Web 2.0 application fuzzing Building a tool to fuzz Fuzzing web services Fuzzing client side with streams Vulnerability detection with fuzzing Conclusion References and readings Chapter 11 Secure coding for Web 2.0 applications Chapter objectives Whitebox approach with code review Building a code review tool Secure coding with Web 2.0 Hardening Web 2.0 holes with code Conclusion References and readings Chapter 12 Hardening Web 2.0 application with configurations and content filtering Chapter objectives Deployment and configuration testing Hardening configuration Scanning tool for configuration Content filtering concept Filtering with Apache Filtering with IIS Browser filtering with javascripts Conclusion References and readings SECTION 5 - APPENDIX

Read More Show Less

Customer Reviews

Average Rating 5
( 1 )
Rating Distribution

5 Star

(1)

4 Star

(0)

3 Star

(0)

2 Star

(0)

1 Star

(0)

Your Rating:

Your Name: Create a Pen Name or

Barnes & Noble.com Review Rules

Our reader reviews allow you to share your comments on titles you liked, or didn't, with others. By submitting an online review, you are representing to Barnes & Noble.com that all information contained in your review is original and accurate in all respects, and that the submission of such content by you and the posting of such content by Barnes & Noble.com does not and will not violate the rights of any third party. Please follow the rules below to help ensure that your review can be posted.

Reviews by Our Customers Under the Age of 13

We highly value and respect everyone's opinion concerning the titles we offer. However, we cannot allow persons under the age of 13 to have accounts at BN.com or to post customer reviews. Please see our Terms of Use for more details.

What to exclude from your review:

Please do not write about reviews, commentary, or information posted on the product page. If you see any errors in the information on the product page, please send us an email.

Reviews should not contain any of the following:

  • - HTML tags, profanity, obscenities, vulgarities, or comments that defame anyone
  • - Time-sensitive information such as tour dates, signings, lectures, etc.
  • - Single-word reviews. Other people will read your review to discover why you liked or didn't like the title. Be descriptive.
  • - Comments focusing on the author or that may ruin the ending for others
  • - Phone numbers, addresses, URLs
  • - Pricing and availability information or alternative ordering information
  • - Advertisements or commercial solicitation

Reminder:

  • - By submitting a review, you grant to Barnes & Noble.com and its sublicensees the royalty-free, perpetual, irrevocable right and license to use the review in accordance with the Barnes & Noble.com Terms of Use.
  • - Barnes & Noble.com reserves the right not to post any review -- particularly those that do not follow the terms and conditions of these Rules. Barnes & Noble.com also reserves the right to remove any review at any time without notice.
  • - See Terms of Use for other conditions and disclaimers.
Search for Products You'd Like to Recommend

Recommend other products that relate to your review. Just search for them below and share!

Create a Pen Name

Your Pen Name is your unique identity on BN.com. It will appear on the reviews you write and other website activities. Your Pen Name cannot be edited, changed or deleted once submitted.

 
Your Pen Name can be any combination of alphanumeric characters (plus - and _), and must be at least two characters long.

Continue Anonymously
Sort by: Showing 1 Customer Reviews
  • Anonymous

    Posted March 8, 2008

    A reviewer

    Are you a security- professional or developer? If you are, this book is for you! Author Shreeraj Shah, has done an outstanding job of writing a great book that explores Web 2.0 hacking methods. Shah, begins by covering real life Web 2.0 applications that offer a better perspective on the overall infrastructure. Next, the author focuses on the overall Web 2.0 changes and their impact on security. Then, he discusses Web services footprinting and identifies access points for SOA as well as an understanding of application discovery and profiling to identify internal Web 2.0 resources. The author continues by discussing the XSS attack vector and its security implications for Web 2.0 applications. In addition, the author explores the security concerns growing around RSS, mashup, and widgets. He also provides an overview of SOA and the security concerns associated with it. Next, the author takes a look at ModSecurity for Apache and IhttpModule for the .NET framework, as well as some tricks with which you can identify Ajax-based requests and act upon them on the server side. Finally, he covers some interesting tools, techniques, references, and cheat sheets. This most excellent book addresses several critical aspects of Web 2.0 security/. What¿s most important though, is that this book addresses in detail both tactical attack vectors and defense strategies, while focussing on web 2.0.

    Was this review helpful? Yes  No   Report this review
Sort by: Showing 1 Customer Reviews

If you find inappropriate content, please report it to Barnes & Noble
Why is this product inappropriate?
Comments (optional)