
Browse by Tags

All Tags » AJAX
Showing page 1 of 2 (12 total posts)
  • Ajax Security Book is published with strong buzz and reviews

    Our Ajax Security book from Addison Wesley has been published! By now I'm sure everyone is tired of me talking about the book and its merits, so let's see what some of the experts in the web security space are saying about it: Andrew van der Stock, the Executive Director of OWASP, reviewed a draft of Ajax Security and here is what he had to say ...
    Posted to The HP Security laboratory (Weblog) by Billy on December 20, 2007
  • Ajax Security more than Increased Attack Surface

    I got an email from Christ1an the other day asking me what Ajax Security was all about. I was just going to send him the table of contents to the book, but I thought it might be educational to see how the components of Ajax security relate, and where they come from. In Jeremiah's fascinating Web Application Professionals Survey less than 3% of ...
    Posted to The HP Security laboratory (Weblog) by Billy on November 7, 2007
  • Ajax Security Acceptance

    It's time again for AjaxWorld, the largest Ajax conference in the US. Bryan and I are thrilled. AjaxWorld offered us back-to-back sessions so we can do a 90+ minute workshop on how to break into Ajax applications. We will not only hit the major themes like increased attack surface, code transparency, etc., but are also demonstrating some more ...
    Posted to The HP Security laboratory (Weblog) by Billy on August 30, 2007
  • The real reason for (JavaScript|JSON) Hijacking

    When JSON hijacking was first discussed and demonstrated in 2006 and 2007 by Whitehat, Fortify and others, all of the proof of concepts used Mozilla specific JavaScript extensions like setter or __defineSetter__. This led many people to believe that these vulnerabilities only existed in Mozilla-derived browsers like Firefox because only those ...
    Posted to The HP Security laboratory (Weblog) by Billy on August 27, 2007
  • Speaking at Shmoo

    I’m really excited to be speaking at Shmoocon again and especially excited about my presentation this Saturday at 1pm. Javascript Malware for a Gray Goo Tomorrow focuses on the increased scope of damage caused by Cross-Site Scripting (XSS) vulnerabilities in the last year. The Web 2.0 revolution has been built on the back of standards ...
    Posted to The HP Security laboratory (Weblog) by Billy on March 22, 2007
  • What is Web 2.0?

    Web 2.0 may be the most ill-defined technology term to date. Everyone uses the term but I have yet to hear a decent definition of it. O'Reilly Media is credited with coining the phrase and Tim O'Reilly defines Web 2.0 as: "Web 2.0 is the business revolution in ...
    Posted to Michael Sutton's Blog (Weblog) by Erik on February 15, 2007
  • Re: Ajax Testing Question

    EW, One of our engineers, Bryan Sullivan, recently wrote an article about teaching your QA department how to test Ajax applications properly for security defects. It's a good read: http://www.devcity.net/Articles/273/1/article.aspx Enjoy! Billy Hoffman -- Lead Researcher, SPI Labs SPI Dynamics Inc. – ...
    Posted to What's on your mind? (Forum) by Billy on November 13, 2006
  • Re: Determining if a browser or a script is calling your Ajax functions

    Mark, That's an interesting plan, but I see a few sticky points. While you don't explicitly say it, you need to make sure the browser only adds that header to requests that are not made by JavaScript. The reason Ajax requests look like regular requests is because the browser actually makes both of them. The browser adds cookie data, HTTP ...
    Posted to What's on your mind? (Forum) by Billy on November 13, 2006
  • Ajax Testing Question

    I have read and heard a lot of information about the new dangers related to Ajax-enabled sites. I am really interested in methods being used by the "pros" to test Ajax-heavy sites. Request modifications must happen the same way as traditional web app testing occurs. Catch the request in a proxy, identify the changes ...
    Posted to What's on your mind? (Forum) by edw on October 18, 2006
  • Ajax Webcast Questions

    Please post any questions/comments/discussions you have with our Ajax (in)security webcast here and I'll do my best to answer them here. For those who haven't seen the WebCast yet, you can get there by going here: https://download.spidynamics.com/registration/AJAX_webcast.asp
    Posted to The HP Security laboratory (Weblog) by Billy on October 13, 2006