RE: [WEB SECURITY] Rough Cut of To-Be-Published Ajax Security
- From: "Billy Hoffman" <Billy.Hoffman@xxxxxxxxxxxxxxx>
- Subject: RE: [WEB SECURITY] Rough Cut of To-Be-Published Ajax Security
- Date: Wed, 15 Aug 2007 12:06:21 -0400
Just to be clear: Despite Andre putting all our names in the same
sentence, Christopher Wells wrote his book by himself for O'Reilly.
Neither Bryan Sullivan nor I have had any contact with him. We've been busy
writing our own book, Ajax Security, for Addison Wesley.

In the interest of fairness, other people are working on some books in
this area as well. I know that Andrew Van Der Stock put his on hold with
all the moving and job stuff he's been up to. The iSec guys (Alex, Zane,
etc.) are putting out a Hacking Exposed Web 2.0 book sometime this fall
as well.

Hope this helps,
Billy Hoffman
--
Lead Researcher, SPI Labs
SPI Dynamics, An HP Company
http://www.spidynamics.com
Phone: 678-781-4800
Direct: 678-781-4845

Attend SPICON 2.0 - SPI Dynamics' User Conference - and earn CPE
credits.
Sign up today at http://www.spicon2007.com/.
________________________________
From: Dean H. Saxe [mailto:dean@fullfrontalnerdity.com]
Sent: Tuesday, August 14, 2007 9:27 AM
To: WASC Forum
Subject: Re: [WEB SECURITY] Rough Cut of To-Be-Published Ajax Security

Reading this thread I picked up a copy of the Securing AJAX Applications
book by Christopher Wells. Too bad it only briefly touched on anything
specific to AJAX. Honestly this was the first O'Reilly book I have ever
regretted purchasing since it has very little useful information that is
related directly to its title. If you want a high level, generic view
of web app security, this might fit the bill...

-dhs

Dean H. Saxe, CISSP, CEH
dean@fullfrontalnerdity.com
"To announce that there must be no criticism of the president, or that
we are to stand by the president right or wrong, is not only unpatriotic
and servile, but is morally treasonable to the American public."
-- Theodore Roosevelt
On Aug 11, 2007, at 11:17 PM, Billy Hoffman wrote:
Andre,
I will be putting up the slides on SPI's website very soon (we are all a
little busy with post-Black Hat stuff and the HP merger). I'll
forward the slides to you directly as well as a copy of the free
chapter.
Thanks for the interest, it's going to be an awesome book,
Billy Hoffman
--
Lead Researcher, SPI Labs
Phone: 678-781-4800
Direct: 678-781-4845
-----Original Message-----
From: andreg@gmail.com on behalf of Andre Gironda
Sent: Fri 8/10/2007 7:59 PM
To: websecurity@webappsec.org
Subject: [WEB SECURITY] Rough Cut of To-Be-Published Ajax Security
When searching for "Securing Ajax Applications", I came across this
link:
http://money.cnn.com/news/newsfeeds/articles/prnewswire/CLM00730072007-1.htm
What I was really looking for was this - http://isbn.nu/9780596529314
But after reading both, I'm convinced that Christopher Wells, Billy
Hoffman, and Bryan Sullivan really know their stuff and explain all of
the concepts rather well.
Did anyone get a free print copy of the sample chapter from "Ajax
Security" after the `Premature Ajax-ulation' talk? I'd be interested
to hear which chapter they included. I'm also having a hard time
finding the slides for that presentation. Will someone please point
me in the right direction?
Cheers,
dre
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Brought to you by http://www.webappsec.org