Friday, February 20, 2009

Professional Excel Development or Ajax Security

Professional Excel Development: The Definitive Guide to Developing Applications Using Microsoft Excel and VBA

Author: Stephen Bullen

Finally, there's a book that treats Excel as the powerful development platform it really is, and covers every facet of developing commercial-quality Excel applications.

This is not a book for beginners. Writing for professional developers and true Excel experts, the authors share insider's knowledge they've acquired building Excel applications for many of the world's largest companies—including Microsoft. Professional Excel Development demonstrates how to get the utmost from Excel, addressing everything from application architectures through worksheet and userform design, charting, debugging, error handling and optimizing performance. Along the way, the authors offer best practices for every type of Excel development, from building add-ins through interacting with XML Web services. Coverage includes

  • Building add-ins to provide new Excel functions

  • Designing effective worksheets, userforms and other user interface elements

  • Leveraging Excel's powerful data analysis features

  • Creating sophisticated custom charts

  • Handling errors, debugging applications and optimizing performance

  • Using class modules and interfaces to create custom objects

  • Understanding Windows API calls: when to use them, and how to modify them

  • Adding worksheet functions with C-based XLLs

  • Programming with databases

  • Controlling external applications from Excel

  • Integrating with Visual Basic 6, VB.NET and Visual Studio Tools for Office

  • Using XML to import and export data and communicate with Web services

  • Providing help, securing, packaging and distributing

The accompanying CD-ROM contains the book's sample timesheet application at every stage of construction, with detailed code comments. It also includes many examples of the concepts introduced in each chapter and a collection of the authors' Excel development utilities.

Slashdot.org

Gives you the tools to build applications that are much more than automated spreadsheets. Almost any program your imagination can devise can be created using the techniques given, which is a testimony to the power of Excel. Bash Microsoft if you want, but they do sometimes come up with a winner, and Professional Excel Development allows you to take full advantage of its capabilities.

Ajax Security

Author: Billy Hoffman

The hands-on, practical primer for professionals who want to prevent Ajax-related security vulnerabilities

Ajax has the potential to revolutionize the Internet as we know it, but with this potential come equally dangerous new security threats. Ajax Security exposes the minefield of security vulnerabilities inherent in Ajax applications and provides a guide for developers to navigate through it safely and create a secure application.

Each chapter begins with a myth about Ajax security, which is then debunked. Throughout the book, you will find case studies of actual exploited Ajax vulnerabilities to illustrate key points. The authors also include specific recommendations for securing Ajax applications for each of the major Web programming languages (.NET, Java, and PHP) as well as for the popular Ruby on Rails framework.

With this book, you will learn to

  • Become familiar with security issues in the Web 2.0 world
  • Create secure mashup websites
  • Identify vulnerabilities that may have crept into your code
  • Keep new vulnerabilities out of your code

Geared towards software developers who want to create Ajax Web applications that are secure from attack, Ajax Security will also benefit QA testers and pen-testers who want to find vulnerabilities in the Ajax applications that they test.

Table of Contents:
 Preface xvii

 Preface (The Real One) xix

Chapter 1 Introduction to Ajax Security 1

 An Ajax Primer 2

  What Is Ajax? 2

  Asynchronous 3

  JavaScript 6

  XML 11

  Dynamic HTML (DHTML) 11

 The Ajax Architecture Shift 11

  Thick-Client Architecture 12

  Thin-Client Architecture 13

  Ajax: The Goldilocks of Architecture 15

  A Security Perspective: Thick-Client Applications 16

  A Security Perspective: Thin-Client Applications 17

  A Security Perspective: Ajax Applications 18

 A Perfect Storm of Vulnerabilities 19

  Increased Complexity, Transparency, and Size 19

  Sociological Issues 22

  Ajax Applications: Attractive and Strategic Targets 23

 Conclusions 24

Chapter 2 The Heist 25

 Eve 25

  Hacking HighTechVacations.net 26

  Hacking the Coupon System 26

  Attacking Client-Side Data Binding 32

  Attacking the Ajax API 36

 A Theft in the Night 42

Chapter 3 Web Attacks 45

 The Basic Attack Categories 45

  Resource Enumeration 46

  Parameter Manipulation 50

 Other Attacks 75

  Cross-Site Request Forgery (CSRF) 75

  Phishing 76

  Denial-of-Service (DoS) 77

 Protecting Web Applications from Resource Enumeration and Parameter Manipulation 77

  Secure Sockets Layer 78

 Conclusions 78

Chapter 4  Ajax Attack Surface 81

 Understanding the Attack Surface 81

 Traditional Web Application Attack Surface 83

  Form Inputs 83

  Cookies 84

  Headers 85

  Hidden Form Inputs 86

  Query Parameters 86

  Uploaded Files 89

 Traditional Web Application Attacks: A Report Card 90

 Web Service Attack Surface 92

  Web Service Methods 92

  Web Service Definitions 94

 Ajax Application Attack Surface 94

  The Origin of the Ajax Application Attack Surface 96

  Best of Both Worlds–for the Hacker 98

 Proper Input Validation 98

  The Problem with Blacklisting and Other Specific Fixes 99

  Treating the Symptoms Instead of the Disease 102

  Whitelist Input Validation 105

  Regular Expressions 109

  Additional Thoughts on Input Validation 109

 Validating Rich User Input 111

  Validating Markup Languages 111

  Validating Binary Files 113

  Validating JavaScript Source Code 114

  Validating Serialized Data 120

 The Myth of User-Supplied Content 122

 Conclusion 123

Chapter 5 Ajax Code Complexity 125

 Multiple Languages and Architectures 125

  Array Indexing 126

  String Operations 128

  Code Comments 129

  Someone Else’s Problem 130

 JavaScript Quirks 132

  Interpreted, Not Compiled 132

  Weakly Typed 133

 Asynchronicity 135

  Race Conditions 135

  Deadlocks and the Dining Philosophers Problem 139

  Client-Side Synchronization 144

 Be Careful Whose Advice You Take 144

 Conclusions 145

Chapter 6 Transparency in Ajax Applications 147

 Black Boxes Versus White Boxes 147

  Example: MyLocalWeatherForecast.com 150

  Example: MyLocalWeatherForecast.com “Ajaxified” 152

  Comparison Conclusions 156

 The Web Application as an API 156

  Data Types and Method Signatures 158

 Specific Security Mistakes 158

  Improper Authorization 159

  Overly Granular Server API 161

  Session State Stored in JavaScript 164

  Sensitive Data Revealed to Users 165

  Comments and Documentation Included in Client-Side Code 166

  Data Transformation Performed on the Client 167

 Security through Obscurity 172

  Obfuscation 173

 Conclusions 174

Chapter 7 Hijacking Ajax Applications 175

 Hijacking Ajax Frameworks 176

  Accidental Function Clobbering 176

  Function Clobbering for Fun and Profit 178

 Hijacking On-Demand Ajax 184

 Hijacking JSON APIs 190

  Hijacking Object Literals 195

  Root of JSON Hijacking 195

  Defending Against JSON Hijacking 196

 Conclusions 199

Chapter 8 Attacking Client-Side Storage 201

 Overview of Client-Side Storage Systems 201

  General Client-Side Storage Security 202

 HTTP Cookies 204

  Cookie Access Control Rules 206

  Storage Capacity of HTTP Cookies 211

  Lifetime of Cookies 215

  Additional Cookie Storage Security Notes 216

  Cookie Storage Summary 216

 Flash Local Shared Objects 218

  Flash Local Shared Objects Summary 225

 DOM Storage 226

  Session Storage 227

  Global Storage 229

  The Devilish Details of DOM Storage 231

  DOM Storage Security 233

  DOM Storage Summary 234

 Internet Explorer userData 235

  Security Summary 240

 General Client-Side Storage Attacks and Defenses 240

  Cross-Domain Attacks 241

  Cross-Directory Attacks 242

  Cross-Port Attacks 243

 Conclusions 243

Chapter 9 Offline Ajax Applications 245

 Offline Ajax Applications 245

 Google Gears 247

  Native Security Features and Shortcomings of Google Gears 248

  Exploiting WorkerPool 251

  LocalServer Data Disclosure and Poisoning 253

  Directly Accessing the Google Gears Database 257

  SQL Injection and Google Gears 258

  How Dangerous Is Client-Side SQL Injection? 262

 Dojo.Offline 264

  Keeping the Key Safe 265

  Keeping the Data Safe 266

  Good Passwords Make for Good Keys 267

 Client-Side Input Validation Becomes Relevant 268

 Other Approaches to Offline Applications 270

 Conclusions 270

Chapter 10 Request Origin Issues 273

 Robots, Spiders, Browsers, and Other Creepy Crawlers 273

  “Hello! My Name Is Firefox. I Enjoy Chunked Encoding, PDFs, and Long Walks on the Beach.” 275

 Request Origin Uncertainty and JavaScript 276

  Ajax Requests from the Web Server’s Point of View 276

  Yourself, or Someone Like You 280

  Sending HTTP Requests with JavaScript 282

  JavaScript HTTP Attacks in a Pre-Ajax World 284

  Hunting Content with XMLHttpRequest 286

  Combination XSS/XHR Attacks in Action 290

 Defenses 292

 Conclusions 294

Chapter 11 Web Mashups and Aggregators 295

 Machine-Consumable Data on the Internet 296

  Early 90s: Dawn of the Human Web 296

  Mid 90s: The Birth of the Machine Web 297

  2000s: The Machine Web Matures 298

  Publicly Available Web Services 299

 Mashups: Frankenstein on the Web 301

  ChicagoCrime.org 302

  HousingMaps.com 303

  Other Mashups 304

 Constructing Mashups 304

  Mashups and Ajax 306

 Bridges, Proxies, and Gateways–Oh My! 308

  Ajax Proxy Alternatives 309

 Attacking Ajax Proxies 310

  Et Tu, HousingMaps.com? 312

 Input Validation in Mashups 314

  Aggregate Sites 317

 Degraded Security and Trust 324

 Conclusions 327

Chapter 12 Attacking the Presentation Layer 329

 A Pinch of Presentation Makes the Content Go Down 329

 Attacking the Presentation Layer 333

 Data Mining Cascading Style Sheets 334

 Look and Feel Hacks 337

  Advanced Look and Feel Hacks 341

 Embedded Program Logic 345

 Cascading Style Sheets Vectors 347

  Modifying the Browser Cache 348

 Preventing Presentation Layer Attacks 352

 Conclusion 353

Chapter 13 JavaScript Worms 355

 Overview of JavaScript Worms 355

  Traditional Computer Viruses 356

 JavaScript Worms 359

  JavaScript Worm Construction 361

  JavaScript Limitations 363

  Propagating JavaScript Worms 364

  JavaScript Worm Payloads 364

  Putting It All Together 372

 Case Study: Samy Worm 373

  How It Worked 374

  The Virus’ Payload 377

  Conclusions About the Samy Worm 379

 Case Study: Yamanner Worm (JS/Yamanner-A) 380

  How It Worked 380

  The Virus’ Payload 383

  Conclusions About the Yamanner Worm 384

 Lessons Learned from Real JavaScript Worms 387

 Conclusions 389

Chapter 14 Testing Ajax Applications 391

 Black Magic 391

 Not Everyone Uses a Web Browser to Browse the Web 396

  Catch-22 398

 Security Testing Tools–or Why Real Life Is Not Like Hollywood 399

  Site Cataloging 400

  Vulnerability Detection 401

  Analysis Tool: Sprajax 403

  Analysis Tool: Paros Proxy 406

  Analysis Tool: LAPSE (Lightweight Analysis for Program Security in Eclipse) 408

  Analysis Tool: WebInspect™ 409

 Additional Thoughts on Security Testing 411

Chapter 15 Analysis of Ajax Frameworks 413

 ASP.NET 413

  ASP.NET AJAX (formerly Atlas) 414

  ScriptService 417

  Security Showdown: UpdatePanel Versus ScriptService 419

  ASP.NET AJAX and WSDL 420

  ValidateRequest 424

  ViewStateUserKey 425

  ASP.NET Configuration and Debugging 426

 PHP 427

  Sajax 427

  Sajax and Cross-Site Request Forgery 430

 Java EE 431

  Direct Web Remoting (DWR) 432

 JavaScript Frameworks 434

  A Warning About Client-Side Code 435

  Prototype 435

 Conclusions 437

Appendix A Samy Source Code 439

Appendix B Source Code for Yamanner Worm 447

Index 453