XSS Attacks - Cross Site Scripting Exploits and Defence

Sat, 23 Jun 2007 09:47:27 GMT
by pdp

XSS is the New Buffer Overflow, JavaScript Malware is the New Shell Code.

"XSS Attacks - Cross Site Scripting Exploits and Defence" is a book project that I was involved into, together with Jeremiah Grossman, Robert "RSnake" Hansen, Anton Rager and last but not least, Seth Forgie - technical editor and coauthor. I must say, that the project was a lot of fun mashed with hard work and numerous sleepless nights. Till the end of the project, we were more then happy to get rid of it, but then we realized that the whole experience wasn't that bad, so we agreed to get our hands dirty on other book projects after we take a deserved rest. For some of us, it is sooner then we though.

The book is composed of 9 chapters in total. We covered topics such as:

  • exploit identification and protection
  • real XSS attacks - from the simplest session hijacking to hardcore spiders, persistent AJAX holes, etc
  • controlled XSS attacks via XSS proxies and bi-directional communication channels
  • JavaScript backdoors for PDF, Flash, QuickTime, MP3, Greasemonkey Scripts, FF Extensions, HTML pages, etc
  • implementation of malicious payloads with the help from attack frameworks such as AttackAPI

"XSS Attacks - Cross Site Scripting Exploits and Defence" is highly recommended to IT security experts, web app gurus, developers, newbies and in general everyone else who wants to learn about the secrets of XSS. There are still places for improvement, although I believe that the first edition is right on track. I cannot wait for the second edition which will include everything that has happened between now and then.

If you have a proposal, question, suggestion or correction, please let me know or contact Syngress directly.