XSS attacks cross-site scripting exploits and defense

Bibliographic Details
Format: Book
Language: English
Published: Burlington, Mass. Syngress 2007
Subjects:
Online Access: Publisher description
Table of Contents

MARC

LEADER 00000nam a2200000zc 4500
001 BV035540047
003 DE-604
005 20090604
007 t|
008 090527s2007 xxuad|| |||| 00||| eng d
010 |a 2007276594 
020 |a 9781597491549  |9 978-1-597-49154-9 
020 |a 1597491543  |9 1-597-49154-3 
035 |a (OCoLC)144227881 
035 |a (DE-599)BVBBV035540047 
040 |a DE-604  |b ger  |e aacr 
041 0 |a eng 
044 |a xxu  |c US 
049 |a DE-739 
050 0 |a TK5105.59 
082 0 |a 005.8  |2 22 
084 |a ST 276  |0 (DE-625)143642:  |2 rvk 
245 1 0 |a XSS attacks  |b cross-site scripting exploits and defense  |c Jeremiah Grossman, ... [et al.] 
246 1 3 |a Cross site scripting attacks 
264 1 |a Burlington, Mass.  |b Syngress  |c 2007 
300 |a XIV, 448 S.  |b Ill., graph. Darst. 
336 |b txt  |2 rdacontent 
337 |b n  |2 rdamedia 
338 |b nc  |2 rdacarrier 
650 4 |a Sites Web - Sécurité - Mesures 
650 4 |a Web - Sécurité - Mesures 
650 4 |a World Wide Web  |x Security measures 
650 4 |a Web sites  |x Security measures 
700 1 |a Grossman, Jeremiah  |e Sonstige  |4 oth 
856 4 |u http://www.loc.gov/catdir/enhancements/fy0733/2007276594-d.html  |3 Publisher description 
856 4 2 |m Digitalisierung UB Passau  |q application/pdf  |u http://bvbr.bib-bvb.de:8991/F?func=service&doc_library=BVB01&local_base=BVB01&doc_number=017596118&sequence=000002&line_number=0001&func_code=DB_RECORDS&service_type=MEDIA  |3 Inhaltsverzeichnis 
943 1 |a oai:aleph.bib-bvb.de:BVB01-017596118 

Contents

Chapter 1 Cross-site Scripting Fundamentals (p. 1)
  Introduction (p. 2)
  Web Application Security (p. 4)
  XML and AJAX Introduction (p. 6)
  Summary (p. 11)
  Solutions Fast Track (p. 11)
  Frequently Asked Questions (p. 12)

Chapter 2 The XSS Discovery Toolkit (p. 15)
  Introduction (p. 16)
  Burp (p. 16)
  Debugging DHTML With Firefox Extensions (p. 21)
  DOM Inspector (p. 21)
  Web Developer Firefox Extension (p. 26)
  Insert Edit HTML Picture (p. 27)
  XSS Example in Web Developer Web Site (p. 28)
  FireBug (p. 29)
  Analyzing HTTP Traffic with Firefox Extensions (p. 35)
  LiveHTTPHeaders (p. 35)
  ModifyHeaders (p. 39)
  TamperData (p. 42)
  GreaseMonkey (p. 46)
  GreaseMonkey Internals (p. 47)
  Creating and Installing User Scripts (p. 50)
  PostInterpreter (p. 52)
  XSS Assistant (p. 54)
  Active Exploitation with GreaseMonkey (p. 55)
  Hacking with Bookmarklets (p. 57)
  Using Technika (p. 60)
  Summary (p. 63)
  Solutions Fast Track (p. 64)
  Frequently Asked Questions (p. 65)

Chapter 3 XSS Theory (p. 67)
  Introduction (p. 68)
  Getting XSS'ed (p. 68)
  Non-persistent (p. 69)
  DOM-based (p. 73)
  Persistent (p. 75)
  DOM-based XSS In Detail (p. 75)
  Identifying DOM-based XSS Vulnerabilities (p. 76)
  Exploiting Non-persistent DOM-based XSS Vulnerabilities (p. 80)
  Exploiting Persistent DOM-based XSS Vulnerabilities (p. 82)
  Preventing DOM-based XSS Vulnerabilities (p. 84)
  Redirection (p. 86)
  Redirection Services (p. 90)
  Referring URLs (p. 91)
  CSRF (p. 93)
  Flash, QuickTime, PDF, Oh My (p. 97)
  Playing with Flash Fire (p. 98)
  Hidden PDF Features (p. 105)
  QuickTime Hacks for Fun and Profit (p. 116)
  Backdooring Image Files (p. 121)
  HTTP Response Injection (p. 123)
  Source vs. DHTML Reality (p. 125)
  Bypassing XSS Length Limitations (p. 131)
  XSS Filter Evasion (p. 133)
  When Script Gets Blocked (p. 139)
  Browser Peculiarities (p. 150)
  CSS Filter Evasion (p. 152)
  XML Vectors (p. 154)
  Attacking Obscure Filters (p. 155)
  Encoding Issues (p. 156)
  Summary (p. 159)
  Solutions Fast Track (p. 159)
  Frequently Asked Questions (p. 162)

Chapter 4 XSS Attack Methods (p. 163)
  Introduction (p. 164)
  History Stealing (p. 164)
  JavaScript/CSS API getComputedStyle (p. 164)
  Code for Firefox/Mozilla. May Work In Other Browsers (p. 164)
  Stealing Search Engine Queries (p. 167)
  JavaScript Console Error Login Checker (p. 167)
  Intranet Hacking (p. 173)
  Exploit Procedures (p. 174)
  Persistent Control (p. 174)
  Obtaining NAT'ed IP Addresses (p. 176)
  Port Scanning (p. 177)
  Blind Web Server Fingerprinting (p. 180)
  Attacking the Intranet (p. 181)
  XSS Defacements (p. 184)
  Summary (p. 188)
  Solutions Fast Track (p. 188)
  Frequently Asked Questions (p. 189)
  References (p. 190)

Chapter 5 Advanced XSS Attack Vectors (p. 191)
  Introduction (p. 192)
  DNS Pinning (p. 192)
  Anti-DNS Pinning (p. 194)
  Anti-Anti-DNS Pinning (p. 196)
  Anti-anti-anti-DNS Pinning AKA Circumventing Anti-anti-DNS Pinning (p. 196)
  Additional Applications of Anti-DNS Pinning (p. 197)
  IMAP3 (p. 199)
  MHTML (p. 204)
  Expect Vulnerability (p. 207)
  Hacking JSON (p. 209)
  Summary (p. 216)
  Frequently Asked Questions (p. 217)

Chapter 6 XSS Exploited (p. 219)
  Introduction (p. 220)
  XSS vs. Firefox Password Manager (p. 220)
  SeXXS Offenders (p. 223)
  Equifraked (p. 228)
  Finding the Bug (p. 229)
  Building the Exploit Code (p. 230)
  Owning the Cingular Xpress Mail User (p. 232)
  The Xpress Mail Personal Edition Solution (p. 232)
  Seven.com (p. 234)
  The Ackid (AKA Custom Session ID) (p. 234)
  The Inbox (p. 235)
  The Document Folder (p. 236)
  E-mail Cross-linkage (p. 237)
  CSRF Proof of Concepts (p. 238)
  Cookie Grab (p. 238)
  Xpressmail Snarfer (p. 241)
  Owning the Documents (p. 248)
  Alternate XSS: Outside the BoXXS (p. 248)
  Owning the Owner (p. 249)
  The SILICA and CANVAS (p. 249)
  Building the Scripted Share (p. 250)
  Owning the Owner (p. 251)
  Lessons Learned and Free Advertising (p. 252)
  Airpwned with XSS (p. 252)
  XSS Injection: XSSing Protected Systems (p. 256)
  The Decompiled Flash Method (p. 256)
  Application Memory Massaging: XSS via an Executable (p. 261)
  XSS Old School - Windows Mobile PIE 4.2 (p. 262)
  Cross-frame Scripting Illustrated (p. 263)
  XSSing Firefox Extensions (p. 267)
  GreaseMonkey Backdoors (p. 267)
  GreaseMonkey Bugs (p. 270)
  XSS the Backend: Snoopwned (p. 275)
  XSS Anonymous Script Storage - TinyURL 0day (p. 277)
  XSS Exploitation: Point-Click-Own with EZPhotoSales (p. 285)
  Summary (p. 288)
  Solutions Fast Track (p. 288)
  Frequently Asked Questions (p. 291)

Chapter 7 Exploit Frameworks (p. 293)
  Introduction (p. 294)
  AttackAPI (p. 294)
  Enumerating the Client (p. 298)
  Attacking Networks (p. 307)
  Hijacking the Browser (p. 315)
  Controlling Zombies (p. 319)
  BeEF (p. 322)
  Installing and Configuring BeEF (p. 323)
  Controlling Zombies (p. 323)
  BeEF Modules (p. 325)
  Standard Browser Exploits (p. 327)
  Port Scanning with BeEF (p. 327)
  Inter-protocol Exploitation and Communication with BeEF (p. 328)
  CAL9000 (p. 330)
  XSS Attacks, Cheat Sheets, and Checklists (p. 331)
  Encoder, Decoders, and Miscellaneous Tools (p. 334)
  HTTP Requests/Responses and Automatic Testing (p. 335)
  Overview of XSS-Proxy (p. 338)
  XSS-Proxy Hijacking Explained (p. 341)
  Browser Hijacking Details (p. 343)
  Attacker Control Interface (p. 346)
  Using XSS-Proxy: Examples (p. 347)
  Setting Up XSS-Proxy (p. 347)
  Injection and Initialization Vectors For XSS-Proxy (p. 350)
  Handoff and CSRF With Hijacks (p. 352)
  Sage and File:// Hijack With Malicious RSS Feed (p. 354)
  Summary (p. 371)
  Solutions Fast Track (p. 371)
  Frequently Asked Questions (p. 372)

Chapter 8 XSS Worms (p. 375)
  Introduction (p. 376)
  Exponential XSS (p. 376)
  XSS Warhol Worm (p. 379)
  Linear XSS Worm (p. 380)
  Samy Is My Hero (p. 386)
  Summary (p. 391)
  Solutions Fast Track (p. 391)
  Frequently Asked Questions (p. 393)

Chapter 9 Preventing XSS Attacks (p. 395)
  Introduction (p. 396)
  Filtering (p. 396)
  Input Encoding (p. 400)
  Output Encoding (p. 402)
  Web Browser's Security (p. 402)
  Browser Selection (p. 403)
  Add More Security To Your Web Browser (p. 403)
  Disabling Features (p. 404)
  Use a Virtual Machine (p. 404)
  Don't Click On Links in E-mail, Almost Ever (p. 404)
  Defend your Web Mail (p. 404)
  Beware of Overly Long URLs (p. 404)
  URL Shorteners (p. 405)
  Secrets Questions and Lost Answers (p. 405)
  Summary (p. 406)
  Solutions Fast Track (p. 406)
  Frequently Asked Questions (p. 407)

Appendix A The Owned List (p. 409)
Index (p. 439)