XSS attacks: cross-site scripting exploits and defense
Saved in:
Format: | Book |
---|---|
Language: | English |
Published: | Burlington, Mass. : Syngress, 2007 |
Subjects: | |
Online access: | Publisher description; Table of contents |
Description: | XIV, 448 p. : ill., graphs |
ISBN: | 9781597491549 1597491543 |
Internal format
MARC
LEADER | 00000nam a2200000zc 4500 | ||
---|---|---|---|
001 | BV035540047 | ||
003 | DE-604 | ||
005 | 20090604 | ||
007 | t | ||
008 | 090527s2007 xxuad|| |||| 00||| eng d | ||
010 | |a 2007276594 | ||
020 | |a 9781597491549 |9 978-1-597-49154-9 | ||
020 | |a 1597491543 |9 1-597-49154-3 | ||
035 | |a (OCoLC)144227881 | ||
035 | |a (DE-599)BVBBV035540047 | ||
040 | |a DE-604 |b ger |e aacr | ||
041 | 0 | |a eng | |
044 | |a xxu |c US | ||
049 | |a DE-739 | ||
050 | 0 | |a TK5105.59 | |
082 | 0 | |a 005.8 |2 22 | |
084 | |a ST 276 |0 (DE-625)143642: |2 rvk | ||
245 | 1 | 0 | |a XSS attacks |b cross-site scripting exploits and defense |c Jeremiah Grossman, ... [et al.] |
246 | 1 | 3 | |a Cross site scripting attacks |
264 | 1 | |a Burlington, Mass. |b Syngress |c 2007 | |
300 | |a XIV, 448 p. |b ill., graphs | ||
336 | |b txt |2 rdacontent | ||
337 | |b n |2 rdamedia | ||
338 | |b nc |2 rdacarrier | ||
650 | 4 | |a Sites Web - Sécurité - Mesures | |
650 | 4 | |a Web - Sécurité - Mesures | |
650 | 4 | |a World Wide Web |x Security measures | |
650 | 4 | |a Web sites |x Security measures | |
700 | 1 | |a Grossman, Jeremiah |e Other |4 oth | |
856 | 4 | |u http://www.loc.gov/catdir/enhancements/fy0733/2007276594-d.html |3 Publisher description | |
856 | 4 | 2 | |m Digitization, UB Passau |q application/pdf |u http://bvbr.bib-bvb.de:8991/F?func=service&doc_library=BVB01&local_base=BVB01&doc_number=017596118&sequence=000002&line_number=0001&func_code=DB_RECORDS&service_type=MEDIA |3 Table of contents |
999 | |a oai:aleph.bib-bvb.de:BVB01-017596118 |
Record in search index
_version_ | 1804139179589763072 |
---|---|
adam_text | Contents

Chapter 1 Cross-site Scripting Fundamentals ... 1
  Introduction ... 2
  Web Application Security ... 4
  XML and AJAX Introduction ... 6
  Summary ... 11
  Solutions Fast Track ... 11
  Frequently Asked Questions ... 12

Chapter 2 The XSS Discovery Toolkit ... 15
  Introduction ... 16
  Burp ... 16
  Debugging DHTML With Firefox Extensions ... 21
    DOM Inspector ... 21
    Web Developer Firefox Extension ... 26
      Insert Edit HTML Picture ... 27
      XSS Example in Web Developer Web Site ... 28
    FireBug ... 29
  Analyzing HTTP Traffic with Firefox Extensions ... 35
    LiveHTTPHeaders ... 35
    ModifyHeaders ... 39
    TamperData ... 42
  GreaseMonkey ... 46
    GreaseMonkey Internals ... 47
    Creating and Installing User Scripts ... 50
    PostInterpreter ... 52
    XSS Assistant ... 54
    Active Exploitation with GreaseMonkey ... 55
  Hacking with Bookmarklets ... 57
  Using Technika ... 60
  Summary ... 63
  Solutions Fast Track ... 64
  Frequently Asked Questions ... 65

Chapter 3 XSS Theory ... 67
  Introduction ... 68
  Getting XSS'ed ... 68
    Non-persistent ... 69
    DOM-based ... 73
    Persistent ... 75
  DOM-based XSS In Detail ... 75
    Identifying DOM-based XSS Vulnerabilities ... 76
    Exploiting Non-persistent DOM-based XSS Vulnerabilities ... 80
    Exploiting Persistent DOM-based XSS Vulnerabilities ... 82
    Preventing DOM-based XSS Vulnerabilities ... 84
  Redirection ... 86
    Redirection Services ... 90
    Referring URLs ... 91
  CSRF ... 93
  Flash, QuickTime, PDF, Oh My ... 97
    Playing with Flash Fire ... 98
    Hidden PDF Features ... 105
    QuickTime Hacks for Fun and Profit ... 116
    Backdooring Image Files ... 121
  HTTP Response Injection ... 123
  Source vs. DHTML Reality ... 125
  Bypassing XSS Length Limitations ... 131
  XSS Filter Evasion ... 133
    When Script Gets Blocked ... 139
    Browser Peculiarities ... 150
    CSS Filter Evasion ... 152
    XML Vectors ... 154
    Attacking Obscure Filters ... 155
    Encoding Issues ... 156
  Summary ... 159
  Solutions Fast Track ... 159
  Frequently Asked Questions ... 162

Chapter 4 XSS Attack Methods ... 163
  Introduction ... 164
  History Stealing ... 164
    JavaScript/CSS API getComputedStyle ... 164
      Code for Firefox/Mozilla. May Work In Other Browsers ... 164
    Stealing Search Engine Queries ... 167
    JavaScript Console Error Login Checker ... 167
  Intranet Hacking ... 173
    Exploit Procedures ... 174
    Persistent Control ... 174
    Obtaining NAT'ed IP Addresses ... 176
    Port Scanning ... 177
    Blind Web Server Fingerprinting ... 180
    Attacking the Intranet ... 181
  XSS Defacements ... 184
  Summary ... 188
  Solutions Fast Track ... 188
  Frequently Asked Questions ... 189
  References ... 190

Chapter 5 Advanced XSS Attack Vectors ... 191
  Introduction ... 192
  DNS Pinning ... 192
    Anti-DNS Pinning ... 194
    Anti-Anti-DNS Pinning ... 196
    Anti-anti-anti-DNS Pinning AKA Circumventing Anti-anti-DNS Pinning ... 196
    Additional Applications of Anti-DNS Pinning ... 197
  IMAP3 ... 199
  MHTML ... 204
    Expect Vulnerability ... 207
  Hacking JSON ... 209
  Summary ... 216
  Frequently Asked Questions ... 217

Chapter 6 XSS Exploited ... 219
  Introduction ... 220
  XSS vs. Firefox Password Manager ... 220
    SeXXS Offenders ... 223
  Equifraked ... 228
    Finding the Bug ... 229
    Building the Exploit Code ... 230
  Owning the Cingular Xpress Mail User ... 232
    The Xpress Mail Personal Edition Solution ... 232
      Seven.com ... 234
      The Ackid (AKA Custom Session ID) ... 234
      The Inbox ... 235
      The Document Folder ... 236
      E-mail Cross-linkage ... 237
    CSRF Proof of Concepts ... 238
      Cookie Grab ... 238
      Xpressmail Snarfer ... 241
      Owning the Documents ... 248
  Alternate XSS: Outside the BoXXS ... 248
    Owning the Owner ... 249
      The SILICA and CANVAS ... 249
      Building the Scripted Share ... 250
      Owning the Owner ... 251
      Lessons Learned and Free Advertising ... 252
    Airpwned with XSS ... 252
    XSS Injection: XSSing Protected Systems ... 256
      The Decompiled Flash Method ... 256
      Application Memory Massaging — XSS via an Executable ... 261
      XSS Old School - Windows Mobile PIE 4.2 ... 262
    Cross-frame Scripting Illustrated ... 263
  XSSing Firefox Extensions ... 267
    GreaseMonkey Backdoors ... 267
    GreaseMonkey Bugs ... 270
  XSS the Backend: Snoopwned ... 275
  XSS Anonymous Script Storage - TinyURL 0day ... 277
  XSS Exploitation: Point-Click-Own with EZPhotoSales ... 285
  Summary ... 288
  Solutions Fast Track ... 288
  Frequently Asked Questions ... 291

Chapter 7 Exploit Frameworks ... 293
  Introduction ... 294
  AttackAPI ... 294
    Enumerating the Client ... 298
    Attacking Networks ... 307
    Hijacking the Browser ... 315
    Controlling Zombies ... 319
  BeEF ... 322
    Installing and Configuring BeEF ... 323
    Controlling Zombies ... 323
    BeEF Modules ... 325
    Standard Browser Exploits ... 327
    Port Scanning with BeEF ... 327
    Inter-protocol Exploitation and Communication with BeEF ... 328
  CAL9000 ... 330
    XSS Attacks, Cheat Sheets, and Checklists ... 331
    Encoder, Decoders, and Miscellaneous Tools ... 334
    HTTP Requests/Responses and Automatic Testing ... 335
  Overview of XSS-Proxy ... 338
    XSS-Proxy Hijacking Explained ... 341
      Browser Hijacking Details ... 343
      Attacker Control Interface ... 346
    Using XSS-Proxy: Examples ... 347
      Setting Up XSS-Proxy ... 347
      Injection and Initialization Vectors For XSS-Proxy ... 350
      Handoff and CSRF With Hijacks ... 352
      Sage and File:// Hijack With Malicious RSS Feed ... 354
  Summary ... 371
  Solutions Fast Track ... 371
  Frequently Asked Questions ... 372

Chapter 8 XSS Worms ... 375
  Introduction ... 376
  Exponential XSS ... 376
  XSS Warhol Worm ... 379
  Linear XSS Worm ... 380
  Samy Is My Hero ... 386
  Summary ... 391
  Solutions Fast Track ... 391
  Frequently Asked Questions ... 393

Chapter 9 Preventing XSS Attacks ... 395
  Introduction ... 396
  Filtering ... 396
  Input Encoding ... 400
  Output Encoding ... 402
  Web Browser's Security ... 402
    Browser Selection ... 403
    Add More Security To Your Web Browser ... 403
    Disabling Features ... 404
    Use a Virtual Machine ... 404
    Don't Click On Links in E-mail, Almost Ever ... 404
    Defend your Web Mail ... 404
    Beware of Overly Long URLs ... 404
    URL Shorteners ... 405
    Secret Questions and Lost Answers ... 405
  Summary ... 406
  Solutions Fast Track ... 406
  Frequently Asked Questions ... 407

Appendix A The Owned List ... 409
Index ... 439
|
any_adam_object | 1 |
building | Verbundindex |
bvnumber | BV035540047 |
callnumber-first | T - Technology |
callnumber-label | TK5105 |
callnumber-raw | TK5105.59 |
callnumber-search | TK5105.59 |
callnumber-sort | TK 45105.59 |
callnumber-subject | TK - Electrical and Nuclear Engineering |
classification_rvk | ST 276 |
ctrlnum | (OCoLC)144227881 (DE-599)BVBBV035540047 |
dewey-full | 005.8 |
dewey-hundreds | 000 - Computer science, information, general works |
dewey-ones | 005 - Computer programming, programs, data, security |
dewey-raw | 005.8 |
dewey-search | 005.8 |
dewey-sort | 15.8 |
dewey-tens | 000 - Computer science, information, general works |
discipline | Computer science |
format | Book |
id | DE-604.BV035540047 |
illustrated | Illustrated |
indexdate | 2024-07-09T21:39:58Z |
institution | BVB |
isbn | 9781597491549 1597491543 |
language | English |
lccn | 2007276594 |
oai_aleph_id | oai:aleph.bib-bvb.de:BVB01-017596118 |
oclc_num | 144227881 |
open_access_boolean | |
owner | DE-739 |
owner_facet | DE-739 |
physical | XIV, 448 p. : ill., graphs |
publishDate | 2007 |
publishDateSearch | 2007 |
publishDateSort | 2007 |
publisher | Syngress |
record_format | marc |