Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
Books on XSS
Posted by: ryduh
Date: January 24, 2007 11:59AM

Hey guys, first post here but I've been lurking here for a little while. I'm looking to find some books on XSS. I've gotta write a research paper and since XSS really interests me, I thought I'd give it a go but we need some physical sources and not just sources from the web. Any suggestions would be greatly appreciated!

Re: Books on XSS
Posted by: jungsonn
Date: January 24, 2007 12:03PM

Do you need academic papers as reference? or just plain books?

I have a Master’s Thesis on my server for download, it's a thing I currently study:

"Cross Site Scripting (XSS) Attack Prevention with Dynamic Data Tainting on the Client Side" Written by: Information Systems Institute
Distributed Systems Group Technical University of Vienna.

Actually a pretty in-depth PDF on what XSS is and how to prevent it from the client-side browser.

You can download it here: http://www.jungsonnstudios.com/blog/xss_thesis.pdf



Edited 1 time(s). Last edit at 01/24/2007 12:14PM by jungsonn.

Re: Books on XSS
Posted by: ryduh
Date: January 24, 2007 12:12PM

I guess anything would be fine. I could print out the academic papers and that should be good enough considering that XSS is semi-new and I haven't seen any books on just XSS.

---------
Patience is a waste of time.

Re: Books on XSS
Posted by: ryduh
Date: January 24, 2007 12:18PM

Awesome! Thank you very much jungsonn!

I am planning on getting
Hacking Exposed Web Applications by Joel Scambray, lucky for me it's at my university library.

---------
Patience is a waste of time.

Re: Books on XSS
Posted by: rsnake
Date: January 25, 2007 06:51PM

ryduh, before you go off and check out that book I just finished the section on XSS and not only is it thin but it's also missing a lot of stuff. They actually reference the XSS cheat sheet if you want to know more if that gives you any idea. To my knowledge there is no definitive body on XSS out there other than this website and all the collection of data in it and the brains of the people who visit it.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Books on XSS
Posted by: jungsonn
Date: January 26, 2007 05:32AM

Already plans for a book RSnake? I guess it's true, I never came across a book about it, some have a brief description but never any examples.

Re: Books on XSS
Posted by: ryduh
Date: January 26, 2007 12:11PM

Too late, I already picked it up. I think I could have written that section on XSS. I have to have a few physical resources, not just from web, so I had to squeeze some sort of citation out of that section. Luckily, my professor understands about the lack of books on XSS and will be lenient with my paper.
RSnake, you should think about writing/publishing an XSS book. I would definitely purchase it and I know many others would too.

One question/suggestion about this forum: does it have the capability to email users when a thread they have 'subscribed' to, or posted on, gets a new message? I think if that was enabled or programmed, there would be more of a community. Also, does it email when you receive a PM? Jungsonn, I sent you a PM a couple days ago.

---------
Patience is a waste of time.



Edited 1 time(s). Last edit at 01/26/2007 12:12PM by ryduh.

Re: Books on XSS
Posted by: Mephisto
Date: January 26, 2007 07:47PM

Write a book! Write a book!..."The Hackers Guide to XSS Vulnerabilities: Why you should be afraid, very afraid!"

Re: Books on XSS
Posted by: WhiteAcid
Date: January 26, 2007 08:08PM

I'm allergic to anything written to scare people unless it's a legit reason. If the book actually had that text on the cover I'd quite likely not buy the book for that reason alone. I know that is literally judging a book by its cover but... well... it'd be an educated guess as to what's inside.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: Books on XSS
Posted by: Mephisto
Date: January 26, 2007 08:19PM

Yeah, it's kind of a fatalistic title...but definitely an attention getter...

Re: Books on XSS
Posted by: ryduh
Date: January 27, 2007 08:04PM

I think the title of my paper will be:

Cross Site Scripting (XSS) Vulnerabilities
Does your website have an XSS Condom?

The professor said he was alright with it!

---------
Patience is a waste of time.

Re: Books on XSS
Posted by: rsnake
Date: January 27, 2007 09:52PM

I'm not going to comment on the specifics, but yes, a book is something that is currently on the table. When I have more to tell, trust me, you will all be the very first ones to know the details.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Books on XSS
Posted by: rsnake
Date: January 28, 2007 12:20PM

Alright, I got permission from our publisher to talk specifics after I showed them this thread. Yes, we are in fact working on a book on XSS with Syngress publishing. The contributing authors are:

Jeremiah Grossman
Anton Rager
Seth Fogie
And last but not least, yours truly.

So yes, you outed us. We have a good chunk of the book already written, but it will still be a few more months by my estimate.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Books on XSS
Posted by: kuza55
Date: January 28, 2007 04:43PM

If you're allowed to talk specifics, I have a few questions:

What skill level is the book designed for?
What audience is the book aimed at? (e.g. developers, pen testers, managers, etc?)
Any chance of seeing a working draft of the Table of Contents?

Re: Books on XSS
Posted by: rsnake
Date: January 28, 2007 05:59PM

I think the audience is mostly for people who have only a little or no experience all the way up to the more experienced pen testers who don't know much about XSS prior to picking up the book. As far as the table of contents, I'll have to get back to you on that one. The way it reads right now is being updated as we are streamlining it. But when we get the details sorted I'll post more information.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Books on XSS
Posted by: Mephisto
Date: January 29, 2007 06:34PM

How deep is the content of the book? Is it a high level discussion on what it is and what can be done and preventive measures or do you get down and dirty demonstrating attack vectors ranging from newbie to expert?

Re: Books on XSS
Posted by: rsnake
Date: January 30, 2007 12:27PM

It's meant to be very thorough, but it's also meant to be able to be read by anyone who knows at least a little HTML and web programming.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Books on XSS
Posted by: rsnake
Date: February 06, 2007 10:05AM

Sooo... yah... I guess the cat is out of the bag. Now you guys know who I am:

http://www.amazon.com/Cross-Site-Scripting-Attacks-Exploits/dp/1597491543/sr=1-1/qid=1170769149/ref=sr_1_1/104-1412087-4929535?ie=UTF8&s=books

- RSnake
Gotta love it. http://ha.ckers.org

Re: Books on XSS
Posted by: jungsonn
Date: February 06, 2007 10:29AM

Superb! OMG...544 pages! I guess I start blogging now!

Re: Books on XSS
Posted by: Kyran
Date: February 06, 2007 10:45AM

rsnake Wrote:
-------------------------------------------------------
> Sooo... yah... I guess the cat is out of the bag.
> Now you guys know who I am:

I knew already, hehe.

This is excellent. I'll have to pre-order it soon. Will it be available anywhere else?

- Kyran

Re: Books on XSS
Posted by: rsnake
Date: February 06, 2007 10:58AM

Honestly, I have no idea... I'll ask around. I'm sure it will show up in Barnes and Noble and other book stores that carry tech books.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Books on XSS
Posted by: jungsonn
Date: February 06, 2007 11:06AM

You can order it anywhere, I guess? It has an ISBN number. I don't have an Amazon account, so I just order it at my local book store; I've done it before, I just gave them the ISBN of a book. But I'm not sure it can be done for every book, though.

OK, so the blog item is up, think I'm the first? :)

Re: Books on XSS
Posted by: Kyran
Date: February 06, 2007 11:07AM

By publisher it says March 1st, is that the release day?

~

Posted on it. #2?

- Kyran



Edited 2 time(s). Last edit at 02/06/2007 11:23AM by Kyran.

Re: Books on XSS
Posted by: WhiteAcid
Date: February 06, 2007 11:13AM

Good thing it's on the .co.uk site too (though without the description). I'll place the pre-order in tonight.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: Books on XSS
Posted by: hasse
Date: February 08, 2007 10:32AM

Nice! My birthday is in March, I think I know what I want now. :)

Re: Books on XSS
Posted by: Mephisto
Date: February 10, 2007 12:19PM

Awesome! I'm pre-ordering it...

Re: Books on XSS
Posted by: rsnake
Date: April 05, 2007 05:22PM

Okay, here is the basic outline of the book. It's nearly done now, but as you might imagine with several authors it changed quite a bit, in fact, I'm not even sure if this is totally correct, but it's pretty close:

- Preface
  - What's in the book
  - Conventions
  - About the Author
  - Acknowledgments

- Chapter 1 Web Fundamentals
  - How it all began
  - Web Application Security
  - XML & AJAX

- Chapter 2 The XSS Toolkit
  - Burp
  - Debugging DHTML With Firefox Extensions
    - DOM Inspector Firefox Extension
    - WebDeveloper Firefox Extension
    - FireBug Firefox Extension
  - Debugging HTTP Traffic with Firefox Extensions
    - LiveHTTPHeaders
    - ModifyHeaders
  - GreaseMonkey
  - Technika
  - Hacking with Bookmarklets

- Chapter 3 XSS Theory
  - Persistent / HTML Injection / Non-Persistent
  - DOM-based
  - Redirection attacks
  - CSRF for the Internet
  - Flash, Quicktime, PDF, oh my
  - Response Splitting
  - XSS Hashing Injection
  - Source vs. DHTML Reality
  - Filter Evasion

- Chapter 4 XSS Attack Methods
  - History stealing
  - Intranet Hacking
  - Defacement

- Chapter 5 Advanced XSS Attack Vectors
  - DNS Pinning
  - IMAP3
  - MHTML
  - JSON

- Chapter 6 XSS Exploited
  - XSS vs. Firefox Password Manager
  - XSS Defacement
  - CSRF
  - Alternate XSS Injection
  - Owning the owners
  - Airpwned
  - Flash Decompile/Memory Debug
  - XSS XFS
  - XSS Extension Exploits
  - Backend Snoopowned
  - XSSing the Backend
  - XSS Anonymous Storaged
  - Point-Click-Own

- Chapter 7 Exploit Frameworks
  - BeEF
  - AttackAPI
  - CAL9000
  - XSS-Proxy / Zombie

- Chapter 8 Worms and Viruses
  - Intro & warhol/flash worm
  - XSS Linear Worm
  - Samy Worm

- Chapter 9 Prevention and Protection
  - Input validation
  - Output filtering
  - Web Browser's Security

- Appendix
  - The Owned List

- RSnake
Gotta love it. http://ha.ckers.org



Edited 1 time(s). Last edit at 04/05/2007 05:22PM by rsnake.

Re: Books on XSS
Posted by: hasse
Date: April 05, 2007 06:48PM

So the book's not quite done yet?

Amazon says:
Availability: Usually ships within 1 to 3 weeks.
Shipping estimate: April 12, 2007 - April 16, 2007
Delivery estimate: April 25, 2007 - May 10, 2007

Re: Books on XSS
Posted by: christ1an
Date: April 05, 2007 06:50PM

Thank you, looking forward to reading it soon.

Re: Books on XSS
Posted by: rsnake
Date: April 05, 2007 10:39PM

hasse, funny you should mention it, pdp, Jeremiah, Seth and I were putting the final touches on the last parts today, so it should be press ready in a day or two.

- RSnake
Gotta love it. http://ha.ckers.org
