web application security lab

XSS Book

I was wondering how long it would take for someone to make the suggestion, and a few days ago it finally happened - someone made the suggestion that I write a book on XSS. The idea would be to write a book that anyone could pick up and use as a reference to understand and combat XSS attacks. Whelp, as it turns out, I’ve been doing just that for months now. Yup, the people on the forum outed us.

Several months ago Syngress Publishing asked a few people to help contribute to a book on XSS. The contributing authors are Jeremiah Grossman, Anton Rager, Seth Fogie and yours truly. We are still several months away from completing the book, but we are well on our way. Sorry I didn’t tell you all earlier, but I was just finally allowed to start talking about it.

I’ll let you all know as the date gets closer. But if I’m not super quick on the posts and answering email, that’s part of what’s going on - too many irons in the fire these days!

31 Responses to “XSS Book”

  1. Sylvan von Stuppe Says:

    Congratulations. If anybody ought to get to write a book on exploiting XSS, it’s you guys.

    Now on the other hand, I sure hope that you guys heavily recommend output filtering rather than input checking. Notice how many posts you’ve done on MySpace alone because they can’t get the input validation right. There are a billion ways the data can come in, but only a few ways to encode it going out.

  2. inc - (v-wall staff) Says:

    Nice. Well, will there be any snippets set free for us to read, or will we all have to keep sitting on the edge of our seats till the day of release? I’m really looking forward to this book; it’s a 100% sure buy.

  3. Legionnaire Says:

    Cool. Let us know when the book is out :P

    I bet your biggest problem will be the rapid way things change in the field. Something you write today may be outdated in a couple of weeks so you’ll have to revise! I wish you patience :)

  4. Edward Z. Yang Says:

    Aha! So that’s why you were saying that soon your real name would be out there. :-)

  5. Edward Z. Yang Says:

    …oh, and by the way, congrats on the book. Can’t wait to see it come out.

  6. RSnake Says:

    Hahah, yes, I thought of that - not only will my real name be released but you’ll all know my bio. Eesh!

  7. Christian Matthies Says:

    Uhm… I actually like the idea of writing a book dealing with (web application) security, but why only cross site scripting? There would be so many other aspects you could discuss in a book.

    Everything one needs to know about XSS can be found right on this page or on the forums. Why reinvent the wheel?

    In my opinion it would be a far better idea to write a book which gives more than an introduction to the security topic, addressed to people who already know the basic stuff.

    Anyway, I’ll buy it ;-)

  8. RSnake Says:

    Hahaha… I think you’re right, XSS is a pretty small topic, but it’s really complicated and I think if we don’t document it properly it’s highly unlikely that anyone not knowing where to look would easily miss out on this site as a resource. A book is far more accessible. Other books in the future are too far off in the distant future for me to spend any more time thinking about. I’ve got too many side projects as it is!

  9. Ivan Says:

    Cool, I hope that you will publish very soon.

  10. Spyware Says:

    E-book or “real” book? Or both?

    Anyway, good luck writing it!

  11. RSnake Says:

    Real physical bound book. :)

  12. dusoft Says:

    BTW: www.Zive.cz, a large Czech e-magazine on the internet, has been hacked using XSS.
    For details (in Czech only):
    http://sysel.security-portal.cz/index.php?article=3

  13. .:Computer Defense:. » Today’s Tidbits. Says:

    […] So today’s write-up is short and sweet… I’m just going to take you back over to ha.ckers.org and another post that RSnake made today… For this one, I’ll just say that I think it’s a cool idea and I look forward to seeing the finished product. Now I’ll quote part of RSnake’s post: […]

  14. Spikeman Says:

    Wow I’m looking forward to this! Just wondering, are you going to mostly cover XSS attacks? Or ways to prevent them?

  15. RSnake Says:

    @dusoft - can you translate that? I’d love to read it.

    @spikeman - a lot of both, but primarily how the attacks work (at least the sections I’ve been working on thus far).

  16. John @ NIST.org Says:

    Finally a way for managers to learn about XSS without having to ask IT people to let them bypass Websense :-)

    You really may want to consider a chapter in there designed for CIO management types doing risk analysis. Include examples for them to use in funding requests. Most of the people visiting here probably won’t buy the book, they know where to find the info they need online. But the less techie types that need a ‘dummies’ type book and the people doing ‘compliance’ will. Not as much fun but you have to pay the bills ;-)

    But count me in, I hope to get mine autographed someday (with both your real name and online name!) Good luck.

  17. christ1an Says:

    > But count me in, I hope to get mine autographed someday (with both your real name and online name!) Good luck.

    So do I ;-)

  18. RSnake Says:

    Well if you catch me at any con I’d definitely sign it. Who knows you might be able to sell the page with my signature on it for the approximate cost of tissue paper. ;)

  19. Alex Says:

    Well, the right guys are going to write a book about XSS.
    Very nice to hear that!
    I will buy it immediately. Good luck!

  20. tx Says:

    Excellent! I couldn’t put together a better cast of characters to write it!

  21. Max Says:

    I’ll buy it for sure…. Best of luck!!

  22. dusoft Says:

    RSnake: I can, but don’t have time :(

    Basically, check the link and go through the code blocks. In short, they did it this way:
    They inserted JS code into the discussions. Only IMG insertion was allowed, so they inserted an IMG with an ONERROR attribute to call JavaScript. The JavaScript then pointed to a PHP script on the hacker’s server. The script added a cookie to the visitor’s browser with the password string (the pass string had been written to the page during the login or something)… The password string contained JS that sent the login details to the hacker’s server / PHP script. So, basically, he meant to catch only editors with user/pass details.

    He received all of the editors’ accounts in a few hours and thus he was able to log in to the administration of the magazine.

    Hopefully it is clear; if not, then sorry.
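The Zive.cz chain in the comment above (an IMG tag that is allowed, carrying an event-handler attribute that is not) and Sylvan’s point in the first comment (encode on the way out rather than trying to recognise every bad input) fit together in one defensive routine. The following is an added example, not code from the post, its commenters, or Zive.cz: a discussion-post filter that rebuilds each IMG from an allowlist of attributes and HTML-encodes everything else. The function names, the attribute allowlist and the sample inputs are all constructed for this illustration.

```javascript
// Added example (not from the post or its commenters): a defender's
// handling of user-supplied IMG markup in a discussion board, as in
// the Zive.cz incident described above. Two ideas from the thread:
// (1) keep only what is explicitly allowed, so an event-handler
// attribute is never copied into the output at all, and (2) encode
// on output instead of trying to catch every possible bad input.

// HTML-encode a string for use as text content or inside a
// double-quoted attribute value.
function encodeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Allowlist (constructed for this example): only these attributes
// survive. onerror, onload, style and anything else are simply dropped.
const ALLOWED_IMG_ATTRS = new Set(["src", "alt", "width", "height"]);

// A src is kept only if it is an absolute http(s) URL or a plain
// relative path; any other scheme (and scheme-relative //host) is rejected.
function isSafeSrc(value) {
  const v = value.trim();
  if (/^https?:\/\//i.test(v)) return true;
  return !/^[a-z][a-z0-9+.-]*:/i.test(v) && !v.startsWith("//");
}

// Parse the attribute part of one IMG tag into a Map of lowercase name -> value.
// Accepts name="v", name='v', name=v and bare names.
function parseAttrs(tagBody) {
  const attrs = new Map();
  const re = /([^\s=\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(tagBody)) !== null) {
    attrs.set(m[1].toLowerCase(), m[2] ?? m[3] ?? m[4] ?? "");
  }
  return attrs;
}

// Re-emit an IMG from scratch using only allowlisted attributes, each
// value output-encoded. No usable src means no tag at all.
function rebuildImg(attrs) {
  const src = attrs.get("src");
  if (src === undefined || !isSafeSrc(src)) return "";
  let tag = "<img";
  for (const name of ALLOWED_IMG_ATTRS) {
    if (attrs.has(name)) tag += ` ${name}="${encodeHtml(attrs.get(name))}"`;
  }
  return tag + ">";
}

// Sanitize a whole post: IMG tags are rebuilt, everything else is encoded
// as plain text. If an attribute value contains a raw '>', the regex stops
// early and the remainder falls through to encodeHtml, which fails safe.
function sanitizeDiscussionPost(input) {
  const tagRe = /<img\b([^>]*)>/gi;
  let out = "";
  let last = 0;
  let m;
  while ((m = tagRe.exec(input)) !== null) {
    out += encodeHtml(input.slice(last, m.index));
    out += rebuildImg(parseAttrs(m[1]));
    last = m.index + m[0].length;
  }
  return out + encodeHtml(input.slice(last));
}

// Constructed sample posts, showing what survives and what is dropped.
const SAMPLES = [
  '<img src="http://example.com/a.png" onerror="x()">',   // handler dropped
  '<IMG SRC="/pics/a.png" ALT=\'say "hi"\'>',              // case and quoting normalised
  '<img src="ftp://files.example/a.png">',                 // disallowed scheme: tag removed
  'plain text with <b>markup</b>',                         // encoded, not rendered
];
for (const s of SAMPLES) console.log(sanitizeDiscussionPost(s));
```

The point of rebuilding the tag rather than editing the submitted one is that the filter never has to enumerate dangerous attribute names; a new event handler or a differently spelled one is dropped for the same reason `onerror` is.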

  23. RSnake Says:

    So I guess the cat is out of the bag… and so is my identity:

    http://www.amazon.com/Cross-Site-Scripting-Attacks-Exploits/dp/1597491543/sr=1-1/qid=1170769149/ref=sr_1_1/104-1412087-4929535?ie=UTF8&s=books

  24. kuza55 Says:

    Well, there’s really not much there we didn’t know, you’ve said you worked for Yahoo! (I think), you said you had contacts at eBay (which meant that you had probably worked there), and your name was on one of your papers: http://www.securityfocus.com/infocus/1368

    Oh, and other than a book description I couldn’t find any details there, am I missing something, or is there no other info there?

  25. RSnake Says:

    I’ve never worked for Yahoo, but yes. For the people who didn’t stalk me, I’m sure it’s more of a surprise. ;)

  26. Sven Vetsch / Disenchant Says:

    Hey RSnake, don’t worry about your identity; some people here might have known your real identity for a long time now (including me). Just visit stuff like the following:
    http://portal.spidynamics.com/forums/permalink/1049/1049/ShowThread.aspx#1049
    http://www.owasp.org/images/a/ad/AppSec2005DC-Jeff_Williams-OWASP_AppSec_Guide_2.0.ppt (slide 33)
    http://www.blackhat.com/presentations/bh-usa-05/bh-us-05-vanderstock.pdf (page 20)
    http://www.blackhat.com/html/bh-usa-01/bh-usa-01-speakers.html
    http://www.secureseo.com/robot-mapping/rmpv2a.cgi (copyright and email)

    And of course the information is in the OWASP Guide 2.0.1

    For me you’re still RSnake :)

  27. RSnake Says:

    Hahah… I love it. I actually hadn’t seen that SPI Dynamics forum link.

    … and to think, I didn’t get YOU anything. ;)

    But a few months ago, I decided it was about time to start telling more people who I really am. Being mostly anonymous was fun, but whatever, times change.

  28. kuza55 Says:

    @RSnake:

    Well, I blame that mistake on the fact that it was 6:28 AM before I headed off to school…..And I’m not exactly a morning person, ;)

  29. GNUCITIZEN » Author of the XSS Book Says:

    […] It is probably about time to announce that I am one of the authors of the XSS Book, RSnake talked about a month ago on his blog. The complete list of authors is: Seth Fogie, Jeremiah Grossman, Robert Hansen, Anton Rager and Petko Petkov (a.k.a me). […]

  30. XSS Crash Course (Part I) at busin3ss.name » spam 2.0 Says:

    […] Meanwhile you can keep reading about XSS in this blog. […]

  31. Websecurity - Web security Says:

    A book about XSS

    Since the beginning of this year a team of five web security specialists has been working on a book about XSS. As RSnake reported back in February in his …