XSS Book
I was wondering how long it would take for someone to make the suggestion, and a few days ago it finally happened - someone made the suggestion that I write a book on XSS. The idea would be to write a book that anyone could pick up and use as a reference to understand and combat XSS attacks. Whelp, as it turns out, I’ve been doing just that for months now. Yup, the people on the forum outed us.
Several months ago Syngress Publishing asked a few people to help contribute to a book on XSS. The contributing authors are Jeremiah Grossman, Anton Rager, Seth Fogie and yours truly. We are still several months away from completing the book, but we are well on our way. Sorry I didn’t tell you all earlier, but I was just finally allowed to start talking about it.
I’ll let you all know as the date gets closer. But if I’m not super quick on the posts and answering email, that’s part of what’s going on - too many irons in the fire these days!



January 28th, 2007 at 12:29 pm
Congratulations. If anybody ought to get to write a book on exploiting XSS, it’s you guys.
Now on the other hand, I sure hope that you guys heavily recommend output filtering rather than input checking. Notice how many posts you’ve done on MySpace alone because they can’t get the input validation right. There are a billion ways the data can come in, but only a few ways to encode it going out.
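The point this comment makes (encode on the way out, for the context you are emitting into, rather than trying to recognise every way hostile data can arrive) in working code. This is an added example, not code from the post or from any commenter; the renderer, the payloads and the helper names are constructed for illustration.

```javascript
// Added example, not code from the post or its comments: context-aware
// output encoding. One untrusted value is rendered into four output
// contexts; the template is fixed and only the encoding changes.

// HTML text nodes and quoted attribute values.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};
function encodeForHtml(s) {
  return String(s).replace(/[&<>"'\/]/g, (c) => HTML_ESCAPES[c]);
}

// Inside a JavaScript string literal: escape everything that is not
// alphanumeric, so neither a quote nor "</script>" can break out.
function encodeForJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Inside a URL query parameter.
function encodeForUrlParam(s) {
  return encodeURIComponent(String(s));
}

// The "before": the value is dropped straight into every context.
function renderProfileUnsafe(displayName) {
  return [
    `<h1>${displayName}</h1>`,
    `<input value="${displayName}">`,
    `<script>var name = "${displayName}";</script>`,
    `<a href="/search?q=${displayName}">search</a>`,
  ].join('\n');
}

// The "after": same template, each slot encoded for its own context.
function renderProfile(displayName) {
  return [
    `<h1>${encodeForHtml(displayName)}</h1>`,
    `<input value="${encodeForHtml(displayName)}">`,
    `<script>var name = "${encodeForJsString(displayName)}";</script>`,
    `<a href="/search?q=${encodeForUrlParam(displayName)}">search</a>`,
  ].join('\n');
}

// Constructed payloads: one closes an attribute and opens a script tag,
// the other ends a JS string literal and the script block.
const PAYLOAD_HTML = '"><script>alert(1)</script>';
const PAYLOAD_JS = '";alert(1);//</script>';

// The template legitimately contains exactly one <script> and one </script>
// and never the sequence "><; anything else means the encoding failed.
function rendersUnsafely(render, value) {
  const html = render(value);
  const count = (re) => (html.match(re) || []).length;
  return count(/<script>/g) !== 1 || count(/<\/script>/g) !== 1 || html.includes('"><');
}

console.log(renderProfile(PAYLOAD_HTML));
console.log('unsafe without encoding:', rendersUnsafely(renderProfileUnsafe, PAYLOAD_HTML));
console.log('unsafe with encoding:', rendersUnsafely(renderProfile, PAYLOAD_HTML));
```

Note that the JavaScript-string encoder is the one that is usually forgotten: HTML-encoding a value that lands inside `<script>` does nothing to stop `</script>` from closing the block, so each context needs its own encoder, and the value must be encoded exactly once, at the point it is written out.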
January 28th, 2007 at 12:58 pm
Nice. Well, will there be any snippets set free for us to read, or will we all have to keep sitting on the edge of our seats till the day of release? I’m really looking forward to this book; it’s a 100% sure buy.
January 28th, 2007 at 1:15 pm
Cool. Let us know when the book is out
I bet your biggest problem will be the rapid way things change in the field. Something you write today may be outdated in a couple of weeks so you’ll have to revise! I wish you patience
January 28th, 2007 at 1:39 pm
Aha! So that’s why you were saying that soon your real name would be out there.
January 28th, 2007 at 1:39 pm
…oh, and by the way, congrats on the book. Can’t wait to see it come out.
January 28th, 2007 at 1:41 pm
Hahah, yes, I thought of that - not only will my real name be released but you’ll all know my bio. Eesh!
January 28th, 2007 at 1:50 pm
Uhm… I actually like the idea of writing a book dealing with (web application) security, but why only cross-site scripting? There would be so many other aspects you could discuss in a book.
Everything one needs to know about XSS can be found right on this page or on the forums. Why reinvent the wheel?
In my opinion it would be a far better idea to write a book which gives more than an introduction to the security topic, addressed to people who already know the basic stuff.
Anyway, I’ll buy it
January 28th, 2007 at 2:21 pm
Hahaha… I think you’re right, XSS is a pretty small topic, but it’s really complicated and I think if we don’t document it properly it’s highly unlikely that anyone not knowing where to look would easily miss out on this site as a resource. A book is far more accessible. Other books in the future are too far off in the distant future for me to spend any more time thinking about. I’ve got too many side projects as it is!
January 28th, 2007 at 2:44 pm
Cool, I hope that you will publish very soon.
January 28th, 2007 at 2:52 pm
E-book or “real” book? Or both?
Anyway, good luck writing it!
January 28th, 2007 at 3:31 pm
Real physical bound book.
January 28th, 2007 at 5:51 pm
BTW: www.Zive.cz, a large Czech online magazine, has been hacked using XSS.
For details (Czech language only):
http://sysel.security-portal.cz/index.php?article=3
January 28th, 2007 at 7:32 pm
[…] So today’s write-up is short and sweet… I’m just going to take you back over to ha.ckers.org and another post that RSnake made today… For this one, I’ll just say that I think it’s a cool idea and I look forward to seeing the finished product. Now I’ll quote part of RSnake’s post: […]
January 28th, 2007 at 8:04 pm
Wow I’m looking forward to this! Just wondering, are you going to mostly cover XSS attacks? Or ways to prevent them?
January 28th, 2007 at 11:03 pm
@dusoft - can you translate that? I’d love to read it.
@spikeman - a lot of both, but primarily how the attacks work (at least the sections I’ve been working on thus far).
January 29th, 2007 at 6:08 am
Finally a way for managers to learn about XSS without having to ask IT people to let them bypass Websense
You really may want to consider a chapter in there designed for CIO management types doing risk analysis. Include examples for them to use in funding requests. Most of the people visiting here probably won’t buy the book, they know where to find the info they need online. But the less techie types that need a ‘dummies’ type book and the people doing ‘compliance’ will. Not as much fun but you have to pay the bills
But count me in, I hope to get mine autographed someday (with both your real name and online name!) Good luck.
January 29th, 2007 at 8:18 am
> But count me in, I hope to get mine autographed someday (with both your real name and online name!) Good luck.
So do I
January 29th, 2007 at 9:03 am
Well if you catch me at any con I’d definitely sign it. Who knows you might be able to sell the page with my signature on it for the approximate cost of tissue paper.
January 29th, 2007 at 9:27 am
Well, the right guys are going to write a book about XSS.
Very nice to hear that!
I will buy it immediately. Good luck!
January 29th, 2007 at 1:34 pm
Excellent! I couldn’t put together a better cast of characters to write it!
January 29th, 2007 at 1:48 pm
I’ll buy it for sure… Best of luck!
January 30th, 2007 at 6:23 am
RSnake: I can, but I don’t have time.
Basically, check the link and go through the code blocks. In short, they did it this way:
They inserted JS code into the discussions. Only IMG insertion was allowed, so they inserted an IMG with an ONERROR attribute to call JavaScript. The JavaScript then pointed to a PHP script on the hacker’s server. The script added a cookie to the visitor’s browser with the password string (the pass string has been written to the page during the login or something)… The password string contained JS that sent the login details to the hacker’s server / PHP script. So, basically, he meant to catch only editors with user/pass details.
He received all of the editors’ accounts in a few hours and thus he was able to log in to the administration of the magazine.
Hopefully it is clear; if not, then sorry.
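The first step of the chain described above, "only IMG insertion was allowed" yet an ONERROR handler got through, comes down to a filter that checks the tag name and passes the tag's attributes through untouched. Below is an added example, not the magazine's code and not the attacker's, showing that filter in its naive form next to a hardened one that rebuilds the tag from a validated `src`. The posted comment, the function names and the event-handler check are all constructed for illustration.

```javascript
// Added example, not code from the post, the magazine or the attacker:
// an "IMG tags only" filter in a naive form and a hardened form.

// Constructed forum comment: a broken image with an onerror handler.
const POSTED_COMMENT = 'Nice pic <img src="x" onerror="alert(document.cookie)"> thanks';

// Matches an opening or closing tag; group 1 is the name, group 2 the attributes.
const TAG_RE = /<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;

// Naive filter: every tag except <img ...> is stripped, and <img ...> is
// copied through verbatim. Only the tag name is checked, never its
// attributes, so the onerror handler survives and fires when src fails to load.
function naiveImgOnlyFilter(html) {
  return html.replace(TAG_RE, (tag, name) => (name.toLowerCase() === 'img' ? tag : ''));
}

function encodeForHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' })[c]);
}

// Hardened filter: nothing from the input tag is copied. Only the src value
// is extracted, it must parse as an absolute http(s) URL, and the output
// <img> is rebuilt from scratch with that single attribute, HTML-encoded.
function rebuildImg(attrs) {
  const m = /\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(attrs);
  if (!m) return '';
  const raw = m[1] ?? m[2] ?? m[3];
  let url;
  try { url = new URL(raw); } catch { return ''; }            // relative or garbage: drop
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return ''; // javascript:, data:
  return `<img src="${encodeForHtml(url.href)}">`;
}

// Text between tags is HTML-encoded as well, so a stray "<" in prose
// cannot start a tag in the output.
function allowlistImgFilter(html) {
  const re = new RegExp(TAG_RE.source, 'g'); // private copy: no shared lastIndex
  let out = '';
  let last = 0;
  let m;
  while ((m = re.exec(html)) !== null) {
    out += encodeForHtml(html.slice(last, m.index));
    last = re.lastIndex;
    if (m[1].toLowerCase() === 'img') out += rebuildImg(m[2]);
  }
  return out + encodeForHtml(html.slice(last));
}

// True if an on* event-handler attribute or a script-bearing src scheme
// survived filtering.
function hasScriptVector(html) {
  return /\son[a-z]+\s*=/i.test(html) || /\bsrc="(?:javascript|data):/i.test(html);
}

console.log('naive     :', naiveImgOnlyFilter(POSTED_COMMENT));
console.log('allowlist :', allowlistImgFilter(POSTED_COMMENT));
```

The hardened version drops the constructed comment's image entirely because `x` is not an absolute http(s) URL; a legitimate `<img src="https://example.com/a.png" onerror="...">` comes out as `<img src="https://example.com/a.png">` with the handler gone. The general rule it applies is the one that matters: an HTML allowlist has to be rebuilt from parsed, validated pieces, never copied from the input.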
February 6th, 2007 at 9:05 am
So I guess the cat is out of the bag… and so is my identity:
http://www.amazon.com/Cross-Site-Scripting-Attacks-Exploits/dp/1597491543/sr=1-1/qid=1170769149/ref=sr_1_1/104-1412087-4929535?ie=UTF8&s=books
February 6th, 2007 at 12:38 pm
Well, there’s really not much there we didn’t know, you’ve said you worked for Yahoo! (I think), you said you had contacts at eBay (which meant that you had probably worked there), and your name was on one of your papers: http://www.securityfocus.com/infocus/1368
Oh, and other than a book description I couldn’t find any details there, am I missing something, or is there no other info there?
February 6th, 2007 at 12:55 pm
I’ve never worked for Yahoo, but yes. For the people who didn’t stalk me, I’m sure it’s more of a surprise.
February 6th, 2007 at 1:10 pm
Hey RSnake, don’t worry about your identity; some people here might have known your real identity for a long time now (including me). Just visit stuff like the following:
http://portal.spidynamics.com/forums/permalink/1049/1049/ShowThread.aspx#1049
http://www.owasp.org/images/a/ad/AppSec2005DC-Jeff_Williams-OWASP_AppSec_Guide_2.0.ppt (slide 33)
http://www.blackhat.com/presentations/bh-usa-05/bh-us-05-vanderstock.pdf (page 20)
http://www.blackhat.com/html/bh-usa-01/bh-usa-01-speakers.html
http://www.secureseo.com/robot-mapping/rmpv2a.cgi (copyright and email)
And of course the information’s on the OWASP Guide 2.0.1
For me you’re still RSnake
February 6th, 2007 at 2:01 pm
Hahah… I love it. I actually hadn’t seen that SPI Dynamics forum link.
… and to think, I didn’t get YOU anything.
But a few months ago, I decided it was about time to start telling more people who I really am. Being mostly anonymous was fun, but whatever, times change.
February 7th, 2007 at 12:25 am
@RSnake:
Well, I blame that mistake on the fact that it was 6:28 AM before I headed off to school… and I’m not exactly a morning person.
February 16th, 2007 at 4:19 pm
[…] It is probably about time to announce that I am one of the authors of the XSS Book, RSnake talked about a month ago on his blog. The complete list of authors is: Seth Fogie, Jeremiah Grossman, Robert Hansen, Anton Rager and Petko Petkov (a.k.a me). […]
March 28th, 2007 at 11:06 pm
[…] Meanwhile you can keep reading about XSS in this blog. […]
April 30th, 2007 at 9:12 am
A book about XSS
Since the beginning of this year a team of five web security specialists has been working on a book about XSS. As RSnake reported back in February on his…