The Browser Hacker's Handbook

Binding: Paperback
EAN: 9781118662090
Language: English
Genre: Networks
Authors: Wade Alcorn, Christian Frichot, Michele Orru
Publisher: John Wiley & Sons Inc
Edition: 1st edition
Number of pages: 656
Publication date: 08.04.2014
ISBN: 978-1-118-66209-0

Hackers exploit browser vulnerabilities to attack deep within networks

The Browser Hacker's Handbook gives a practical understanding of hacking the everyday web browser and using it as a beachhead to launch further attacks deep into corporate networks. Written by a team of highly experienced computer security experts, the handbook provides hands-on tutorials exploring a range of current attack methods.

The web browser has become the most popular and widely used computer "program" in the world. As the gateway to the Internet, it is part of the storefront of any business that operates online, but it is also one of the most vulnerable entry points of any system. With attacks on the rise, companies are increasingly employing browser-hardening techniques to mitigate the vulnerabilities inherent in all currently used browsers. The Browser Hacker's Handbook thoroughly covers complex security issues and explores relevant topics such as:
* Bypassing the Same Origin Policy
* ARP spoofing, social engineering, and phishing to access browsers
* DNS tunneling, attacking web applications, and proxying--all from the browser
* Exploiting the browser and its ecosystem (plugins and extensions)
* Cross-origin attacks, including Inter-protocol Communication and Exploitation

The Browser Hacker's Handbook is written with a professional security engagement in mind. Leveraging browsers as pivot points into a target's network should form an integral component of any social engineering or red-team security assessment. This handbook provides a complete methodology for understanding and structuring your next browser penetration test.

About the authors
WADE ALCORN is the creator of the BeEF open source browser exploitation framework, among toolswatch.org's top 10 security tools. CHRISTIAN FRICHOT is a lead developer of BeEF, as well as a leader of the Perth Open Web Application Security Project. MICHELE ORRÙ is the lead core developer of BeEF, as well as a vulnerability researcher and social engineer.

Contents

Introduction (p. xv)

Chapter 1: Web Browser Security (p. 1)
* A Principal Principle (p. 2)
* Exploring the Browser (p. 3)
* Symbiosis with the Web Application (p. 4)
* Same Origin Policy (p. 4)
* HTTP Headers (p. 5)
* Markup Languages (p. 5)
* Cascading Style Sheets (p. 6)
* Scripting (p. 6)
* Document Object Model (p. 7)
* Rendering Engines (p. 7)
* Geolocation (p. 9)
* Web Storage (p. 9)
* Cross-origin Resource Sharing (p. 9)
* HTML5 (p. 10)
* Vulnerabilities (p. 11)
* Evolutionary Pressures (p. 12)
* HTTP Headers (p. 13)
* Reflected XSS Filtering (p. 15)
* Sandboxing (p. 15)
* Anti-phishing and Anti-malware (p. 16)
* Mixed Content (p. 17)
* Core Security Problems (p. 17)
* Attack Surface (p. 17)
* Surrendering Control (p. 20)
* TCP Protocol Control (p. 20)
* Encrypted Communication (p. 20)
* Same Origin Policy (p. 21)
* Fallacies (p. 21)
* Browser Hacking Methodology (p. 22)
* Summary (p. 28)
* Questions (p. 28)
* Notes (p. 29)

Chapter 2: Initiating Control (p. 31)
* Understanding Control Initiation (p. 32)
* Control Initiation Techniques (p. 32)
* Using Cross-site Scripting Attacks (p. 32)
* Using Compromised Web Applications (p. 46)
* Using Advertising Networks (p. 46)
* Using Social Engineering Attacks (p. 47)
* Using Man-in-the-Middle Attacks (p. 59)
* Summary (p. 72)
* Questions (p. 73)
* Notes (p. 73)

Chapter 3: Retaining Control (p. 77)
* Understanding Control Retention (p. 78)
* Exploring Communication Techniques (p. 79)
* Using XMLHttpRequest Polling (p. 80)
* Using Cross-origin Resource Sharing (p. 83)
* Using WebSocket Communication (p. 84)
* Using Messaging Communication (p. 86)
* Using DNS Tunnel Communication (p. 89)
* Exploring Persistence Techniques (p. 96)
* Using IFrames (p. 96)
* Using Browser Events (p. 98)
* Using Pop-Under Windows (p. 101)
* Using Man-in-the-Browser Attacks (p. 104)
* Evading Detection (p. 110)
* Evasion using Encoding (p. 111)
* Evasion using Obfuscation (p. 116)
* Summary (p. 125)
* Questions (p. 126)
* Notes (p. 127)

Chapter 4: Bypassing the Same Origin Policy (p. 129)
* Understanding the Same Origin Policy (p. 130)
* Understanding the SOP with the DOM (p. 130)
* Understanding the SOP with CORS (p. 131)
* Understanding the SOP with Plugins (p. 132)
* Understanding the SOP with UI Redressing (p. 133)
* Understanding the SOP with Browser History (p. 133)
* Exploring SOP Bypasses (p. 134)
* Bypassing SOP in Java (p. 134)
* Bypassing SOP in Adobe Reader (p. 140)
* Bypassing SOP in Adobe Flash (p. 141)
* Bypassing SOP in Silverlight (p. 142)
* Bypassing SOP in Internet Explorer (p. 142)
* Bypassing SOP in Safari (p. 143)
* Bypassing SOP in Firefox (p. 144)
* Bypassing SOP in Opera (p. 145)
* Bypassing SOP in Cloud Storage (p. 149)
* Bypassing SOP in CORS (p. 150)
* Exploiting SOP Bypasses (p. 151)
* Proxying Requests (p. 151)
* Exploiting UI Redressing Attacks (p. 153)
* Exploiting Browser History (p. 170)
* Summary (p. 178)
* Questions (p. 179)
* Notes (p. 179)

Chapter 5: Attacking Users (p. 183)
* Defacing Content (p. 183)
* Capturing User Input (p. 187)
* Using Focus Events (p. 188)
* Using Keyboard Events (p. 190)
* Using Mouse and Pointer Events (p. 192)
* Using Form Events (p. 195)
* Using IFrame Key Logging (p. 196)
* Social Engineering (p. 197)
* Using TabNabbing (p. 198)
* Using the Fullscreen (p. 199)
* Abusing UI Expectations (p. 204)
* Using Signed Java Applets (p. 223)
* Privacy Attacks (p. 228)
* Non-cookie Session Tracking (p. 230)
* Bypassing Anonymization (p. 231)
* Attacking Password Managers (p. 234)
* Controlling the Webcam and Microphone (p. 236)
* Summary (p. 242)
* Questions (p. 243)
* Notes (p. 243)

Chapter 6: Attacking Browsers (p. 247)
* Fingerprinting Browsers (p. 248)
* Fingerprinting using HTTP Headers (p. 249)
* Fingerprinting using DOM Properties (p. 253)
* Fingerprinting using Software Bugs (p. 258)
* Fingerprinting using Quirks (p. 259)
* Bypassing Cookie Protections (p. 260)
* Understanding the Structure (p. 261)
* Understanding Attributes (p. 263)
* Bypassing Path Attribute Restrictions (p. 265)
* Overflowing the Cookie Jar (p. 268)
* Using Cookies for Tracking (p. 270)
* Sidejacking Attacks (p. 271)
* Bypassing HTTPS (p. 272)
* Downgrading HTTPS to HTTP (p. 272)
* Attacking Certificates (p. 276)
* Attacking the SSL/TLS Layer (p. 277)
* Abusing Schemes (p. 278)
* Abusing iOS (p. 279)
* Abusing the Samsung Galaxy (p. 281)
* Attacking JavaScript (p. 283)
* Attacking Encryption in JavaScript (p. 283)
* JavaScript and Heap Exploitation (p. 286)
* Getting Shells using Metasploit (p. 293)
* Getting Started with Metasploit (p. 294)
* Choosing the Exploit (p. 295)
* Executing a Single Exploit (p. 296)
* Using Browser Autopwn (p. 300)
* Using BeEF with Metasploit (p. 302)
* Summary (p. 305)
* Questions (p. 305)
* Notes (p. 306)

Chapter 7: Attacking Extensions (p. 311)
* Understanding Extension Anatomy (p. 312)
* How Extensions Differ from Plugins (p. 312)
* How Extensions Differ from Add-ons (p. 313)
* Exploring Privileges (p. 313)
* Understanding Firefox Extensions (p. 314)
* Understanding Chrome Extensions (p. 321)
* Discussing Internet Explorer Extensions (p. 330)
* Fingerprinting Extensions (p. 331)
* Fingerprinting using HTTP Headers (p. 3…)
