The Browser Hacker's Handbook, March 2014
Publisher: Wiley Publishing
ISBN: 978-1-118-66209-0
Published: 24 March 2014
Pages: 648
Abstract

Hackers exploit browser vulnerabilities to attack deep within networks.

The Browser Hacker's Handbook gives a practical understanding of hacking the everyday web browser and using it as a beachhead to launch further attacks deep into corporate networks. Written by a team of highly experienced computer security experts, the handbook provides hands-on tutorials exploring a range of current attack methods. The web browser has become the most popular and widely used computer "program" in the world. As the gateway to the Internet, it is part of the storefront to any business that operates online, but it is also one of the most vulnerable entry points of any system. With attacks on the rise, companies are increasingly employing browser-hardening techniques to protect the unique vulnerabilities inherent in all currently used browsers. The Browser Hacker's Handbook thoroughly covers complex security issues and explores relevant topics such as:
  • Bypassing the Same Origin Policy
  • ARP spoofing, social engineering, and phishing to access browsers
  • DNS tunneling, attacking web applications, and proxying, all from the browser
  • Exploiting the browser and its ecosystem (plugins and extensions)
  • Cross-origin attacks, including Inter-protocol Communication and Exploitation

The Browser Hacker's Handbook is written with a professional security engagement in mind. Leveraging browsers as pivot points into a target's network should form an integral component of any social engineering or red-team security assessment. This handbook provides a complete methodology to understand and structure your next browser penetration test.

Reviews

George Thomas

The latest edition in the “Hacker's Handbook” series from Wiley, this is perhaps the first book to look at exploiting the weaknesses of web browsers from the point of view of the attacker. Web browsers have become a more common sight, thanks to smartphones and tablets, so this book is especially timely for people working with web applications. The book comprises ten chapters. The first chapter introduces the different aspects of the browser and the browsing experience that are susceptible to attacks. It then describes a methodology that the authors have devised to help organize any efforts in browser hacking by security teams. The remaining chapters in the book are presented based on this methodology. The methodology has three principal steps. The first is to get control of the browser; the second is to retain this control; and the third is to take advantage of this to initiate attacks on the browser itself and possibly on remote systems as well. Accordingly, the second, third, and fourth chapters are respectively dedicated to these three steps. The remaining chapters cover different kinds of attacks, grouping them by a certain aspect of the browsing experience that is exploited (users, browsers, extensions, plug-ins, web applications, and networks). Each chapter is rich in information and code samples to demonstrate the different techniques that it covers. Just as in The Web Application Hacker's Handbook [1], each chapter ends with a set of questions for the reader. These are based on the material just covered, and answers are provided on the companion site. A comprehensive set of references rounds off every chapter. This is undeniably a very ambitious book, both in scope and in size. As is made clear in the introduction, this book will serve as a useful reference, not only for security professionals, but also for web application developers who are interested in augmenting their understanding of web application security, especially for web browsers.
The authors are clearly well informed and passionate about the subject, and this passion prevents the book from being a stuffy text on the complex topic of security. Despite the introduction's claims to the contrary, readers familiar with some aspects of networking, security, web application architecture, and programming (especially in JavaScript and Java, which dominate the code samples) will have an easier time with this book. Other readers may find the book daunting and at times inaccessible. All three principal authors are associated with The Browser Exploitation Framework (BeEF). One is the creator of BeEF and another is the lead core developer on the project. It is also the most frequently cited tool in the book (the next being Metasploit). Although a page or two is devoted to downloading and installing Metasploit, there is nothing similar for BeEF. Although screenshots offer hints about the main page for the project, where presumably one could find more information, the omission of instructions on getting set up with BeEF is puzzling. The desire to cover a lot of ground works against the book on several occasions. Some chapters feel more crammed with information than others, and a few chapters even give you the sense that the authors are rushing to the next technique or concept without doing enough justice to the one they just introduced. Subsequent chapters also begin to feature more terms that lack explanation and demand an audience more familiar with the subject. The chapters are written informally, with occasional doses of humor and hyperbole. This tone does not work well consistently, and some sections, especially in the later chapters, suffer from a tendency to sound dramatic. The later chapters also feature an increased use of successive nouns, which might work well for business writing but does not serve a technical work of this kind well. These factors made some of these chapters hard to read.
All of this does little to diminish the value of the book as a reference for the subject. It may have fared better as a guide with an additional editorial pass to make the tone and pace more consistent. Given that security is such a hard problem and that new vulnerabilities, and techniques to exploit them, appear almost every day, it is not unreasonable to expect a second edition of this book with revised material. One hopes that the second edition will address these inconsistencies and become more useful as a guide and a reference.