Contents

Introduction

Chapter 1   Web Browser Security

A Principal Principle

Exploring the Browser

Symbiosis with the Web Application

Same Origin Policy

HTTP Headers

Markup Languages

Cascading Style Sheets

Scripting

Document Object Model

Rendering Engines

Geolocation

Web Storage

Cross-origin Resource Sharing

HTML5

Vulnerabilities

Evolutionary Pressures

HTTP Headers

Reflected XSS Filtering

Sandboxing

Anti-phishing and Anti-malware

Mixed Content

Core Security Problems

Attack Surface

Surrendering Control

TCP Protocol Control

Encrypted Communication

Same Origin Policy

Fallacies

Browser Hacking Methodology

Summary

Questions

Notes

Chapter 2   Initiating Control

Understanding Control Initiation

Control Initiation Techniques

Using Cross-site Scripting Attacks

Using Compromised Web Applications

Using Advertising Networks

Using Social Engineering Attacks

Using Man-in-the-Middle Attacks

Summary

Questions

Notes

Chapter 3   Retaining Control

Understanding Control Retention

Exploring Communication Techniques

Using XMLHttpRequest Polling

Using Cross-origin Resource Sharing

Using WebSocket Communication

Using Messaging Communication

Using DNS Tunnel Communication

Exploring Persistence Techniques

Using IFrames

Using Browser Events

Using Pop-Under Windows

Using Man-in-the-Browser Attacks

Evading Detection

Evasion using Encoding

Evasion using Obfuscation

Summary

Questions

Notes

Chapter 4   Bypassing the Same Origin Policy

Understanding the Same Origin Policy

Understanding the SOP with the DOM

Understanding ...

Get The Browser Hacker's Handbook now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial