The Browser Hacker's Handbook
Wade Alcorn, Christian Frichot, Michele Orru
Format: PDF / Kindle (mobi) / ePub
Hackers exploit browser vulnerabilities to attack deep within networks
The Browser Hacker's Handbook gives a practical understanding of hacking the everyday web browser and using it as a beachhead to launch further attacks deep into corporate networks. Written by a team of highly experienced computer security experts, the handbook provides hands-on tutorials exploring a range of current attack methods.
The web browser has become the most popular and widely used computer "program" in the world. As the gateway to the Internet, it is part of the storefront to any business that operates online, but it is also one of the most vulnerable entry points of any system. With attacks on the rise, companies are increasingly employing browser-hardening techniques to protect against the unique vulnerabilities inherent in all currently used browsers. The Browser Hacker's Handbook thoroughly covers complex security issues and explores relevant topics such as:
- Bypassing the Same Origin Policy
- ARP spoofing, social engineering, and phishing to access browsers
- DNS tunneling, attacking web applications, and proxying—all from the browser
- Exploiting the browser and its ecosystem (plugins and extensions)
- Cross-origin attacks, including Inter-protocol Communication and Exploitation
The Browser Hacker's Handbook is written with a professional security engagement in mind. Leveraging browsers as pivot points into a target's network should form an integral component of any social engineering or red-team security assessment. This handbook provides a complete methodology to understand and structure your next browser penetration test.
with a button that required a user click in order to execute your attack. In this instance, your Clickjacking aim is to ensure your target’s mouse is always on top of that button. In this way, as soon as they click anywhere, the user is effectively clicking exactly where you want. Rich Lundeen and Brendan Coles created a BeEF command module implementing this very technique [31]. In this scenario you have two frames, an inner and an outer IFrame. The outer IFrame loads the target origin you want to
is particularly the case with the second technique, where the timing is “hard-coded” to 10ms. For example, if you’re playing an HD video on YouTube while your machine is extensively using CPU and IO, the accuracy of the results may decrease.

Using Browser APIs

Avant is a lesser-known browser that can swap between the Trident, Gecko and WebKit rendering engines. Roberto Suggi Liverani discovered an attack for bypassing the SOP using specific browser API calls in the Avant browser prior to 2012