BKXSSATK.RVW   20080308

"XSS Attacks", Jeremiah Grossman et al, 2007, 978-1-59749-154-9,
U$59.95
%A   Jeremiah Grossman
%A   Robert Hansen RSnake ha.ckers.org
%A   Petko D. Petkov gnucitizen.org
%A   Anton Rager
%A   Seth Fogie
%C   800 Hingham Street, Rockland, MA 02370
%D   2007
%G   978-1-59749-154-9 1-59749-154-3
%I   Syngress Media, Inc.
%O   U$59.95 781-681-5151 fax: 781-681-3585 www.syngress.com
%O   http://www.amazon.com/exec/obidos/ASIN/1597491543/robsladesinterne
     http://www.amazon.co.uk/exec/obidos/ASIN/1597491543/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1597491543/robsladesin03-20
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   448 p.
%T   "XSS Attacks: Cross Site Scripting Exploits and Defense"

Chapter one traces cross-site scripting (XSS) back to early iframe
security problems, David Rice's 1999 "Script Injection" paper, and
ensuing discussion; bemoans the confusion surrounding the range of
technologies and exploits linked to this term; and then seems to say
that the topic is a risk associated with JavaScript applets and
particularly the XMLHttpRequest object.  In all of this, XSS does not
get delineated in any definitive manner.

A number of utilities for probing Websites and Web interactions are
briefly described in chapter two.

Despite the title, chapter three does not provide an explanation of
"XSS Theory," but simply lists examples of XSS attack code.  There is
little explanation or analysis of the processes involved, and any
content is specific to the particular commands used, rather than XSS
concepts.  The same emphasis on code is true in chapter four (even
more so: the code sections are much longer), and in five and six as
well.  Thus, four chapters are simply one long list of code samples
and snippets, with little tutorial value other than to provide
specimens for script-kiddies to copy.

Chapter seven discusses exploit frameworks that can be used to
automate attacks and tests against the browser.

XSS attacks that can reproduce or multiply effects are examined in
chapter eight.

Protection and defence is purported to be covered in chapter nine, but
the material is terse and weak.

In relation to the page count, the content of the book has slight
value in terms of teaching what cross-site scripting attacks (as
opposed to other forms of malware) are, and how to protect against
them.

copyright Robert M. Slade, 2008