Author: Gareth Heyes
Publisher: Leanpub
Year: 2024-01-25
Language: English
Format: pdf (true), mobi, epub
Size: 10.1 MB
Learn how to find interesting behaviour and flaws in JavaScript. Reading this book you will find the latest and greatest techniques for hacking JavaScript and generating XSS payloads. Includes ways to construct JavaScript using only +[]()! characters. Never heard of DOM Clobbering? This book has all the details.
Have you ever wondered how a hacker approaches finding flaws in the browser and JavaScript? This book shares the thought processes and gives you tools to find your own flaws. It shares the basics of JavaScript hacking, then dives in and explains how to construct JavaScript payloads that don't use parentheses.
Once you've got your chosen environment set up, the next step is to set a goal. If you have no goal you can end up staring at a blank page and getting nowhere. A goal makes sure you're always trying something, and it can be flexible too. For instance, one of my goals was "execute JavaScript without parentheses". If you've set a good goal it will almost certainly never end, and good ones also mutate into another goal: the goal I just mentioned mutated into "execute JavaScript functions without parentheses and pass arguments". You can see how these two goals are useful, because now you have a clear idea of what you have to do, and you can abuse JavaScript features to achieve it. In the example above the second goal is more challenging than the first, but working on the first builds the knowledge you need to achieve the more difficult one.
Fuzzing is one of the most important tools in a JavaScript hacker's toolbox. It lets you answer questions really fast and discover new things by getting the computer to report the results. Fuzzing is simply writing code that enumerates characters, code or data in order to find interesting behaviour. In binary exploitation you'd use a fuzzer to find a DoS or an exploitable crash, but when JavaScript hacking the idea is to achieve your goal by getting answers to questions. For example, I set myself a goal to understand which characters are allowed as whitespace. You might be wondering why not simply look at the specification? You should not use the specification as your only source of information when trying to discover browser behaviour, because browsers sometimes do not follow the specification. This can be because they make a mistake, or because they simply choose not to for various reasons such as backward compatibility.
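The whitespace question above, worked as an added example that is not code from the book: it enumerates the Basic Multilingual Plane, asks the engine's own parser whether each code point is skipped between two tokens, and then compares that answer with the regex engine's \s class (which ECMAScript defines as WhiteSpace plus LineTerminator), so any disagreement between parser, regex engine and specification shows up directly. It runs in Node or pasted into a browser console.

```javascript
// Added example (not from the book). Probe: `ch` sits between an identifier
// and `=`. Only if the tokenizer discards `ch` (whitespace or line terminator)
// does the body both parse AND return 1. Punctuation gives a SyntaxError; an
// identifier character is glued onto the name, so the lookup of the original
// name throws a ReferenceError. Either way the probe reports false.
function isTreatedAsWhitespace(codePoint) {
  const ch = String.fromCodePoint(codePoint);
  try {
    return new Function("var wsProbe" + ch + "=1;return wsProbe")() === 1;
  } catch (err) {
    return false;
  }
}

// Enumerate a code point range; defaults to the whole Basic Multilingual Plane.
function fuzzWhitespace(from = 0, to = 0xffff) {
  const hits = [];
  for (let cp = from; cp <= to; cp++) {
    if (isTreatedAsWhitespace(cp)) hits.push(cp);
  }
  return hits;
}

// ECMAScript defines the regex class \s as exactly WhiteSpace + LineTerminator,
// so it is a compact "what the spec says" oracle. A code point in one set but
// not the other is precisely the engine quirk the text says to hunt for.
function compareWithRegexWhitespace(from = 0, to = 0xffff) {
  const tokenizer = new Set(fuzzWhitespace(from, to));
  const regex = new Set();
  for (let cp = from; cp <= to; cp++) {
    if (/^\s$/.test(String.fromCodePoint(cp))) regex.add(cp);
  }
  return {
    tokenizerOnly: [...tokenizer].filter((cp) => !regex.has(cp)),
    regexOnly: [...regex].filter((cp) => !tokenizer.has(cp)),
  };
}

function formatCodePoint(cp) {
  return "U+" + cp.toString(16).toUpperCase().padStart(4, "0");
}

// Report the accepted code points and any parser/regex divergence.
if (typeof require !== "undefined" && require.main === module) {
  console.log(fuzzWhitespace().map(formatCodePoint).join(" "));
  console.log(compareWithRegexWhitespace());
}
```

Re-run the same block in different engines and versions and diff the printed lists; that diff, not the specification table, is the answer to the question the paragraph poses.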
Shows how you can find flaws with fuzzing and how to quickly fuzz millions of characters in seconds.
Want to hack the DOM? This book has you covered.
Read, in detail, about various browser SOP bypasses the author found.
No idea about client-side prototype pollution? This is the book for you!
Want to learn the latest & greatest XSS techniques? You need to buy this book.
Download JavaScript for hackers: Learn to think like a hacker (2024)