Computing Reviews
The browser hacker’s handbook
Alcorn W., Frichot C., Orrù M., Wiley Publishing, Indianapolis, IN, 2014. 648 pp. Type: Book (978-1-118662-09-0)
Date Reviewed: Jul 17 2014

The latest addition to the “Hacker’s Handbook” series from Wiley, this is perhaps the first book to look at exploiting the weaknesses of web browsers from the point of view of the attacker. Web browsers have become far more common, thanks to smartphones and tablets, so this book is especially timely for people working with web applications.

The book comprises ten chapters. The first chapter introduces the different aspects of the browser and the browsing experience that are susceptible to attacks. It then describes a methodology that the authors have devised to help organize any efforts in browser hacking by security teams. The remaining chapters in the book are presented based on this methodology.

The methodology has three principal steps. The first is to get control of the browser; the second is to retain this control; and the third is to take advantage of this to initiate attacks on the browser itself and possibly on remote systems as well. Accordingly, the second, third, and fourth chapters are respectively dedicated to these three steps. The remaining chapters cover different kinds of attacks, grouping them by a certain aspect of the browsing experience that is exploited (users, browsers, extensions, plug-ins, web applications, and networks).

Each chapter is rich in information and code samples that demonstrate the different techniques it covers. Just as in The web application hacker’s handbook [1], each chapter ends with a set of questions for the reader. These are based on the material just covered, and answers are provided on the companion site. A comprehensive set of references rounds off every chapter.

This is undeniably a very ambitious book both in scope and in size. As is made clear in the introduction, this book will serve as a useful reference, not only for security professionals, but also for web application developers who are interested in augmenting their understanding of web application security, especially for web browsers. The authors are clearly well informed and passionate about the subject and this passion prevents the book from being a stuffy text on the complex topic of security. Despite the introduction’s claims to the contrary, readers familiar with some aspects of networking, security, web application architecture, and programming (especially in JavaScript and Java, which dominate the code samples) will have an easier time with this book. Other readers may find the book daunting and at times inaccessible.

All three principal authors are associated with The Browser Exploitation Framework (BeEF). One is the creator of BeEF and another is the lead core developer on the project. BeEF is also the most frequently cited tool in the book (the next being Metasploit). Although a page or two is devoted to downloading and installing Metasploit, there is nothing similar for BeEF. Although screenshots offer hints about the main page for the project, where presumably one could find more information, the omission of instructions on getting set up with BeEF is puzzling.

The desire to cover a lot of ground works against the book on several occasions. Some chapters feel more crammed with information than others, and a few chapters even give you the sense that the authors are rushing to the next technique or concept without doing enough justice to the one they just introduced. Subsequent chapters also begin to feature more terms that lack explanation and demand an audience more familiar with the subject.

The chapters are written informally with occasional doses of humor and hyperbole. This tone does not work well consistently and some sections, especially in the later chapters, suffer from a tendency to sound dramatic. The later chapters also feature an increased use of successive nouns, which might work well for business writing, but does not serve a technical work of this kind well. These factors made some of these chapters hard to read.

All of this does little to diminish the value of the book as a reference for the subject. It may have fared better as a guide with an additional editorial pass to make the tone and pace more consistent. Given that security is such a hard problem and that new vulnerabilities, and techniques to exploit them, appear almost every day, it is not unreasonable to expect a second edition of this book with revised material. One hopes that the second edition will address these inconsistencies and become more useful as a guide and a reference.

Reviewer: George Thomas. Review #: CR142516 (1410-0815)
1) Stuttard, D.; Pinto, M. The web application hacker’s handbook (2nd ed.). Wiley, Indianapolis, IN, 2011.
Categories: General (D.2.0); Information Browsers (H.4.3 ...); Security and Protection (K.6.5); Social Issues (K.4.2)