Errata
The errata list is a list of errors and their corrections that were found after the product was released.
The following errata were submitted by our customers and have not yet been approved or disproved by the author or editor. They solely represent the opinion of the customer.
Version | Location | Description | Submitted by | Date submitted |
---|---|---|---|---|
Printed | Page --, -- | For the next printing and edition, we recommend rephrasing the terms "master/slave," "blacklist/whitelist," and "black hat/white hat" to avoid an unintended negative impact on readers who find the terminology offensive. | Katherine Tozer | Jun 15, 2020 |
 | Chapter 6, first paragraph after Figure 6-2 | "Underscore and Lodash expose globals using the underscore symbol $" should read "Underscore and Lodash expose globals using the underscore symbol _" | Martin Leeuwangh | Dec 14, 2020 |
 | Chapter 4, under heading "Search Engine Caches", fourth and fifth paragraphs and caption to Figure 4-4 | `--inurl:<pattern>` should read `-inurl:<pattern>` (i.e., there should be a single, rather than double, `-`). | Martin Leeuwangh | Dec 14, 2020 |
 | Chapter 4, multiple locations | Several times in Chapter 4 the search engine "-" operator (minus, as in "exclude") is typed as "--" as if it were the prefix to a command line argument. | George Brocklehurst | Jul 09, 2021 |
 | Chapter 4, "Accidental Archives" section | The statement "a search for file:// might pull up a previously live download" is entirely false. | George Brocklehurst | Jul 09, 2021 |
 | Chapter 4, "Brute Forcing Subdomains" section | The language in this section is imprecise in ways that are misleading. | George Brocklehurst | Jul 09, 2021 |
Other Digital Version | Telephone "Phreaking," Circa 1950, 11th paragraph | "knowledge of weaknesses inherit in tone dialing systems" | Dean Ganskop | Jul 08, 2022 |
Other Digital Version | Chapter 1; Anti-Phreaking Technology, Circa 1960, 5th paragraph | "The mechanics of DTMF tones are generated are pretty simple" | Dean Ganskop | Jul 08, 2022 |
Other Digital Version | Chapter 2; Introduction to Web Application Reconnaissance, 1st paragraph | "patch them before a malicious actor find them" | Dean Ganskop | Jul 08, 2022 |
Other Digital Version | Chapter 10. Cross-Site Scripting (XSS); DOM-Based XSS, 15th paragraph | "The document.write() call will result in the execution of this hash value.... This will display the current session cookies, ..." | Dean Ganskop | Aug 14, 2022 |
Other Digital Version | Chapter 10. Cross-Site Scripting (XSS); DOM-Based XSS, 2nd paragraph | "The major difference between for DOM XSS and other forms of XSS" | Dean Ganskop | Aug 15, 2022 |
1 | Figure 3-6 | Figure 3-6 is a screenshot of a browser's JavaScript console session demonstrating the use of localStorage. | George Brocklehurst | Jul 09, 2021 |
Other Digital Version | 18. Secure Application Architecture; Secure Sockets Layer and Transport Layer Security, 4th paragraph | "TSL cannot interpolate with older versions of SSL..." | Dean Ganskop | Aug 14, 2022 |
Other Digital Version | 23. Defending Against CSRF Attacks; Anti-CRSF Coding Best Practices heading | "Anti-CRSF Coding Best Practices" heading should be "Anti-CSRF Coding Best Practices" | Dean Ganskop | Aug 31, 2022 |
Printed | Page 29, N/A | He said that web sockets permit client-client communication. I'm skeptical that web sockets can provide *direct* client-client communication, especially if there is a NAT in the way. I feel like you would normally have two browsers connected to a server, so the server is really in the middle. | JJ Behrens | Sep 24, 2022 |
Printed | Page 33-34, bottom of page 33 and top of page 34 | At the bottom of page 33 it says: "JavaScript is now used in many applications, from mobile to the internet of things, or IoT." | Luke Koziarski | Apr 08, 2021 |
Printed | Page 35, 0/10 | In the text "lacking an identifier", I think "identifier" is the wrong term. "const" is a keyword. An identifier is a variable name. | JJ Behrens | Sep 24, 2022 |
Printed | Page 90, 6/10 | It says "Underscore and Lodash expose globals using the underscore symbol $..." I do believe the symbol is `_`. | JJ Behrens | Sep 24, 2022 |
Printed | Page 101, "The bare minimum of the IM app code" | There are 2 mistakes in the way the `send` function gets the data from the HTML, resulting in the `message` variable always being an empty string and the `target` variable always being `undefined`. See the code below; I included the original code from the book along with fixes. | Luke Koziarski | Apr 11, 2021 |
Printed | Page 120, 1/10 | In order to use XHR to exfiltrate data to an attacker's server, the attacker's server needs to serve up the correct CORS headers or the browser won't allow it. | JJ Behrens | Sep 24, 2022 |
Printed | Page 123, 9/10 | It says, "A reflected XSS affects the code of the client in the browser directly without relying on a server to relay a message to be rendered with a script to be executed." | JJ Behrens | Sep 24, 2022 |
Printed | Page 126, 8/10 | It says, "Because DOM XSS never touches a server, it is nearly impossible to detect with static analysis tools or any other type of popular scanner." I'm skeptical of this statement. Static analysis tools don't care if some other part of your codebase is or is not talking to the server. My point is that whether or not your code talks to a server is orthogonal. If the static analysis tool is wary of you using a sink with some dynamic data, it doesn't matter where you got that data. | JJ Behrens | Sep 24, 2022 |
Printed | Page 128, 0/10 | Your use of document.write() in this example doesn't make sense because it'd probably write to the wrong place on the page. Hence, this code could work in theory, but I've never seen it work like this in practice. In practice, you'd use someNode.innerHTML. | JJ Behrens | Sep 24, 2022 |
Printed | Page 134, N/A | The text is skipping over the need for proper CORS headers when using an XHR to talk to a site other than the origin server. | JJ Behrens | Sep 24, 2022 |
Printed | Page 137, 5/10 | If you POST a form in order to do a CSRF attack, that doesn't require user interaction. You can use JavaScript to submit the form. | JJ Behrens | Sep 24, 2022 |
Printed | Page 142, 8/10 | The text suggests that HTML is a subset of XML. That may have been true for XHTML, but it's certainly not true with HTML5. There are several features in HTML5 that, when used, cause the content to not be valid XML. | JJ Behrens | Sep 24, 2022 |
Printed | Page 143, 6/10 | There is a call to alert() that is missing double quotes around the string. | JJ Behrens | Sep 24, 2022 |
Printed | Page 147, 9/10 | It says "An SQL string is escaped in an HTTP payload..." This needs to be reworded because it is confusing and misleading. It's not about the fact that it's escaped in an HTTP payload. I mean, the user could have just typed it into a simple form field. Rather, the user used some unexpected characters that break the SQL string that the developer was creating. For instance, the user could use: | JJ Behrens | Sep 24, 2022 |
Printed | Page 150, 8/10 | It talks about the 1=1 trick. However, let's suppose the query is: | JJ Behrens | Sep 24, 2022 |
Printed | Page 150, 9/10 | There's a query: | JJ Behrens | Sep 24, 2022 |
Printed | Page 151, 9/10 | There are many places in the book that use the term CLI in ways that I think are not appropriate. | JJ Behrens | Sep 24, 2022 |
Printed | Page 153, 3/10 | In the code `const res = await compressImage()`, you're overwriting the res variable that was originally set in `function(req, res)` on p. 152.9. This would prevent the later code, `return res.status(200)`, from executing correctly. | JJ Behrens | Sep 24, 2022 |
Printed | Page 153, 153.4 | I think you're using the wrong path to the image in the code. The image is actually in the /compressed/ directory. | JJ Behrens | Sep 24, 2022 |
Printed | Page 154, 7/10 | It says: | JJ Behrens | Sep 24, 2022 |
Printed | Page 155, 9/10 | It says, "rather than performing unintended actions against a CLI or interpreter, we are performing unintended actions against an OS." | JJ Behrens | Sep 24, 2022 |
Printed | Page 158, 6/10 | It says: | JJ Behrens | Sep 24, 2022 |
Printed | Page 195, 9/10 | "Cannot interplate" should be "cannot interoperate". | JJ Behrens | Sep 24, 2022 |
Printed | Page 197, 9/10 | You wrote "264 bits of data". I think you mean "256 bits of data". | JJ Behrens | Sep 24, 2022 |
Printed | Page 201, 3/10 | You said that "2FA eliminates remote logins to your web applications that were not initiated by the owner of the account." I'd say it helps, but it doesn't fully eliminate this problem. There's still the attack where you convince the user to log into a copycat site. The copycat site can ask for the user's password as well as 2FA and then use those to log into the real site. | JJ Behrens | Sep 24, 2022 |
Printed | Page 213, 8/10 | This stuff doesn't make sense: | JJ Behrens | Sep 24, 2022 |
Printed | Page 220, 4/10 | Just because you've switched from GET to POST doesn't mean you've alleviated CSRF. | JJ Behrens | Sep 24, 2022 |
Printed | Page 236, 7/10 | This code doesn't make sense. 'hi' is a string. But running JSON.parse('hi') would raise an exception. | JJ Behrens | Sep 24, 2022 |
Printed | Page 237, 8/10 | It says: | JJ Behrens | Sep 24, 2022 |
Printed | Page 238, 3/10 | It says: | JJ Behrens | Sep 24, 2022 |
Printed | Page 239, 9/10 | The text suggests that merely embedding a script tag in a URL will cause the script tag to execute when you load the URL. I didn't think that would work, and in fact, in my testing, it doesn't. | JJ Behrens | Sep 24, 2022 |
Printed | Page 248, 6/10 | It says: | JJ Behrens | Sep 24, 2022 |
Printed | Page 252, 6/10 | You wrote: | JJ Behrens | Sep 24, 2022 |
Printed | Page 253, 8/10 | You wrote: | JJ Behrens | Sep 24, 2022 |
Printed | Page 256, 7/10 | It says that schema validation is not supported with JSON. However, there are tools and libraries to validate JSON. See JSON Schema. | JJ Behrens | Sep 24, 2022 |
Printed | Page 257, 2/10 | It says: | JJ Behrens | Sep 24, 2022 |
Printed | Page 262, N/A | I'm skeptical of this approach to handling SQL injection. However, it's not spelled out in enough detail for me to fully know for sure. Also, the select quote thing on p. 263 doesn't make sense. | JJ Behrens | Sep 24, 2022 |
Printed | Page 277, 1/10 | There's a blob of text at the top of the page that has a bunch of arrows. I think it was supposed to be a table. However, since it lost its formatting, it no longer makes sense. | JJ Behrens | Sep 24, 2022 |
Printed | Page 278, 1/10 | It talks about running third-party integrations on separate servers. | JJ Behrens | Sep 24, 2022 |
Printed | Page 284, 0/10 | It talks about sockets when it should really talk about WebSockets. | JJ Behrens | Sep 24, 2022 |
Printed | Page 287, 5/10 | The text implies that PDF is an XML format. Although PDFs can be converted to XML, PDFs themselves are not XML. | JJ Behrens | Sep 24, 2022 |
Printed | Page 287, 8/10 | It talks about protecting against injection attacks against CLIs. | JJ Behrens | Sep 24, 2022 |
Printed | Page 287, 9/10 | The text mentions "backtracing". I think you mean "backtracking". | JJ Behrens | Sep 24, 2022 |
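The page 147 entry above makes the point that the real problem is user input containing characters that break the SQL string the developer is assembling, regardless of how that input arrived. The following Python/sqlite3 code is an added example, not code from the book or from any submitter: it runs the same input through a concatenated query and a parameterized one, using a constructed in-memory `users` table, so the difference in behaviour is visible.

```python
import sqlite3


def make_db():
    """Build a throwaway in-memory database with constructed sample rows.
    One name contains an apostrophe on purpose."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("o'brien", "obrien@example.com")],
    )
    return conn


def lookup_concatenated(conn, name):
    """Vulnerable pattern: the user-supplied value is spliced into the SQL text,
    so a quote character in the input changes the statement's structure."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name):
    """Hardened pattern: the value is bound as a parameter and is never
    interpreted as SQL, whatever characters it contains."""
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def compare(name):
    """Run both lookups on the same input and report what happened to each.
    A broken statement is reported as an error string instead of raising."""
    conn = make_db()
    try:
        concat = lookup_concatenated(conn, name)
    except sqlite3.OperationalError as exc:
        concat = "error: " + str(exc)
    param = lookup_parameterized(conn, name)
    return {"concatenated": concat, "parameterized": param}


if __name__ == "__main__":
    print(compare("alice"))    # both paths return ['alice@example.com']
    print(compare("o'brien"))  # concatenated: syntax error; parameterized: ['obrien@example.com']
```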