Why is he using Google Analytics for sending the XSS?

There are two options:

1) He is using Windows and is not using Burp or ZAP proxy for modifying http requests. With Windows you can't use <>"= in a filename.

2) Gmail is handling emails from Google Analytics a bit different. (I don't think so)

To get around http://en.m.wikipedia.org/wiki/Same-origin_policy

> "By using the generated report from Google Analytics I could inject script code that was executed on mail.google.com"

I bought a copy. Nice book! The format of the book seems kinda odd thought. This is a screenshot from my iPad Mini with Readmill (eBook reader): https://dl.dropboxusercontent.com/u/947269/IMG_0053.PNG

Mmm interesting... would you mind trying in landscape mode?

Also, I think the best use of the book is to read it on a PC / Laptop and copy/paste to try the examples as you go :)

But, as always, your mileage may vary!

Good idea. There might be a number of rules that can limit their communication with the routers (and even OOB)

The best way is to start from the beginning, in other words read "Smashing the stack for fun and profit". These technics doesn't work on current operating systems but gives to a great start http://insecure.org/stf/smashstack.html

Better to link directly to the source ( http://phrack.org/issues.html?issue=49&id=14#article ). Phrack Magazine is a great piece of history of the underground. Even today reading some of the articles provides good insight. After all, the essence of the computers architecture has not changed in all these years.

Bootstrap 2.0 + WordPress = #win ? Anyone knows if there is any theme out there w/ Bootstrap?

I found two, but they are not worth mentioning. They just copy the graphic elements instead of using the CSS library. For a WP framework that uses a good CSS library, see xtreme-one (it uses YAML). This match (general CSS lib + wordpress theme) is great, I agree.

Maybe add or use http://listjs.com/ ?