[Full-disclosure] Traversing the Web (the javascript way)
- To: full-disclosure@xxxxxxxxxxxxxxxxx, websecurity@xxxxxxxxxxxxx
- Subject: [Full-disclosure] Traversing the Web (the javascript way)
- From: "pdp (architect)" <pdp.gnucitizen@xxxxxxxxxxxxxx>
- Date: Tue, 10 Oct 2006 14:59:55 +0800
http://www.gnucitizen.org/blog/traversing-the-web/
The paper that explains the nature of the JavaScript SPIDER can be
found at the location above. In this article I am taking the concept of
request proxies further by showing how attackers can use them to write
JavaScript code that can bypass the same origin restriction. You might
be a bit confused about the point of this exercise. I agree that there
are quite a lot of tutorials and frameworks that go into depth on this
subject, however I am the implementation here is a bit different.
This technique together with Google AJAX Search API can be used by
JavaScript based worms to propagate outside of the current domain.
If you have any ideas of how to improve this technique or how to
prevent it from happening, don't hesitate to leave a comment.
--
pdp (architect)
http://www.gnucitizen.org
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/