
| Subject: | [Full-disclosure] JavaScript Spider (code that can traverse the web) |
|---|---|
| Date: | Fri, 6 Oct 2006 17:43:23 +0800 |

http://www.gnucitizen.org/projects/javascript-spider/

During the last couple of days I have been testing several attack vectors to circumvent the browser security sandbox, also known as the same origin policy. There is a lot involved in this subject and I will present my notes very soon.

The JavaScript Spider is the first implementation of a proof of concept tool which shows that JavaScript can be in fact quite dangerous. This implementation depends on proxydrop.com but other proxies are possible as well: Google Translate is one of them. Keep in mind that the tool spiders only the first level.

The tool is located here:
http://www.gnucitizen.org/projects/javascript-spider/launch.htm

As you can see, publicly available anonymizing proxies can be used to fetch remote pages. This technique will work quite successfully on Internet resources but not on Intranet. The reason for this is quite obvious.

Suggestions and comments are greatly appreciated.

--
pdp (architect)
http://www.gnucitizen.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/