[security-alerts] FW: [WEB SECURITY] JavaScript Spider (code that can traverse the web)

["Kazennov, Vladimir" <Vladimir.Kazennov@xxxxxxxxxx>]

> -----Original Message-----
> From: pdp (architect) [mailto:pdp.gnucitizen@xxxxxxxxxxxxxx] 
> Sent: Friday, October 06, 2006 1:43 PM
> To: full-disclosure@xxxxxxxxxxxxxxxxx; 
> bugtraq@xxxxxxxxxxxxxxxxx; webappsec@xxxxxxxxxxxxxxxxx; 
> websecurity@xxxxxxxxxxxxx; pen-test@xxxxxxxxxxxxxxxxx
> Subject: [WEB SECURITY] JavaScript Spider (code that can 
> traverse the web)
> 
> http://www.gnucitizen.org/projects/javascript-spider/
> 
> During the last couple of days I have been testing several attack
> vectors to circumvent the browser security sandbox also known as the
> same origin policy. There is a lot involved into this subject and I
> will present my notes very soon.
> 
> The JavaScript Spider is the first implementation of a proof of
> concept tool which shows that Javascript can be in fact quite
> dangerous. This implementation depends on proxydrop.com but other
> proxies are possible as well: Google Translate is one of them. Keep in
> mind that the tool spiders only the first level.
> 
> The tool is located here:
> http://www.gnucitizen.org/projects/javascript-spider/launch.htm
> 
> As you can see publicly available anonymizing proxies can be used to
> fetch remote pages. This technique will work quite successfully on
> Internet resources but not on Intranet. The reason for this is quite
> obvious.
> 
> Suggestions and comments are greatly appreciated.
> 
> -- 
> pdp (architect)
> http://www.gnucitizen.org
> 
> --------------------------------------------------------------
> --------------
> The Web Security Mailing List: 
> http://www.webappsec.org/lists/websecurity/
> 
> The Web Security Mailing List Archives: 
> http://www.webappsec.org/lists/websecurity/archive/
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
> 
>