Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] FW: [WEB SECURITY] JavaScript Spider (code that can traverse the web)



> -----Original Message-----
> From: pdp (architect) [mailto:pdp.gnucitizen@xxxxxxxxxxxxxx] 
> Sent: Friday, October 06, 2006 1:43 PM
> To: full-disclosure@xxxxxxxxxxxxxxxxx; 
> bugtraq@xxxxxxxxxxxxxxxxx; webappsec@xxxxxxxxxxxxxxxxx; 
> websecurity@xxxxxxxxxxxxx; pen-test@xxxxxxxxxxxxxxxxx
> Subject: [WEB SECURITY] JavaScript Spider (code that can 
> traverse the web)
> 
> http://www.gnucitizen.org/projects/javascript-spider/
> 
> During the last couple of days I have been testing several attack
> vectors to circumvent the browser security sandbox also known as the
> same origin policy. There is a lot involved in this subject and I
> will present my notes very soon.
> 
> The JavaScript Spider is the first implementation of a proof of
> concept tool which shows that Javascript can be in fact quite
> dangerous. This implementation depends on proxydrop.com but other
> proxies are possible as well: Google Translate is one of them. Keep in
> mind that the tool spiders only the first level.
> 
> The tool is located here:
> http://www.gnucitizen.org/projects/javascript-spider/launch.htm
> 
> As you can see publicly available anonymizing proxies can be used to
> fetch remote pages. This technique will work quite successfully on
> Internet resources but not on Intranet. The reason for this is quite
> obvious.
> 
> Suggestions and comments are greatly appreciated.
> 
> -- 
> pdp (architect)
> http://www.gnucitizen.org
> 
> ----------------------------------------------------------------------------
> The Web Security Mailing List: 
> http://www.webappsec.org/lists/websecurity/
> 
> The Web Security Mailing List Archives: 
> http://www.webappsec.org/lists/websecurity/archive/
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
> 
> 
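An added example, not part of the forwarded post and not the GNUCITIZEN tool: it shows, from the defender's side, the two properties the post points out. First, "first level" spidering is just extracting the links of one fetched page without following them; second, the technique reaches Internet hosts but not the intranet because the proxy doing the fetching sits on the public Internet, and a proxy that fetches on a browser's behalf should in any case refuse loopback, private and link-local destinations. The HTML is constructed sample input, the helper names (`extractLinks`, `isPublicHost`, `planFirstLevelCrawl`) are my own, and it relies only on the WHATWG `URL` class available in Node.js and browsers, so it runs offline.

```javascript
// Added example (not from the original post or the GNUCITIZEN project).
// Constructed sample page: a mix of public, intranet and non-HTTP links.
const SAMPLE_HTML = `<html><body>
<a href="/about">About</a>
<a href="https://example.com/docs/">Docs</a>
<a href="http://192.168.1.10/admin">Router</a>
<a href="http://localhost:8080/">Local</a>
<a href="mailto:someone@example.com">Mail</a>
<a href="javascript:alert(1)">JS</a>
<a href="http://[::1]/">v6 loopback</a>
</body></html>`;

// "First level" spidering: collect the href values of <a> tags on one page,
// resolve them against the page URL, keep only http(s) and do not follow them.
function extractLinks(html, baseUrl) {
  const links = [];
  const re = /<a\s[^>]*?href\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const href = m[1] ?? m[2] ?? m[3];
    try {
      const u = new URL(href, baseUrl);
      if (u.protocol === 'http:' || u.protocol === 'https:') links.push(u.href);
    } catch (_) { /* unparsable href: skip it */ }
  }
  return links;
}

// True only for hostnames that look like public Internet hosts. A fetching
// proxy should apply this (and re-check the resolved address) before connecting.
function isPublicHost(hostname) {
  const h = hostname.replace(/^\[|\]$/g, '').toLowerCase(); // strip IPv6 brackets
  if (h === 'localhost' || h.endsWith('.localhost') || h.endsWith('.local')) return false;
  if (h.includes(':')) {                                      // IPv6 literal
    if (h === '::1' || h === '::') return false;              // loopback / unspecified
    if (/^f[cd][0-9a-f]{2}:/.test(h)) return false;           // fc00::/7 unique local
    if (/^fe[89ab][0-9a-f]:/.test(h)) return false;           // fe80::/10 link-local
    if (h.startsWith('::ffff:')) return isPublicHost(h.slice(7)); // IPv4-mapped
    return true;
  }
  const v4 = h.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
  if (v4) {
    const [a, b] = v4.slice(1, 3).map(Number);
    if (a === 10 || a === 127 || a === 0) return false;       // 10/8, 127/8, 0/8
    if (a === 172 && b >= 16 && b <= 31) return false;        // 172.16/12
    if (a === 192 && b === 168) return false;                 // 192.168/16
    if (a === 169 && b === 254) return false;                 // 169.254/16 link-local
    return true;
  }
  return true; // DNS name: a real proxy must also validate what it resolves to
}

// Split a page's first-level links into those a public proxy may fetch and
// those it must refuse (the intranet addresses the post says are out of reach).
function planFirstLevelCrawl(html, baseUrl) {
  const allowed = [], refused = [];
  for (const href of extractLinks(html, baseUrl)) {
    (isPublicHost(new URL(href).hostname) ? allowed : refused).push(href);
  }
  return { allowed, refused };
}

console.log(planFirstLevelCrawl(SAMPLE_HTML, 'https://example.com/'));
```

The IPv4 and IPv6 range checks are the minimum a fetching proxy needs; a production filter also has to resolve DNS names and apply the same test to every resulting address, otherwise a name pointing at an internal address slips through.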