| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 6 Oct 2006 17:43:23 +0800 From: "pdp (architect)" <pdp.gnucitizen@...glemail.com> To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com, webappsec@...urityfocus.com, websecurity@...appsec.org, pen-test@...urityfocus.com Subject: JavaScript Spider (code that can traverse the web) http://www.gnucitizen.org/projects/javascript-spider/ During the last couple of days I have been testing several attack vectors to circumvent the browser security sandbox also known as the same origin policy. There is a lot involved into this subject and I will present my notes very soon. The JavaScript Spider is the first implementation of a proof of concept tool which shows that Javascript can be in fact quite dangerous. This implementation depends on proxydrop.com but other proxies are possible as well: Google Translate is one of them. Keep in mind that the tool spiders only the first level. The tool is located here: http://www.gnucitizen.org/projects/javascript-spider/launch.htm As you can see publicly available anonymizing proxies can be used to fetch remote pages. This technique will work quite successfully on Internet resources but not on Intranet. The reason for this is quite obvious. Suggestions and comments are greatly appreciated. -- pdp (architect) http://www.gnucitizen.org _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists