However, this attack remains one of my favorites against hotspots. It’s easy, passive and works like a charm.

As long as Robert doesn’t claim is new or WEB 2.0 related, I don’t see a problem with this research.

My wife was amazed when I tested this against her gmail account. This means that although most people in the security community know about this attack, most average users don’t. And remember, there is NO idle session time out on Gmail. And who clicks on logout? Only geeks do :D

Anyway, I see what you are saying. I completely agree with you that the JavaScript spider was rehashed version of Jikto and yes Jikto is pretty much the proxy POC I published last year but this is not what my talk and the work on GNUCITIZEN is all about. It is about agents. It is about autonomous robots that live on the surface of the web.

Let’s face it, what’s the point of discovering vulnerabilities on the fly? I mean what’s the point of having XSS scanner written in JavaScript? It makes no difference at all. It is slow, sloppy and highly ineffective. So why?

Let’s forget about it. If you combine several key components of the so called Web2.0 we can really come up with something nasty and something probably worth our attention. This thing will be based primary on services which we cannot easily shutdown and will have recovery processes to ensure preservation. And the POCs (the JavaScript spider and XSS scanner) are just demonstration of certain features that possibly will be included to one degree or another. What if I tell you that JavaScript can receive as well send emails. It starts to get interesting, right? What if the attacker have several agents spread across the web which he/she can control via distributed broadcast messages. Now we completely change the game. Where is the head of the worm? There isn’t any. How do I stop this? You can’t!

I hope that with my next presentation it will get a lot clearer what I mean. I am sure that I can convince you in what I believe and show you the value of the research if we talk in person. However, the truth is that we have to deal with virtual boundaries and it is completely my fault for not having the message out as clear as possible today.

Your JavaScript Spider is just another take on Jikto which was just another take on your own earlier research. Any service which will “launder” http requests for you enables partial violation of same origin. Big deal. The fact that new services (pipes, etc) are now out there that make it easier isn’t anything new – much like sniffing cookies over wifi isn’t new. So while I agree that perhaps “Web2.0″ is a misnomer for Graham’s work, you have also been rehashing the same old thing for quite some time.

Yahoo Pipes will now send a post for you! So, who really cares? Anyone can create a similar service with a very cheap webhost account. You could probably do it with netcat and bash. It does not equate to “MAGE POWERFUL”.

Web 8.0 Mashup Hacking with Yahoo Tubes. WTF?

well, yes. Yahoo Pipes is a Web2.0 technology so I don’t see any problems with using Web2.0 terminology. Moreover, the pipes interface proves one thing: I can spider Web Applications in search for vulnerabilities circumventing to an extend the same origin policies. That wasn’t possible before. There is more to that but you will hear about it soon. So yes, it is new and yes it is Web2.0. So, what exactly is your point, Galeazzi?

The technical stuff are still on the blog but I have to agree with you that there was sort of a dry period lately. The reason for this is mainly because I was involved into two huge projects, the XSS Book and the Google Hacking for Penteasters vol2 book. However, there is a lot in the background going on that you cannot see. :) So, stay tuned.

It just goes to show that this industry is like any other, give it 10 years and the topic will come back into fashion, like flared pants :)

In any case, you (and just about anyone else who’s blogged about Graham’s presentation) are completely correct: it’s not a Web 2.0 problem. People should knock off the “OMG Web 2.0 is broken…again!” nonsense.