Javascript Spider
During the last couple of days I have been testing several attack vectors to circumvent the browser security sandbox, also known as "the same origin policy". There is a lot involved in this subject and I will present my notes very soon.
As you can see, publicly available anonymizing proxies can be used to fetch remote pages. This technique will work quite successfully on Internet resources but not on an intranet. The reason for this is obvious: a public proxy has no route to hosts on a private network.
The requests made are anonymous since they are proxied. This may amplify or reduce the risk depending on the situation. However, an anonymous self-propagating worm is definitely possible.
comments
This is neat :)
Would like to get some more details on its implementation
-
Anush
I don’t think you know what “attack vector” means. Using a publicly-accessible anonymous proxy is hardly a security concern - especially considering that none of the user’s personal information is passed along.
Honestly, the only thing that you “discovered” (and that was just something you noticed, as the world has passed you by) is that publicly-accessible anonymous proxies can be used for “bad” things.
Hi John, I appreciate your comment but what I see from your blog is that you are not a security expert. That is the reason why I believe that you are more experienced in JavaScript programming than me and I am more experienced in security than you.
If you believe that JavaScript related attacks exploit client side technologies only, then probably you are still living in 2005. I welcome you to go through my blog as well as other blogs here and here.
As far as what attack vector is… well, I am not claiming that my English is perfect but if we google for the word vector you will see that there are mainly two types of definitions: one related to biology and one related to mathematics. Check these two samples:
It is more than obvious what attack vector is.
You are also saying:
You are right about one thing. Publicly accessible proxies can be used for bad things and that's nothing new. However, who has done it in the past with JavaScript? I couldn't find anything like this on the web and to me and the whole world it is a new thing and it is an attack VECTOR since no one is protected against it.
A couple of weeks ago people were claiming that JavaScript worms that traverse the WEB are impossible because of the same origin policies implemented in all modern browsers. Well, here is a workaround which apparently you don't like for some unknown reason.
John, I am very interested to see your opinion on this response. I personally don't have time to explain what JavaScript can be used for, so that's why I encourage you to check some of my articles first and then post whatever you want to say. Many thanks.
Hi Anush,
Yes, I will go into details in my next post. Thanks for asking.
What a stupid code. I don't think it's useful in any way; by getting an anonymous proxy, what the heck are you trying to do? You seem a pretty overconfident starter in security, and everybody knows anonymous proxies can be used to do lots of stuff; lots of tools are already there. What are you trying to do?
san, I admit that the code is quite bad but it was hacked in 30 minutes. What do you expect? What I am trying to do can be appreciated by those who understand the subject.
However, I think that the community will be quite interested in your solution if you manage to do what I am trying to do without using the technique I have already discussed. :)
I am not overconfident. Do I sound overconfident? I am sorry if this is the impression you are getting.
Wow .. such hatred.
John, you apparently didn’t understand the post at all. He’s not claiming that those using proxies are at greater risk, or that their personal information can be disclosed by it. It has nothing to do with proxy users.
It's saying that by using certain public proxies you can work around JavaScript's same origin policies. If you bothered reading his previous blog posts about Google Search API Worms, you'd understand. Another tool in the arsenal, alongside Google's and Yahoo's APIs.
This may help you comprehend the security restrictions of javascript: http://www.windowsitlibrary.co...../22/1.html
-maluc
Your spider example is broken. For some reason Proxydrop.com filters out all javascript. You should take another proxy.
Cheers, Bas
I noticed that a long time ago. Thanks for the comment though. I will fix it as soon as I have some free time. Thanks.
Exactly what I was looking for. I found an XSS at a different site, and needed a way to retrieve another page on the same site, parse it and extract sensitive data from it. (Yeah, I could steal the cookie and use it later, but I am doing a POC for the vendor, and so need to make it more dramatic.)
I ain't no JS expert, so thanks for the code :-)
I don’t think that the code will help you much but I guess you know what you are doing :)