Comments on: Javascript Spider

By: Anthony Alexander

Anthony Alexander — Wed, 04 Jan 2012 21:47:17 +0000

John Resig is a prick. That is why I don’t use Jquery.

By: Traversing the Web | GNUCITIZEN

Traversing the Web | GNUCITIZEN — Fri, 02 Jan 2009 10:51:02 +0000

[...] The example provided above is not generic. In fact it is a bit bulky and can be definitely improved. The reason why I used this technique is because there is a proof of concept tool that makes use of it. The tool is called JavaScript SPIDER and it can be found here. [...]

By: Maluc on JavaScript Worms | GNUCITIZEN

Maluc on JavaScript Worms | GNUCITIZEN — Fri, 02 Jan 2009 09:54:04 +0000

[...] the JavaScript SPIDER here. Than John Resig, a developer with some cool AJAX projects on his belt claimed that this is not a problem at all, misunderstanding the subject. Than maluc, backed me up with this [...]

By: Why crawling doesn’t matter | tssci security

Why crawling doesn’t matter | tssci security — Sun, 02 Dec 2007 23:07:20 +0000

[...] of the most impressive spider related hacks I’ve seen is the Javascript-spider work that pdp put together on his blog. Strangely, John Resig (author of jQuery), thought this was [...]

By: pdp

pdp — Tue, 24 Jul 2007 16:46:41 +0000

I don’t think that the code will help you much but I guess you know what you are doing :)

By: Sudeep

Sudeep — Tue, 24 Jul 2007 10:48:45 +0000

Exactly what I was looking for. I found an XSS at a different site , and needed a way to retrieve another page on the same site , parse it and extract sensitive data from it. (Yeah , I could steal the cookie and use it later, but I am doing a POC for the vendor, an so , need to make it more dramatic)
I aint no JS expert, so thanks for the code :-)

By: Yahoo Site Explorer Spider | GNUCITIZEN

Yahoo Site Explorer Spider | GNUCITIZEN — Wed, 18 Jul 2007 12:12:29 +0000

[...] this page. I’ve being talking about client-side spiders for quite some time now over here and here and I even came up with POC based on Yahoo Pipes for my OWASP presentation on Advanced Web Hacking [...]

By: pdp

pdp — Tue, 23 Jan 2007 21:03:54 +0000

I noticed that long time ago. Thanks for the comment though. I will fix it as soon as I have some free time. Thanks.

By: Bas Wenneker

Bas Wenneker — Tue, 23 Jan 2007 19:57:38 +0000

Your spider example is broken. For some reason Proxydrop.com filters out all javascript. You should take another proxy.

Cheers, Bas

By: GNUCITIZEN » Automated XSS Detection

GNUCITIZEN » Automated XSS Detection — Mon, 06 Nov 2006 01:42:51 +0000

[...] Solving obstacle one is hard. How can we know what input channels an application may posses? There might be some forms, but we don’t know about them. We can brute force names but that is slow and kind of lame. The simplest thing I come up with is to proxy the page through Google Translate and get the content by using the technique implemented in the JavaScript SPIDER proof of concept tool. Although it is slow and far from perfect, you must agree that it is a possible vector that can be employed. That’s not all. [...]

By: GNUCITIZEN » Maluc on JavaScript Worms

GNUCITIZEN » Maluc on JavaScript Worms — Tue, 10 Oct 2006 01:51:19 +0000

[...] October 10th, 2006 This is the story so far: A couple of days ago I published the JavaScript SPIDER here. Than John Resig, a developer with some cool AJAX projects on his belt claimed that this is not a problem at all, missunderstanding the subject. Than maluc, backed me up with this comment. Today I followed John’s blog and I found maluc’s personal respond on the matter. I really like the summary that he made, so I decided to put it on this site. These are his words: To remove the personal bit from his respond I replaced each “you” with “developers”. [...]

By: maluc

maluc — Mon, 09 Oct 2006 21:53:41 +0000

Wow .. such hatred.

Using a publicly-accessible anonymous proxy is hardly a security concern – especially considering that none of the user’s personal information is passed along.

John, you apparently didn’t understand the post at all. He’s not claiming that those using proxies are at greater risk, or that their personal information can be disclosed by it. It has nothing to do with proxy users.

It’s saying that by using certain public proxies you can work around the javascript’s same origin policies. If you bothered reading his previous blog posts about Google Search API Worms, you’d understand. Another tool in the arsenal, alongside google and yahoo’s APIs

This may help you comprehend the security restrictions of javascript: http://www.windowsitlibrary.co...../22/1.html

-maluc

By: pdp

pdp — Mon, 09 Oct 2006 09:44:11 +0000

san, I admit that the code is quite bad but it was hacked in 30 minutes. What do you expect? What I am trying to do can be appreciated by those who understand the subject.

However, I think that the community will be quite interested in your solution if you manage to do what I am trying to do without using the technique I have already discussed. :)

I am not overconfident. Do I sound overconfident? I am sorry if this is the impression you are getting.

By: san

san — Mon, 09 Oct 2006 09:27:38 +0000

wat a stupid code , i dont think its useful in any way by gettin a anoymous proxy wat the heck u r tryin to do .. u seems a pretty overconfident starter in security. and everybody know anoymous proxy can be used to do lots of stuff lots of tool already there wat r u tryin to do

By: pdp

pdp — Mon, 09 Oct 2006 02:13:12 +0000

Hi Anush,

Yes, I will go into details in my next post. Thanks for asking.

By: pdp

pdp — Mon, 09 Oct 2006 01:51:00 +0000

Hi John, I appreciate your comment but from what I can see from your blog, you are not a dealing with security at all. That is the reason why I believe that you are more experienced in JavaScript programming than me and I am more experienced in security than you. As far as what attack vector is... well, I am not claiming that my English is perfect but if we google for the word vector you will see that there are mainly two types of definitions: one related to biology and one related to mathematics. Check these two samples:

carrier of an infectious agent; capable of transmitting infection from one host to another; especially the animal that transfers an infectious agent from one host to another, usually an arthropod. life.umd.edu

A vector is a number (a magnitude) together with a direction (compare with scalar). A vector can be represented by an arrow whose length represents the magnitude and the direction represents the direction. enchantedlearning.com

It is more than obvious what attack vector is. You are also saying:

Honestly, the only thing that you 'discovered' (and that was just something you noticed, as the world has passed you by) is that publicly-accessible anonymous proxies can be used for "bad" things.

You are right for one thing. Publicly accessible proxies can be used for bad things and that's nothing new. However, who has done it in the past with JavaScript? I couldn't find anything like this on the web and to me it is a new thing. John, I am very interested to see your opinion on this respond. Many thanks.

By: John Resig

John Resig — Sat, 07 Oct 2006 17:54:27 +0000

I don’t think you know what “attack vector” means. Using a publicly-accessible anonymous proxy is hardly a security concern – especially considering that none of the user’s personal information is passed along.

Honestly, the only thing that you “discovered” (and that was just something you noticed, as the world has passed you by) is that publicly-accessible anonymous proxies can be used for “bad” things.

By: Depressive Developer » Google, viel XML und das Ende des Abendlandes

Depressive Developer » Google, viel XML und das Ende des Abendlandes — Fri, 06 Oct 2006 20:41:50 +0000

[...] Eine ganze Menge JavaScript ist hingegen bei Gnucitizen’s JavaScript-Spider involviert. Mit diesem Tool ist es m?glich, v?llig anonym ?ber einen Proxy nach Wahl Seiten zu spidern. Wer sich also mal schnell einen Crawler zusammenbauen m?chte, um bei Google nach Foren bestimmten Typs oder ?hnlich unartigen Dingen zu suchen, hat nun die Gelegenheit, dies mit ein Paar Klicks zu tun. Mit solchen M?glichkeiten an der Hand bleibt es wahrscheinlich auch nur eine Frage der Zeit, bis die ersten Skripte ‘in the wild’ sind, mit denen man ebenso anonym XSS und GET-Exploits automatisiert einschleusen kann. Gruselig. [...]

By: Anush Shetty

Anush Shetty — Fri, 06 Oct 2006 17:30:22 +0000

This is neat :)

Would like to get some more details on its implementation

-
Anush