Here is a common problem. You have to write an web-based email, im, ssh, xmmp, SMB, etc. client which must connect to a server other then the originating one. What do you do then? Hint: You cannot use Java!
Well, due to the fact the the browser has no idea how to spawn a tcp socket, you are stuck in the proxy-land. Typically you will write an application that will do a lot of transcoding and state management. [...]
First of all I need to let you know that it is not within our practice to disclose vulnerabilities on specific online applications. However, given the fact that Pownce, the vendor, was responsibly informed and the fact that we believe that the issue is interesting enough to be discussed, we’ve decided to let you know about our findings. [...]
In order to perform browser based attacks, JavaScript is most definitely required with a number of restrictions of course. Flash 7 has the flexibility to perform cross domain requests without restrictions, however this is sort of fixed in Flash Player 8. Java applets are quite the same in that respect. In certain situations it might be possible to trick the browser into doing what ever you want, but this is a different story. [...]
SPI Dynamics released a paper on how to port scan and do other cool stuff with JavaScript. I found the paper quite interesting and I decided to make my own port scanner in JavaScript. My aim was to build a small, fast and reusable javascript portscanning object. After a couple of hours fiddling around with IMG tags and other DOM elements I came up with the following solution.
The code depends on your connection speed and might not be very accurate. [...]
test your web apps with websecurify application security testing runtime