The Pownce Worm (Yet Another Potential AJAX Worm)

First of all, I need to let you know that it is not our practice to disclose vulnerabilities in specific online applications. However, given that Pownce, the vendor, was responsibly informed, and that we believe the issue is interesting enough to be discussed, we’ve decided to let you know about our findings. [...]

more | comments | comments rss | posted by

Joe Walker on Web Application Security

The picture that you see is a work of art produced by the British street artist Banksy. Underneath, you will find a great summary of common Web Application security threats put together by Joe Walker for The Ajax Experience event, which took place last week in Boston. It is highly recommended even if you are already familiar with the content.

I would like to say just one thing: Great work Joe. I haven’t seen any presentation that puts it out in such a clear way.


WormX

WormX is a collection of various notorious web worms, mostly written on top of popular client-side technologies and propagating primarily on social networking web sites.

For those of you who do not know what AJAX worms are, here is a bit of Internet history:

If you want to submit a worm, we are going to need the following information:

Worm name – It must be enclosed inside <h3>[atom name here]</h3> tags. [...]


XSSing the Lan 2

In order to perform browser-based attacks, JavaScript is most definitely required, with a number of restrictions of course. Flash 7 has the flexibility to perform cross-domain requests without restrictions; however, this is more or less fixed in Flash Player 8. Java applets are much the same in that respect. In certain situations it might be possible to trick the browser into doing whatever you want, but this is a different story. [...]


JavaScript Port Scanner

SPI Dynamics released a paper on how to port scan and do other interesting things with JavaScript. I found the paper interesting and, as a result, decided to make my own port scanner in JavaScript. My aim was to build a small, fast and reusable JavaScript port-scanning object. After a couple of hours fiddling around with IMG tags and other DOM elements, I came up with the following solution.

The code’s results depend on your connection speed and might not be very accurate. [...]
