Javascript Spider

Fri, 06 Oct 2006 09:36:13 GMT
by pdp

During the last couple of days I have been testing several attack vectors to circumvent the browser security sandbox also known as "the same origin policy". There is a lot involved into this subject and I will present my notes very soon.

The JavaScript Spider is the first implementation of a proof of concept tool which shows that Javascript can be in fact quite malicious. This implementation depends on proxydrop.com but other proxies can be used too: Google Translate is one of them. Keep in mind that the tool spiders only one page.

As you can see, publicly available anonymizing proxies can be used to fetch remote pages. This technique will work quite successfully on Internet resources but not on Intranet. The reason for this is obvious.

The requests made are anonymous since they are proxied. This may amplify or reduce the risk depending on the situation. However an anonymous self-propagating worm can be in theory - possible.

Archived Comments

Anush ShettyAnush Shetty
This is neat :) Would like to get some more details on its implementation - Anush
John ResigJohn Resig
I don't think you know what "attack vector" means. Using a publicly-accessible anonymous proxy is hardly a security concern - especially considering that none of the user's personal information is passed along. Honestly, the only thing that you "discovered" (and that was just something you noticed, as the world has passed you by) is that publicly-accessible anonymous proxies can be used for "bad" things.
pdppdp
Hi John, I appreciate your comment but from what I can see from your blog, you are not a dealing with security at all. That is the reason why I believe that you are more experienced in JavaScript programming than me and I am more experienced in security than you. As far as what attack vector is... well, I am not claiming that my English is perfect but if we google for the word vector you will see that there are mainly two types of definitions: one related to biology and one related to mathematics. Check these two samples:
carrier of an infectious agent; capable of transmitting infection from one host to another; especially the animal that transfers an infectious agent from one host to another, usually an arthropod. life.umd.edu
A vector is a number (a magnitude) together with a direction (compare with scalar). A vector can be represented by an arrow whose length represents the magnitude and the direction represents the direction. enchantedlearning.com
It is more than obvious what attack vector is. You are also saying:
Honestly, the only thing that you 'discovered' (and that was just something you noticed, as the world has passed you by) is that publicly-accessible anonymous proxies can be used for "bad" things.
You are right for one thing. Publicly accessible proxies can be used for bad things and that's nothing new. However, who has done it in the past with JavaScript? I couldn't find anything like this on the web and to me it is a new thing. John, I am very interested to see your opinion on this respond. Many thanks.
pdppdp
Hi Anush, Yes, I will go into details in my next post. Thanks for asking.
sansan
wat a stupid code , i dont think its useful in any way by gettin a anoymous proxy wat the heck u r tryin to do .. u seems a pretty overconfident starter in security. and everybody know anoymous proxy can be used to do lots of stuff lots of tool already there wat r u tryin to do
pdppdp
san, I admit that the code is quite bad but it was hacked in 30 minutes. What do you expect? What I am trying to do can be appreciated by those who understand the subject. However, I think that the community will be quite interested in your solution if you manage to do what I am trying to do without using the technique I have already discussed. :) I am not overconfident. Do I sound overconfident? I am sorry if this is the impression you are getting.
malucmaluc
Wow .. such hatred.
Using a publicly-accessible anonymous proxy is hardly a security concern - especially considering that none of the user's personal information is passed along.
John, you apparently didn't understand the post at all. He's not claiming that those using proxies are at greater risk, or that their personal information can be disclosed by it. It has nothing to do with proxy users. It's saying that by using certain public proxies you can work around the javascript's same origin policies. If you bothered reading his previous blog posts about Google Search API Worms, you'd understand. Another tool in the arsenal, alongside google and yahoo's APIs This may help you comprehend the security restrictions of javascript: http://www.windowsitlibrary.com/Content/1160/22/1.html -maluc
Bas WennekerBas Wenneker
Your spider example is broken. For some reason Proxydrop.com filters out all javascript. You should take another proxy. Cheers, Bas
pdppdp
I noticed that long time ago. Thanks for the comment though. I will fix it as soon as I have some free time. Thanks.
SudeepSudeep
Exactly what I was looking for. I found an XSS at a different site , and needed a way to retrieve another page on the same site , parse it and extract sensitive data from it. (Yeah , I could steal the cookie and use it later, but I am doing a POC for the vendor, an so , need to make it more dramatic) I aint no JS expert, so thanks for the code :-)
pdppdp
I don't think that the code will help you much but I guess you know what you are doing :)
Anthony AlexanderAnthony Alexander
John Resig is a prick. That is why I don't use Jquery.