[WEB SECURITY] JavaScript Malware, port scanning, and beyond

Billy Hoffman Billy.Hoffman at spidynamics.com
Mon Jul 31 15:44:55 EDT 2006

Props to Jeremiah and RSnake for their research. I know SPI Labs spent
quite some time working on this.  It will be interesting to contrast
what you release at BH with our research to see how two groups
independently approached this problem.

Style Sheets (CSS) and JavaScript includes. Such as <link src=....,
<script src=... Many times these files are just as unique as an
image. The technique is to simply use object or class detection.
This is a really good idea! Are you able to detect that the <link src>
failed to load because of an event, or do you associate the style sheet
using the LINK tag and then investigate the DOM to see if the proper
elements have the correct style?

Brute Forcing Basic HTTP Auth:
Mozilla, your gold. Firefox/Mozilla support the url notation (http://
user:pass at host/), while Internet Explorer (IE) does not. So forcing

SPI also ran into this problem. We didn't look at it all that much
beyond the classic "http://:admin@" for Linksys routers. We
instead figured that if user has cached their credentials, you win
regardless of IE, Mozilla/Firefox, Safari, etc! This means I can place
code to interact with web interfaces on IT infrastructure (routers,
switches, etc) and then find an XSS vuln in an IT admin related site.
Cached credentials = very bad news. The browser is so helpful in adding
the necessary HTTP headers for outgoing requests made by JavaScript...

XSS Chaining:
Was someone else was inspired by Anton's XSS-proxy at Shmoocon last

See you in Vegas,
Billy Hoffman
Lead R&D Engineer
SPI Dynamics - http://www.spidynamics.com
Phone: 678-781-4800
Direct: 678-781-484
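The "cached credentials = very bad news" point above is, from the server's side, a cross-site request forgery problem: once the browser holds Basic-auth credentials for a host, it attaches the Authorization header to any request to that host, including requests fired by script on an unrelated page. The following is an added example, not code from the original post or from SPI Dynamics, of how an admin web interface can refuse such requests. It assumes a constructed admin origin (http://router.example), constructed request headers, and a hypothetical per-session CSRF token derived with an HMAC; it uses only the Python standard library.

```python
# Added example (not from the original post or SPI Dynamics): a server-side
# guard for an admin web interface protected by HTTP Basic auth. Two
# independent checks are combined, so that a cached Authorization header on
# its own never authorizes a state change:
#   1. Origin / Referer must match the interface's own origin.
#   2. Every state-changing form carries a per-session CSRF token bound to
#      the session with an HMAC.
# All hostnames, tokens and header values below are constructed sample data.
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

ADMIN_ORIGIN = "http://router.example"  # constructed: the interface's own origin
DEFAULT_PORTS = {"http": 80, "https": 443}


def header(headers, name):
    """Case-insensitive lookup, since header names arrive in any case."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def origin_of(url):
    """Reduce a URL to its (scheme, host, port) origin triple."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, (parts.hostname or "").lower(), port)


def request_is_cross_site(headers, admin_origin=ADMIN_ORIGIN):
    """True unless the request demonstrably came from the admin interface's own origin.

    Origin is preferred over Referer. A request carrying neither is treated as
    cross-site (fail closed), because the server cannot tell where it came from.
    """
    for name in ("Origin", "Referer"):
        value = header(headers, name)
        if value:
            return origin_of(value) != origin_of(admin_origin)
    return True


def issue_token(secret, session_id):
    """Derive a CSRF token bound to the session; the secret never leaves the server."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def verify_token(secret, session_id, presented):
    """Constant-time comparison so the check does not leak via timing."""
    if not presented:
        return False
    return hmac.compare_digest(issue_token(secret, session_id), presented)


def authorize_state_change(headers, form, secret, session_id):
    """Decide whether a state-changing request (e.g. changing the admin
    password) may proceed. Returns (allowed, reason)."""
    if request_is_cross_site(headers):
        return (False, "cross-site request")
    if not verify_token(secret, session_id, form.get("csrf")):
        return (False, "missing or invalid CSRF token")
    return (True, "ok")


# Constructed sample: a request the browser sent on behalf of script running
# on an unrelated page. The browser added the cached Basic-auth header by
# itself, so the Authorization header alone proves nothing about intent.
CROSS_SITE_REQUEST = {
    "Host": "router.example",
    "Origin": "http://evil.example",
    "Referer": "http://evil.example/page.html",
    "Authorization": "Basic YWRtaW46YWRtaW4=",  # "admin:admin", constructed
}

# Constructed sample: the same request submitted from the interface's own form
# (header names deliberately lower-case to exercise the lookup).
SAME_SITE_REQUEST = {
    "host": "router.example",
    "origin": "http://router.example",
    "referer": "http://router.example/admin/setup.html",
    "authorization": "Basic YWRtaW46YWRtaW4=",
}

if __name__ == "__main__":
    secret = secrets.token_bytes(32)
    token = issue_token(secret, "session-1")
    print(authorize_state_change(CROSS_SITE_REQUEST, {"csrf": token}, secret, "session-1"))
    print(authorize_state_change(SAME_SITE_REQUEST, {"csrf": token}, secret, "session-1"))
    print(authorize_state_change(SAME_SITE_REQUEST, {}, secret, "session-1"))
```

The origin check alone is not enough on its own (Referer can be stripped by policy, and older clients may send neither header), which is why the token check is kept as a second, independent gate; the `(allowed, reason)` tuple makes the rejection cause easy to log for detection.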
