[WEB SECURITY] javascript based network scanners
allodoxa
spamhole at telenet.be
Sun Apr 22 08:00:55 EDT 2012
Hi Antisnatchor,
I had a look at the port-scanner module and as far as I can see it seems
to work exactly in the crude manner I was talking about (load set of ips
and unsorted-list of images and loop through them).
It also seems to handle the on load event only, ignoring possible info
that can be obtained from timing the on-error event. I'm actually
looking for ways to optimize the usage of what limited information you
get from JavaScript image loading.
The BeEF project as a whole is very interesting though. It's nice to see
that others see the potential of this attack vector and have worked it
out so nicely.
Regards,
Raf
On Sun, 2012-04-22 at 11:28 +0100, Michele Orru wrote:
> Hey,
>
> take a look at the port scanner we have in BeEF (http://beefproject.com).
> It is combining 3 techniques (img tags, WebSockets and CORS) and merge
> the results.
>
> You can find it under modules -> network -> portscanner
>
> Cheers
> antisnatchor
>
> On Sat, Apr 21, 2012 at 3:03 PM, allodoxa <spamhole at telenet.be> wrote:
> > Hello list,
> >
> > I was playing with the idea making a JavaScript based network scanner /
> > CSRF exploiting tool. I know the idea in itself isn't very new, but I
> > feel somehow it never really got the credit that it deserved and still
> > believe it's a valid attack vector and with some preparation and minimal
> > tweaking/configuring of the scanning engine before sending it to a
> > target will yield very good results.
> > Anyways; I made a quick write-up of my ideas/findings. Any feedback on
> > the matter would be greatly appreciated.
> >
> > http://allodox.wordpress.com/2012/04/21/javascript-based-network-scanners/
> >
> > Regards,
> >
> > Raf
> >
> >
> >
> > _______________________________________________
> > The Web Security Mailing List
> >
> > WebSecurity RSS Feed
> > http://www.webappsec.org/rss/websecurity.rss
> >
> > Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
> >
> > WASC on Twitter
> > http://twitter.com/wascupdates
> >
> > websecurity at lists.webappsec.org
> > http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
>
>
>
More information about the websecurity
mailing list