Re: Hackers Focusing on Web 2.0 Sites (plus Comment)

["Dude VanWinkle" <dudevanwinkle () gmail com>]

On 7/11/07, Paul Ferguson <fergdawg () netzero net> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Via ITPro.
>
> Please read further for my comments.

Holy $%i# Paul comments on a story?!! What is this friday the 13th?,..
no wait, thats tomorrow... ;-)

> [snip]

> We've been saying for over 10 years that JavaScript, in and of
> itself, can be used for extremely evil shit. And since most of
> the newer, mash-up-style Web "Uh-Oh' stuff uses AJAX and requires
> users to open themselves up for JavaScript exploitation just to
> experience the content.


Do you remember the java applet port scanner that was posted to FD a
while ago? If you visited the site, it would load the applet and scan
cia.gov from your IP  address? (kinda like this one:
http://switch.sjsu.edu/v6n2/ztps/, but I dont remember having to click
on "ok" to have the scan kick off..)

Well I am just waiting for some interactive content to allow folks to
load a tiny SMTP server into visiting users JVM's use that to send out
spam..

Could JS be used that way as well?
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.