Oops! I accidentally hit the Back button and canceled my attack!
Danny Alan’s demo of Ajax XSS attacks and exploits had to be one of the best talks I went to at Ajax World 2008. Aside from wowing the audience with a demonstration of the power and ease of Cross-Site Request Forgery attacks, he also uttered the most hilarious soundbite of the conference:
Oops! I accidentally hit the Back button and canceled my attack!
In all serious, the CSRF attack toolkit put together by Danny and his colleagues was impressively unsettling.
This slide is from Danny Alan’s talk on XSS. I’ve read about the various JavaScript remoting attacks, but it was impressive to actually watch him paste a simple script tag into an insecure form, then later (from a remote host) play back the compromised browser’s session, including cookies, keys pressed (including passwords), all the HTML retrieved by the browser, and details about the browser’s history.
Another disturbing thought: JavaScript can talk to the Java VM via an applet. The Java VM knows the NAT address of the host machine on the internal network. If the router password and IP are known (most users leave these set to factory defaults) then JavaScript can fill out and submit any of the Web forms that control the router. So it’s theoretically possibly to compromise a router with JavaScript.