Oops! I accidentally hit the Back button and canceled my attack!

Danny Alan’s demo of Ajax XSS attacks and exploits had to be one of the best talks I went to at Ajax World 2008. Aside from wowing the audience with a demonstration of the power and ease of Cross-Site Request Forgery attacks, he also uttered the most hilarious soundbite of the conference:

Oops! I accidentally hit the Back button and canceled my attack!

In all serious, the CSRF attack toolkit put together by Danny and his colleagues was impressively unsettling.



Ajax vulnerabilities, originally uploaded by Noah Sussman.

This slide is from Danny Alan’s talk on XSS. I’ve read about the various JavaScript remoting attacks, but it was impressive to actually watch him paste a simple script tag into an insecure form, then later (from a remote host) play back the compromised browser’s session, including cookies, keys pressed (including passwords), all the HTML retrieved by the browser, and details about the browser’s history.

Another disturbing thought: JavaScript can talk to the Java VM via an applet. The Java VM knows the NAT address of the host machine on the internal network. If the router password and IP are known (most users leave these set to factory defaults) then JavaScript can fill out and submit any of the Web forms that control the router. So it’s theoretically possibly to compromise a router with JavaScript.

12 Responses to “Oops! I accidentally hit the Back button and canceled my attack!”

  1. Weiter Says:

    Weiter…

    Meme Catcher » Blog Archive » Oops! I accidentally hit the Back button and canceled my attack!…

  2. Twitter Says:

    Twitter…

    Meme Catcher » Blog Archive » Oops! I accidentally hit the Back button and canceled my attack!…

  3. Borsen Says:

    Borsen…

    Meme Catcher » Blog Archive » Oops! I accidentally hit the Back button and canceled my attack!…

  4. quest bar ingredients mislabeled Says:

    quest bar ingredients mislabeled…

    Meme Catcher » Blog Archive » Oops! I accidentally hit the Back button and canceled my attack!…

  5. match.com free trial text Says:

    match.com free trial text…

    Meme Catcher » Blog Archive » Oops! I accidentally hit the Back button and canceled my attack!…

  6. pure forskolin. Says:

    pure forskolin….

    Meme Catcher » Blog Archive » Oops! I accidentally hit the Back button and canceled my attack!…

  7. kroger coupons download on kroger card Says:

    kroger coupons download on kroger card…

    Meme Catcher » Blog Archive » Oops! I accidentally hit the Back button and canceled my attack!…

  8. kroger feedback survey Says:

    kroger feedback survey…

    Meme Catcher » Blog Archive » Oops! I accidentally hit the Back button and canceled my attack!…

  9. sale quest bars Says:

    sale quest bars…

    Meme Catcher » Blog Archive » Oops! I accidentally hit the Back button and canceled my attack!…

  10. Villa Park CA Payday loans No credit check Says:

    Villa Park CA Payday loans No credit check…

    Meme Catcher » Blog Archive » Oops! I accidentally hit the Back button and canceled my attack!…

  11. descargar facebook Says:

    descargar facebook…

    Meme Catcher » Blog Archive » Oops! I accidentally hit the Back button and canceled my attack!…

  12. Descargar Firefox ++++ Says:

    Descargar Firefox ++++…

    Meme Catcher » Blog Archive » Oops! I accidentally hit the Back button and canceled my attack!…

Leave a Reply

You must be logged in to post a comment.