Shmoo 1860 - Billy Hoffman - JavaScript Malware For A Grey Goo Tomorrow

Recorded at the www.ShmooCon.org HACKING AND COMPUTER SECURITY CONFERENCE, March 24, 2007 in Washington, D.C. Content produced by www.MediaArchives.com.

JavaScript Malware for a Grey Goo Tomorrow, with Billy Hoffman. Aren’t Cross Site Scripting vulnerabilities lame? All they can do is display annoying popups that say ’xss’ in them. Oh, and hijack your HTTP sessions… and detect every website you have visited… and port scan and fingerprint your internal network… and reconfigure your routers… and brute force usernames and passwords… and capture all the words you search Google for. And I almost forgot, they can self propagate too. Wait, maybe XSS isn’t so lame after all. This presentation will examine all the nasty things JavaScript can do that most people don’t know about. What’s that? The masses desire the sweet taste of 0-day? No problem. I’ll demo and release Jikto, a complete web application vulnerability scanner written entirely in JavaScript. Jikto silently crawls and audits any public website and sends the results to a 3rd party. Jikto can be embedded into any website or XSS payload, turning website visitors into accomplices that will scan and attack webservers on the Internet.

Billy Hoffman is lead researcher at SPI Dynamics. He first became interested in web security on November 5th, 1955 when he was standing on the edge of a toilet hanging a clock. The porcelain was wet, he slipped, and hit his head on the edge of the sink. When he came to he had a picture in his head of destroying the Internet with JavaScript. Billy is currently writing a book on Ajax security for Addison Wesley.

Source: www.MediaArchives.com and www.ShmooCon.org
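The session-hijacking claim in the abstract above rests on one primitive: an injected script reads document.cookie and ships it to a third party. The check a practitioner wants for that is whether the session cookie is issued with the attributes that block or narrow it. The following is an added example written for this listing; it is not code from the talk, from SPI Dynamics, or from Jikto. The session-cookie name heuristic (SESSION_NAME_RE) and the sample Set-Cookie headers are assumptions constructed for the example.

```javascript
// Added example, not code from the talk or from Jikto: audit Set-Cookie headers
// for the attributes that limit what an injected script can do with a session
// cookie. The simplest session-hijack primitive the abstract alludes to is
// reading document.cookie from an XSS payload and sending it to a third party;
// HttpOnly removes that primitive, Secure and SameSite narrow the remaining ones.

// Split one Set-Cookie header value into name, value and a lowercase attribute map.
function parseSetCookie(header) {
  const parts = header.split(';').map((s) => s.trim()).filter(Boolean);
  const [nameValue, ...attrParts] = parts;
  const eq = nameValue.indexOf('=');
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq).trim();
  const value = eq === -1 ? '' : nameValue.slice(eq + 1).trim();
  const attributes = {};
  for (const part of attrParts) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    // Flag attributes (HttpOnly, Secure) become true; valued ones keep their value.
    attributes[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name, value, attributes };
}

// Heuristic for "this cookie probably carries a session". This is an assumption
// of the example; a real scanner keeps a configurable list of names.
const SESSION_NAME_RE = /sess|sid|auth|token|jwt/i;

// Return the findings for one header; cookies that do not look like session
// carriers produce no findings.
function auditSetCookie(header) {
  const cookie = parseSetCookie(header);
  const findings = [];
  if (!SESSION_NAME_RE.test(cookie.name)) {
    return { name: cookie.name, findings };
  }
  if (cookie.attributes.httponly !== true) {
    findings.push('missing HttpOnly: document.cookie exposes it to any injected script');
  }
  if (cookie.attributes.secure !== true) {
    findings.push('missing Secure: cookie is also sent over plaintext HTTP');
  }
  const sameSite = typeof cookie.attributes.samesite === 'string'
    ? cookie.attributes.samesite.toLowerCase()
    : null;
  if (sameSite === null || sameSite === 'none') {
    findings.push('SameSite absent or None: cookie is attached to cross-site requests');
  }
  return { name: cookie.name, findings };
}

// Audit a list of headers and keep only the cookies with at least one finding.
function auditAllSetCookie(headers) {
  return headers.map(auditSetCookie).filter((r) => r.findings.length > 0);
}

// Constructed sample headers for the example (not captured from any real site).
const SAMPLE_SET_COOKIE_HEADERS = [
  'PHPSESSID=abc123; Path=/',
  'sessionid=xyz789; Path=/; HttpOnly; Secure; SameSite=Lax',
  'theme=dark; Path=/; Max-Age=31536000',
  'auth_token=t0k3n; Secure; SameSite=None',
];

for (const result of auditAllSetCookie(SAMPLE_SET_COOKIE_HEADERS)) {
  console.log(`${result.name}:`);
  for (const finding of result.findings) console.log(`  - ${finding}`);
}
```

Run with node; the two session cookies issued without HttpOnly are reported, the one carrying HttpOnly, Secure and SameSite=Lax is not. The caveat that matters for the rest of the abstract: HttpOnly only closes the cookie-theft path. A script injected into the page still runs in the victim's origin and can issue authenticated requests from the victim's browser, which is exactly the "visitors as accomplices" model the Jikto demo describes, so the remaining capabilities listed above call for output encoding and Content-Security-Policy rather than cookie flags.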


Basic Javascript Redirect Tutorial

Javascript redirection from website

Source: alexg13

