PDP’s Work
I feel a little delinquent in posting about some of PDP’s work. He’s been doing a lot of stuff lately that’s worth commenting on. I guess I was really waiting for some more fallout from some of the Quicktime stuff before I did comment, but it looks like it’s sorta died down so now’s the right time to give my two cents. This is in chronological order:
First, I did mention his JavaScript port scanner when it came out, but it’s worth mentioning again. He based it off of the various JavaScript port scanning talks at the time (Jeremiah’s and SPI Dynamics’). PDP’s code doesn’t seem to have changed since he released it, but if you want the original version that Jeremiah wrote, which has all the features in it, you can get it from Jeremiah’s site, along with the other things built into it, like the CSS history hack, the JavaScript shell, etc…
Next PDP released the FEX scanner based on a post I made about detecting Firefox plugins. Jeremiah released a full signature database later, which is probably worth looking at if you don’t want to do the work yourself. I’m still waiting for someone to do some more analysis on the plugins themselves, as I think that’s where there will be some more interesting things.
Next, in quick succession, PDP had three posts about backdooring HTML, Flash and MP3 files with JavaScript. I didn’t want to say anything about any of these at the time because most of them I think have been covered by the XSS Cheat Sheet, but the MP3 one is worth talking about at a little more length. Most people don’t allow embedded objects in webpages (okay, MySpace is the odd duck here). While I do think it’s interesting that it’s possible, I’m not sure how relevant it is, because it still requires some social engineering in most cases to get the MP3 to be clicked on. Most of what I focus on is new attack vectors. I think (unless the server happens to allow embedded MP3 files) it’s more social engineering than anything, which I try to stay away from on this site - although it is interesting and I’m glad someone is doing the research on social engineering vectors because there’s no way I would.
Next PDP mentioned using the data directive as a new attack vector - unfortunately it’s not new, it’s been around for years, and it’s not only obscure but difficult to use and not supported by most browsers. It’s basically the data: URI scheme, with an HTML document (and its script) carried inline in the URI itself. While interesting, it’s not a particularly practical vector (or even a vector at all unless you can inject HTML around it or get something to redirect to it). Although it’s nice that he’s bringing up older vectors, because I don’t think a lot of people know about this stuff - so as he’s learning he’s teaching other people.
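To make the point concrete, here is an added example (not code from the original post, and not PDP’s code) showing both sides: the attacker building a data: URI that carries an HTML document with script, the iframe markup that still has to be injected around it for anything to happen, and a filter that recognises such a URI in src/href/data/action attributes even after entity encoding, whitespace and case tricks. It runs under Node; the payload and the markup samples are constructed for the example.

```javascript
// Added example, not from the original post or from PDP. It shows the data:
// URI as an XSS carrier, why it is only a vector when the attacker can also
// inject the markup (or redirect) that loads it, and a filter that catches the
// URI after common obfuscations. Runs under Node; sample inputs are constructed.

// Constructed sample payload the attacker wants the victim's browser to run.
const SAMPLE_PAYLOAD = '<script>alert(document.domain)</script>';

// Attacker side: wrap an HTML document in a data: URI. The base64 form hides
// "<script" from filters that only look for it in the literal injected string.
function buildDataUri(html, base64 = true) {
  return base64
    ? 'data:text/html;base64,' + Buffer.from(html, 'utf8').toString('base64')
    : 'data:text/html,' + encodeURIComponent(html);
}

// The URI does nothing on its own; something has to render it. This is the
// minimal markup the attacker still needs to get onto the page around it.
function wrapInIframe(uri) {
  return '<iframe src="' + uri + '"></iframe>';
}

function safeDecodeURIComponent(s) {
  try { return decodeURIComponent(s); } catch { return s; }
}

// Defender side: decode a data: URI back into its MIME type and body.
// Returns null for anything that is not a data: URI.
function parseDataUri(uri) {
  const m = /^data:([^,]*),([\s\S]*)$/i.exec(uri);
  if (!m) return null;
  const params = m[1].split(';').map((p) => p.trim());
  const mime = (params[0] || 'text/plain').toLowerCase();
  const isBase64 = params.slice(1).some((p) => p.toLowerCase() === 'base64');
  const body = isBase64
    ? Buffer.from(m[2], 'base64').toString('utf8')
    : safeDecodeURIComponent(m[2]);
  return { mime, base64: isBase64, body };
}

// Minimal HTML entity decoder, enough to undo "&#100;ata:" style hiding.
const NAMED_ENTITIES = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };
function decodeEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => String.fromCodePoint(parseInt(d, 10)))
    .replace(/&([a-z]+);/gi, (full, name) => NAMED_ENTITIES[name.toLowerCase()] ?? full);
}

// MIME types a browser will run script from when the URI is framed or embedded.
const ACTIVE_MIME = new Set([
  'text/html', 'application/xhtml+xml', 'image/svg+xml', 'text/xml', 'application/xml',
]);
const SCRIPT_BODY = /<script|javascript:|\bon[a-z]+\s*=/i;

// Scan untrusted markup for src/href/data/action attributes whose value is a
// data: URI, after stripping whitespace/control characters and entity encoding.
// Returns one finding per attribute that carries active content.
function findRiskyDataUris(html) {
  const findings = [];
  const attrRe = /\b(src|href|data|action)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  let m;
  while ((m = attrRe.exec(html)) !== null) {
    const raw = m[2] ?? m[3] ?? m[4];
    const normalised = decodeEntities(raw).replace(/[\s\x00-\x1f]/g, '');
    const parsed = parseDataUri(normalised);
    if (!parsed) continue;
    const risky = ACTIVE_MIME.has(parsed.mime)
      || /script/i.test(parsed.mime)
      || SCRIPT_BODY.test(parsed.body);
    if (risky) findings.push({ attr: m[1].toLowerCase(), mime: parsed.mime, base64: parsed.base64 });
  }
  return findings;
}

// Stand-alone demo: build the payload, show the markup needed to fire it, scan it.
const demoUri = buildDataUri(SAMPLE_PAYLOAD);
console.log(wrapInIframe(demoUri));
console.log(findRiskyDataUris(wrapInIframe(demoUri)));
```

The filter deliberately decides on the decoded MIME type and body rather than on the raw string, which is what defeats the base64 and entity-encoded forms; a filter that only looks for `<script` in the submitted text passes the framed base64 version untouched.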
Lastly, PDP wrapped my XSS attack library with AJAX functionality to make it easier to use. This is sorta like a crippled version of CAL9000, but it is 100% web-based, so if you can’t figure out how to use the XSS Cheat Sheet and don’t want to download CAL9000, the xssdb is a good alternative.
Anyway, some cool stuff coming from PDP. As his understanding matures, I think we’re bound to see good stuff coming from him. Nice work, PDP! I’m glad he’s on our side.