
Rich Cannings, Himanshu Dwivedi, Zane Lackey, and Alex Stamos

"Hacking Exposed Web 2.0: Web 2.0 Security Secrets and Solutions"


This AJAX code makes HTTP GET and POST requests to GoatFriends and receives the
contact list as JavaScript arrays. One GET request against
https://im.goatfriends.com/im/getContacts.asp is made to retrieve the user's list of
friends and their IM status, and it returns an array like this:
[["online","Rich Cannings","rich@cannings.org"]
,["offline","Himanshu Dwivedi","hdwivedi@isecpartners.com"]
,["online","Zane Lackey","zane@isecpartners.com"]
,["DND","Alex Stamos","alex@isecpartners.com"]
]
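The array above is a complete, valid JavaScript program on its own, which is what makes a response of this shape readable from another origin when it is pulled in as a script rather than fetched by same-origin AJAX. The following is an added example (not code from the book or from GoatFriends) that checks a response body for that property and shows one hardening pattern: an unparseable prefix that the legitimate client strips, plus a custom request header that a cross-domain script include cannot supply. The guard prefix, the header requirement and the encode/decode function names are assumptions for illustration.

```javascript
// Added example (not from the book): why a bare JavaScript array response is
// loadable cross-domain as a script, and one way to harden the endpoint.
// The contact list shape follows the page's getContacts.asp sample.

const SYNTAX_GUARD = ")]}'\n"; // unparseable prefix; assumed convention, not GoatFriends'

// Server side (hypothetical replacement for getContacts.asp): prefix the JSON so the
// body is a syntax error when included via <script src=...>, and refuse requests that
// lack a header only same-origin XMLHttpRequest code can add.
function encodeContacts(contacts, requestHeaders) {
  if (requestHeaders["x-requested-with"] !== "XMLHttpRequest") {
    return { status: 403, body: "" };
  }
  return { status: 200, body: SYNTAX_GUARD + JSON.stringify(contacts) };
}

// Client side: the legitimate AJAX caller strips the guard before parsing.
function decodeContacts(body) {
  if (!body.startsWith(SYNTAX_GUARD)) {
    throw new Error("response missing syntax guard");
  }
  return JSON.parse(body.slice(SYNTAX_GUARD.length));
}

// Defender's check: would this response body parse as a standalone script?
// new Function() only compiles the text; nothing in it is executed here.
function isLoadableAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    return !(e instanceof SyntaxError);
  }
}

// Constructed contact list in the page's [status, name, email] layout.
const sampleContacts = [
  ["online", "Rich Cannings", "rich@cannings.org"],
  ["DND", "Alex Stamos", "alex@isecpartners.com"],
];

const bareBody = JSON.stringify(sampleContacts);
const hardened = encodeContacts(sampleContacts, { "x-requested-with": "XMLHttpRequest" });

console.log("bare array loadable as script:", isLoadableAsScript(bareBody));        // true
console.log("guarded body loadable as script:", isLoadableAsScript(hardened.body)); // false
console.log("client decodes entries:", decodeContacts(hardened.body).length);       // 2
```

Running isLoadableAsScript over the bodies your own AJAX endpoints return is a quick audit for this class of exposure; any body that compiles cleanly deserves a guard prefix or a move to a format that is not a valid script.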
In January 2006, Jeremiah Grossman discovered a method to steal information from
a prominent webmail site and posted his technique to the WebSecurity mailing list at
webappsec.org. In this posting, he outlined a method for malicious web sites to request
the user's information stream, encoded as JavaScript, from the webmail site using a
simple cross-domain