bindshell.net/tools/beef/, into the victim's browser as if it were being
included from the vulnerable site. This would allow for more flexible, real-time
exploitation of victims, even on sites with the HTTPOnly cookie flag.
3. The attacker can then target information from the victim as the victim browses
any particular site. Using the victim's active session as well as the script's
access to the content would allow the attacker to eavesdrop and compromise all
the information he or she wants.
In the Web 2.0 era, the Internet is not solely a collection of networks that are connected
together, but also a collection of applications that are connected to one another. Security issues
in one application that supplies content to 30 other applications, which
are then used by 200 additional applications, create a web of security issues from a few
single points of failure. Security professionals need to identify, justify, and minimize
cross-domain script inclusion to avoid undercutting the security of their applications by
eliminating or weakening important security barriers.
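A first step toward identifying and justifying cross-domain script inclusion is an inventory of every external script a page pulls in. The following is an added example, not code from the book: it parses a page's HTML and reports each `<script src>` whose origin (scheme, host, port) differs from the page's own; the sample page and hostnames are constructed for illustration.

```python
# Added example (not from the book): inventory the cross-domain <script src>
# inclusions in a page so each one can be identified, justified, or removed.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _ScriptCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in the document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.sources.append(value.strip())


def origin(url):
    """Return (scheme, host, port) of a URL, with the default port filled in."""
    parts = urlsplit(url)
    port = parts.port or {"http": 80, "https": 443}.get(parts.scheme.lower())
    return (parts.scheme.lower(), (parts.hostname or "").lower(), port)


def cross_domain_scripts(page_url, html):
    """Return absolute URLs of scripts whose origin differs from page_url's."""
    collector = _ScriptCollector()
    collector.feed(html)
    page_origin = origin(page_url)
    # Relative and protocol-relative ('//host/x.js') sources are resolved
    # against page_url first, so same-origin scripts are not reported.
    return [
        urljoin(page_url, src)
        for src in collector.sources
        if origin(urljoin(page_url, src)) != page_origin
    ]


# Constructed sample page; all hosts are hypothetical.
SAMPLE_URL = "https://www.example.com/index.html"
SAMPLE_HTML = """<html><head>
<script src="/js/app.js"></script>
<script src="//cdn.example.net/lib.js"></script>
<script src="https://www.example.com:443/js/util.js"></script>
<script src="http://www.example.com/js/old.js"></script>
</head></html>"""
```

Running `cross_domain_scripts(SAMPLE_URL, SAMPLE_HTML)` on the constructed page reports the CDN script and the plain-HTTP script, while the two same-origin includes are left out; each reported URL is a candidate to justify or remove.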
III AJAX
6 AJAX Types, Discovery, and Parameter Manipulation
146 Hacking Exposed Web 2.