AJAX Sniffer + AttackLabs.com

January 18th, 2007

I came across an interesting blog post today on a proof-of-concept AJAX sniffer. It explains how to override certain functions found inside XMLHttpRequest. Source code is also provided on the page. This PoC is an implementation of concepts introduced in Subverting AJAX.
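
A defensive counterpart to the override technique mentioned above, as an added example that is not from the linked post or Attack Labs: it snapshots the XMLHttpRequest methods before other scripts run, reports any that were later replaced, and locks them against reassignment. The helper names and the stand-in class are assumptions made for illustration.

```javascript
// Added example: detect and block replacement of XMLHttpRequest methods.
// snapshotMethods, findReplaced and lockMethods are hypothetical helper names.

// Record the current method references. Run this before any other script.
function snapshotMethods(ctor, names) {
  const snap = {};
  for (const n of names) snap[n] = ctor.prototype[n];
  return snap;
}

// Return the names whose current implementation differs from the snapshot.
function findReplaced(ctor, snap) {
  return Object.keys(snap).filter((n) => ctor.prototype[n] !== snap[n]);
}

// Restore the snapshot and make each method non-writable and non-configurable,
// so later assignment or redefinition cannot swap it out.
function lockMethods(ctor, snap) {
  for (const [n, fn] of Object.entries(snap)) {
    Object.defineProperty(ctor.prototype, n, {
      value: fn, writable: false, configurable: false,
    });
  }
}

function demo() {
  // Constructed stand-in so the example runs outside a browser.
  // In a page, pass window.XMLHttpRequest instead.
  class FakeXHR {
    open(method, url) { this.target = method + " " + url; }
    send(body) { return "sent:" + this.target; }
  }
  const snap = snapshotMethods(FakeXHR, ["open", "send"]);

  // Simulate a later script wrapping send(), the kind of override the post describes.
  const original = FakeXHR.prototype.send;
  FakeXHR.prototype.send = function (body) { return original.call(this, body); };
  const replaced = findReplaced(FakeXHR, snap);

  lockMethods(FakeXHR, snap);
  // A second override attempt now throws (strict mode) or is ignored (sloppy mode).
  try { FakeXHR.prototype.send = function () {}; } catch (e) { /* TypeError */ }
  const stillPristine = findReplaced(FakeXHR, snap).length === 0;
  return { replaced, stillPristine };
}
```

The check only helps if the snapshot is taken before any untrusted script executes, and it does not cover a script that replaces the global XMLHttpRequest constructor itself.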

Something else I wanted to briefly mention was Attack Labs. Demos of the AJAX sniffer and other web attacks are available on this page. The complete list of available proofs of concept (with source code) includes:

  • Steal Clipboard
  • Ajax worm
  • Steal History
  • Browser Spy
  • Site Defacement
  • Cross Domain Javascript Request
  • Ajax Sniffer

I'm not a fan of Web 2.0... and I'm not sure I'm overly fond of AJAX (although I've been playing with pyjamas a bit). So I have to question, as I see more and more attacks come to life, if we're really benefiting from moving more and more of our code from server-side to client-side.
