
MemeStreams Discussion



This page contains all of the posts and discussion on MemeStreams referencing the following web page: DOMinatrix - The JavaScript SQL Injector. You can find discussions on MemeStreams as you surf the web, even if you aren't a MemeStreams member, using the Threads Bookmarklet.

DOMinatrix - The JavaScript SQL Injector
by Acidus at 2:05 am EDT, Jul 26, 2007

DOMinatrix is, well, incredibly awesome. It's a fully automated SQL Injection tool written in JavaScript, which will dump out data from MS SQL Server databases (more to come). I'll be demoing DOMinatrix at my Black Hat presentation.

XSS + Web worm + DOMinatrix = oh crap.

In the last 5 months we've seen the development of web scanners and SQL injectors in JavaScript.

These aren't browser exploits.
These aren't buffer overflows.
These aren't something that affects only a single browser and only on pages that don't explicitly set a character set.

This is using JavaScript in perfectly valid ways to do extremely malicious things.

There is no way to patch this.
End users are pretty much screwed.

Here is a screen shot of DOMinatrix in action.


 
DOMinatrix - The JavaScript SQL Injector
by Rattle at 3:17 am EDT, Jul 26, 2007

Yeah, Billy has another toolkit for destroying the web.. Don't be too shocked or anything, there will most likely be another one next week.

This one is branded with more sexual innuendo than the last one though..

DOMinatrix is, well, incredibly awesome. It's a fully automated SQL Injection tool written in JavaScript, which will dump out data from MS SQL Server databases (more to come). I'll be demoing DOMinatrix at my Black Hat presentation.

XSS + Web worm + DOMinatrix = oh crap.

In the last 5 months we've seen the development of web scanners and SQL injectors in JavaScript.

These aren't browser exploits.
These aren't buffer overflows.
These aren't something that affects only a single browser and only on pages that don't explicitly set a character set.

This is using JavaScript in perfectly valid ways to do extremely malicious things.

There is no way to patch this.
End users are pretty much screwed.

Here is a screen shot of DOMinatrix in action.


 
RE: DOMinatrix - The JavaScript SQL Injector
by dc0de at 8:39 am EDT, Jul 26, 2007

Acidus wrote:

DOMinatrix is, well, incredibly awesome. It's a fully automated SQL Injection tool written in JavaScript, which will dump out data from MS SQL Server databases (more to come). I'll be demoing DOMinatrix at my Black Hat presentation.

XSS + Web worm + DOMinatrix = oh crap.

In the last 5 months we've seen the development of web scanners and SQL injectors in JavaScript.

These aren't browser exploits.
These aren't buffer overflows.
These aren't something that affects only a single browser and only on pages that don't explicitly set a character set.

This is using JavaScript in perfectly valid ways to do extremely malicious things.

There is no way to patch this.
End users are pretty much screwed.

Here is a screen shot of DOMinatrix in action.

I look forward to seeing it at DefCon too?


  
RE: DOMinatrix - The JavaScript SQL Injector
by Acidus at 8:47 am EDT, Jul 26, 2007

dc0de wrote:

Acidus wrote:

DOMinatrix is, well, incredibly awesome. It's a fully automated SQL Injection tool written in JavaScript, which will dump out data from MS SQL Server databases (more to come). I'll be demoing DOMinatrix at my Black Hat presentation.

XSS + Web worm + DOMinatrix = oh crap.

In the last 5 months we've seen the development of web scanners and SQL injectors in JavaScript.

These aren't browser exploits.
These aren't buffer overflows.
These aren't something that affects only a single browser and only on pages that don't explicitly set a character set.

This is using JavaScript in perfectly valid ways to do extremely malicious things.

There is no way to patch this.
End users are pretty much screwed.

Here is a screen shot of DOMinatrix in action.

I look forward to seeing it at DefCon too?

Going to miss Defcon this year. I'm going to Vegas on Sunday and leaving on Friday.


   
RE: DOMinatrix - The JavaScript SQL Injector
by Dolemite at 2:28 pm EDT, Jul 26, 2007

Acidus wrote:

dc0de wrote:

Acidus wrote:

DOMinatrix is, well, incredibly awesome. It's a fully automated SQL Injection tool written in JavaScript, which will dump out data from MS SQL Server databases (more to come). I'll be demoing DOMinatrix at my Black Hat presentation.

XSS + Web worm + DOMinatrix = oh crap.

In the last 5 months we've seen the development of web scanners and SQL injectors in JavaScript.

These aren't browser exploits.
These aren't buffer overflows.
These aren't something that affects only a single browser and only on pages that don't explicitly set a character set.

This is using JavaScript in perfectly valid ways to do extremely malicious things.

There is no way to patch this.
End users are pretty much screwed.

Here is a screen shot of DOMinatrix in action.

I look forward to seeing it at DefCon too?

Going to miss Defcon this year. I'm going to Vegas on Sunday and leaving on Friday.

So maybe we can see this at PhreakNIC? *hint hint*


 
RE: DOMinatrix - The JavaScript SQL Injector
by Worthersee at 9:41 am EDT, Jul 26, 2007

Acidus wrote:

DOMinatrix is, well, incredibly awesome. It's a fully automated SQL Injection tool written in JavaScript, which will dump out data from MS SQL Server databases (more to come). I'll be demoing DOMinatrix at my Black Hat presentation.

XSS + Web worm + DOMinatrix = oh crap.

In the last 5 months we've seen the development of web scanners and SQL injectors in JavaScript.

These aren't browser exploits.
These aren't buffer overflows.
These aren't something that affects only a single browser and only on pages that don't explicitly set a character set.

This is using JavaScript in perfectly valid ways to do extremely malicious things.

There is no way to patch this.
End users are pretty much screwed.

Here is a screen shot of DOMinatrix in action.

Tim Berners-Lee gave us the web. Billy Hoffman lets it run... ;)


There is a redundant post from Neoteric not displayed in this view.
 
 