DOMinatrix is, well, incredibly awesome. It's a full automated SQL Injection tool written in JavaScript, which will dump out data from MS SQL Server databases (more to come). I'm be demoing DOMinatrix at my Black Hat presentation. XSS + Web worm + DOMinatrix = oh crap. In the last 5 months we've seen the development of web scanners and SQL injectors in JavaScript. These aren't a browser exploits. These aren't buffer overflows. These aren't something that affects only a single browser and only on pages that don't explicitly set a character set. This is using JavaScript in perfectly valid ways to do extremely malicious things. There is no way to patch this. End users are pretty much screwed. Here is a screen shot of DOMinatrix in action. DOMinatrix - The JavaScript SQL Injector |