During the lecture we presented at 23C3, "Subverting Ajax", we focused on many topics about Ajax client-side attacks.<br>One of these was called Cross Domain Scripting (aka XDS or AICS), which exploited an HTTP Request Splitting vulnerability to bypass DOM restrictions and inject JavaScript code in real time during the user's browsing session.
<br><br>This kind of attack relies on:<br>1) A Request Splitting vulnerability (in a web browser or a browser plug-in such as Flash, plus a web proxy)<br>2) Frame Injection<br>3) Some tricks to make it work<br><br>The goal was to have control over a browsing session among different domains, extending control and interaction.
<br><br>More info is in the last chapter of our Subverting Ajax paper (Autoinjecting Cross Domain Scripting):<br><a href="http://events.ccc.de/congress/2006/Fahrplan/events/1602.en.html" target="_blank">
http://events.ccc.de/congress/2006/Fahrplan/events/1602.en.html</a><br>
<br>At 23C3, we also had a nice conversation with Dan Kaminsky about the IE 6 vulnerability reported by Amit Klein, which was exploited to leverage the Request Splitting. Indeed Amit Klein did a great job and he's a pioneer in this kind of research.
<br><span class="sg"><br>Giorgio Fedon, Stefano Di Paola</span><div><span class="e" id="q_1108a207ba1c650d_2"><br><br>> Amit Klein found the same vector that I used here for client-side backdoors in May 2006 (still<br>
> not patched?! *shrieks in horror*), but for cache poisoning:<br><br>
</span></div>
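To illustrate the first ingredient the thread mentions, HTTP Request Splitting, here is an added example in JavaScript. It is not code from the 23C3 talk, the Subverting Ajax paper, or any of the people quoted above: it models a client that copies an attacker-influenced header value into a raw request without filtering CR/LF, a minimal parser standing in for a proxy or server that reads the stream and finds two requests where one was sent, and a hardened client that rejects the payload. The host names, paths, the header name X-Custom and the payload are constructed for the demo.

```javascript
// Added example: an illustration of HTTP Request Splitting, written for this
// page; it is not code from the 23C3 talk or the Subverting Ajax paper.
// A client composes a raw HTTP/1.1 request from a header value an attacker
// influences. If CR/LF are copied through unchecked, one request becomes two
// on the wire, and a proxy or server reading the stream treats the second one
// as an independent request, possibly for another Host. All host names and
// paths below are constructed for the demo.

const CRLF = "\r\n";

// Vulnerable client: copies the header value verbatim (no CR/LF filtering).
function buildRequestNaive(method, path, host, headerName, headerValue) {
  return (
    method + " " + path + " HTTP/1.1" + CRLF +
    "Host: " + host + CRLF +
    headerName + ": " + headerValue + CRLF +
    CRLF
  );
}

// Hardened client: rejects CR or LF anywhere in a header name or value.
function buildRequestStrict(method, path, host, headerName, headerValue) {
  if (/[\r\n]/.test(headerName) || /[\r\n]/.test(headerValue)) {
    throw new Error("CR/LF not allowed in header fields");
  }
  return buildRequestNaive(method, path, host, headerName, headerValue);
}

// Minimal model of how a proxy or server reads requests off one connection:
// each message ends at the first blank line; request bodies are not handled,
// which is enough for the GET-only stream used here.
function parseRequests(stream) {
  const requests = [];
  let rest = stream;
  while (rest.length > 0) {
    const end = rest.indexOf(CRLF + CRLF);
    if (end < 0) break; // incomplete message, wait for more bytes
    const lines = rest.slice(0, end).split(CRLF);
    rest = rest.slice(end + 4);
    const [method, target, version] = lines[0].split(" ");
    const headers = {};
    for (const line of lines.slice(1)) {
      const i = line.indexOf(":");
      if (i < 0) continue;
      headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
    }
    requests.push({ method, target, version, headers });
  }
  return requests;
}

// Constructed payload: terminates the first request and smuggles a second one.
const SPLIT_PAYLOAD =
  "x" + CRLF + CRLF +
  "GET /evil HTTP/1.1" + CRLF +
  "Host: victim.example";

// Runs the vulnerable and the hardened builder against the same payload.
function demo() {
  const raw = buildRequestNaive("GET", "/page", "origin.example", "X-Custom", SPLIT_PAYLOAD);
  const seen = parseRequests(raw);
  let strictRejected = false;
  try {
    buildRequestStrict("GET", "/page", "origin.example", "X-Custom", SPLIT_PAYLOAD);
  } catch (e) {
    strictRejected = true;
  }
  return {
    requestCount: seen.length,                          // 2: the split worked
    secondTarget: seen[1] ? seen[1].target : null,      // "/evil"
    secondHost: seen[1] ? seen[1].headers.host : null,  // "victim.example"
    strictRejected,                                     // true: hardened builder refused it
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Run it with `node` to see the two parsed requests. The strict builder models the check current browsers apply to XMLHttpRequest and fetch header values (CR and LF are refused outright); the parser deliberately ignores bodies and Content-Length, which is where real-world splitting and smuggling cases get more involved than this GET-only stream.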