13 JavaScript Worms

Myth: Ajax has not increased the damage Cross-Site Scripting attacks can do.

As we saw in Chapter 10, “Request Origin Issues,” malicious JavaScript can leverage a user’s credentials to send fraudulent HTTP requests to Web servers that look identical to normal user activity. XMLHttpRequest allows malicious JavaScript to send requests and analyze the responses 15 times faster than any pre-Ajax method. This enormous jump in request speed has made it practical for malicious JavaScript to send lots of requests in a very short amount of time. This has led to the rise of JavaScript worms, which need these rapid, silent requests to propagate and inflict damage. To date, virtually every JavaScript worm (Samy, Yamanner, Xanga, MySpace ...
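The same property the paragraph describes, many authenticated requests fired within seconds from one session, is also what makes worm-driven traffic stand out in server logs. The following is an added defender-side example, not code from the book; the log format, the `sess=` field and the thresholds are assumptions.

```javascript
// Constructed sample access log (not real data): "<unix_ts> sess=<id> <method> <path>".
// "bob" behaves like a browser running worm JavaScript: 8 POSTs in under 3 seconds.
// "alice" is a human pace; "carol" only issues GETs, which are not state-changing.
const SAMPLE_LOG = [
  "1700000000.0 sess=alice POST /profile/update",
  "1700000100.0 sess=bob POST /friends/add",
  "1700000100.4 sess=bob POST /friends/add",
  "1700000200.0 sess=carol GET /profile/view",
  "1700000100.8 sess=bob POST /profile/update",
  "1700000101.2 sess=bob POST /friends/add",
  "1700000030.0 sess=alice POST /friends/add",
  "1700000101.6 sess=bob POST /friends/add",
  "1700000200.1 sess=carol GET /profile/view",
  "1700000102.0 sess=bob POST /profile/update",
  "1700000102.4 sess=bob POST /friends/add",
  "1700000060.0 sess=alice POST /profile/update",
  "1700000102.8 sess=bob POST /friends/add",
];

// Parse one log line into its timestamp, session id, method and path.
function parseLine(line) {
  const [ts, sessField, method, path] = line.trim().split(/\s+/);
  return { ts: Number(ts), session: sessField.slice("sess=".length), method, path };
}

// Return { sessionId: peakCount } for every session that issued more than
// `maxRequests` state-changing (non-GET) requests inside any sliding window
// of `windowSeconds`. Lines may arrive out of order; timestamps are sorted.
function findBurstySessions(lines, { windowSeconds = 10, maxRequests = 5 } = {}) {
  const perSession = new Map();
  for (const line of lines) {
    const e = parseLine(line);
    if (e.method === "GET") continue; // reads alone do not propagate a worm
    if (!perSession.has(e.session)) perSession.set(e.session, []);
    perSession.get(e.session).push(e.ts);
  }
  const flagged = {};
  for (const [session, times] of perSession) {
    times.sort((a, b) => a - b);
    let start = 0;
    let peak = 0;
    for (let end = 0; end < times.length; end++) {
      // Slide the window start forward until it covers at most windowSeconds.
      while (times[end] - times[start] > windowSeconds) start++;
      peak = Math.max(peak, end - start + 1);
    }
    if (peak > maxRequests) flagged[session] = peak;
  }
  return flagged;
}

console.log(findBurstySessions(SAMPLE_LOG)); // { bob: 8 }
```

A real deployment would key on the authenticated session rather than the client address, since worm requests carry the victim's own credentials and arrive from the victim's own browser.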