Sla.ckers.org
The ha.ckers.org and sla.ckers.org web application security lab house rules and a place for you to introduce yourself if you like. 
Javascript for beginners
Posted by: lat
Date: November 05, 2008 12:53PM

I'm not sure which forum this fits into best, but I'm looking for suggestions of good resources / books to learn Javascript.

Re: Javascript for beginners
Posted by: Gareth Heyes
Date: November 05, 2008 01:09PM

Short but sweet:-
http://oreilly.com/catalog/9780596517748/

Best reference:-
http://oreilly.com/catalog/9780596101992/

I can't recommend any others as they've been extremely poor and I read a lot of books.

The sla.ckers thread I started is a good way to learn:-
http://sla.ckers.org/forum/read.php?2,15812

Hope they help

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: Javascript for beginners
Posted by: Anonymous User
Date: November 06, 2008 03:21AM

This resource might turn out helpful too:

https://developer.mozilla.org/en/JavaScript

Re: Javascript for beginners
Posted by: Gareth Heyes
Date: November 06, 2008 05:56AM

@mario

Good call

Here are some other online ones I use:-
http://www.w3schools.com/js/default.asp
http://msdn.microsoft.com/en-gb/library/hbxc2t98.aspx
http://webreflection.blogspot.com/
http://ejohn.org/
http://blog.nihilogic.dk/
http://my.opera.com/hallvors/

Re: Javascript for beginners
Posted by: kuza55
Date: November 06, 2008 11:07PM

Can I ask why you're interested in learning JavaScript?

I haven't found much use for the language itself beyond the basics, and found that investing time into looking at its implementations in browsers is more useful than anything else.

I'm not so down with books, so maybe I'm wrong; but it seems the mozilla.org and msdn references are the things that have been most useful to me. That and just playing with shit to see when the MSDN documentation is flat out lying.

----------------------------------------------------------
Don't forget our IRC: irc://irc.irchighway.net/#slackers
[kuza55.blogspot.com]

Re: Javascript for beginners
Posted by: lat
Date: November 07, 2008 03:33AM

My initial thinking was:

o I'd like to understand how you guys find those obscure Javascript methods to exploit XSS

o I'd like to understand how XSS can be used to install malware on a machine. I understand how you could force a download, but not how you would force an installation.

o I'd like to get involved with the AttackAPI project, which is written in Javascript (yet the source needs to be compiled with ant, not sure why that is). For example, the stand alone module starts out with:

    var AttackAPI = {
        version: '3.0.0a',
        author: 'Petko D. Petkov | pdp',
        homepage: 'http://www.gnucitizen.org',
        projecthome: 'http://www.gnucitizen.org/projects/attackapi'
    };

I'd like to understand what that is, is that some kind of anonymous object or hash?

Re: Javascript for beginners
Posted by: kuza55
Date: November 07, 2008 03:54AM

lat Wrote:
-------------------------------------------------------
> My initial thinking was:
>
> o I'd like to understand how you guys find those
> obscure Javascript methods to exploit XSS
Most of the time you really don't need to understand much of JavaScript to XSS sites (especially about the JavaScript language, the language supports a bunch of stuff most attackers don't use, barring of course the guys hacking away at IDS/IPS/WAF/Filtering technology, of course if that's your thing, go for it).

> o I'd like to understand how XSS can be used to
> install malware on a machine. I understand how you
> could force a download, but not how you would
> force an installation.
The term 'JavaScript Malware' is bullshit, whoever uses that term (or tries to say XSS is the new buffer overflow) is just trying to make their ideas look more important than they really are by tying them to things which actually have a serious impact; 'Javascript malware' mostly just applies to ways in which you can use JavaScript to perform 'malicious' tasks, which are mostly just lame in the grand scheme of things, such as using a user as a proxy to port scan the local intranet (who cares what you can scan, if you can't then exploit it?) or see if a user has visited a page, etc.

Essentially, without some kind of browser bug you can't force an installation.

> o I'd like to get involved with the AttackAPI
> project, which is written in Javascript (yet the
> source needs to be compiled with ant, not sure why
> that is). For example, the stand alone module
> starts out with:
>
> var AttackAPI = {
> version: '3.0.0a',
> author: 'Petko D. Petkov | pdp',
> homepage: 'http://www.gnucitizen.org',
> projecthome:
> 'http://www.gnucitizen.org/projects/attackapi'};
>
> I'd like to understand what that is, is that some
> kind of anonymous object or hash?

It's a JavaScript object, i.e. AttackAPI.version == '3.0.0a', etc.

P.S. I wasn't trying to say it's not worth learning, just that it's not completely necessary to understand all the features of the language and that you shouldn't feel obligated to learn more than what you think you need to.

Re: Javascript for beginners
Posted by: Kyran
Date: November 07, 2008 06:02PM

Long story short, if you're a budding developer, learn it.
If you're here to break stuff...well.
You don't need to be an engineer to hotwire a car or smash a window. Learn what you need.

- Kyran

Re: Javascript for beginners
Posted by: lat
Date: December 25, 2008 04:10PM

Thanks for the links. I checked them out and have learned a lot. At this point I'm stuck on the following function from AttackAPI. I can't find any reference to the onfound method in any JavaScript documentation. Can someone explain to me what the 'check' function does?

Thanks

    AttackAPI.dom.scanExtensions = function (scan) {
        // Use the caller's signature list if one was passed in, else the default list.
        var signatures = (scan.signatures != undefined) ? scan.signatures : AttackAPI.dom.signatures.extensions;

        // Try to load one signature's URL as an image.
        function check(signature, index, length) {
            var img = new Image();
            img.onload = function () {
                if (typeof(scan.onfound) == 'function')
                    scan.onfound(signature, scan);

                if (index == length - 1 && typeof(scan.oncomplete) == 'function')
                    scan.oncomplete(scan);
            };
            img.onerror = function () {
                if (index == length - 1 && typeof(scan.oncomplete) == 'function')
                    scan.oncomplete(scan);
            };
            img.src = signature.url;
        }

        // Check each signature in turn.
        for (var i = 0; i < signatures.length; i++)
            check(signatures[i], i, signatures.length);
    };

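On the question in the last post: onfound and oncomplete appear in no JavaScript reference because they are properties that the caller puts on the scan argument; the function only calls them if they are functions. The sketch below is an added example, not part of the thread and not AttackAPI code, that runs the same callback flow under Node. FakeImage, settle, scanWith, runDemo and the sample:// URLs are constructed for illustration.

```javascript
// Added example, not AttackAPI code. FakeImage replaces the browser's Image so
// the callback flow runs under Node; the sample:// URLs are constructed data.
const LOADABLE = new Set(['sample://ext-a/icon.png', 'sample://ext-c/icon.png']);
const pending = []; // load/error outcomes waiting to be delivered
class FakeImage {
  // Setting src only queues the outcome; a browser also delivers it later.
  set src(url) { pending.push({ img: this, ok: LOADABLE.has(url) }); }
}

// Deliver the queued outcomes in a chosen order (indices into the queue).
function settle(order) {
  const events = pending.splice(0);
  for (const k of order) {
    const { img, ok } = events[k];
    const handler = ok ? img.onload : img.onerror;
    if (typeof handler === 'function') handler();
  }
}

// Same shape as the function in the post: onfound and oncomplete are plain
// properties the caller puts on the scan object, not DOM or language APIs.
function scanWith(ImageCtor, scan) {
  const sigs = scan.signatures;
  sigs.forEach((sig, index) => {
    const img = new ImageCtor();
    const done = () => {
      if (index === sigs.length - 1 && typeof scan.oncomplete === 'function') scan.oncomplete(scan);
    };
    img.onload = () => {
      if (typeof scan.onfound === 'function') scan.onfound(sig, scan);
      done();
    };
    img.onerror = done;
    img.src = sig.url; // starts the (queued) load attempt
  });
}

// Run one scan; return the order in which the caller's callbacks fired.
function runDemo(order) {
  const log = [];
  scanWith(FakeImage, {
    signatures: ['ext-a', 'ext-b', 'ext-c'].map((name) => ({ name, url: `sample://${name}/icon.png` })),
    onfound: (sig) => log.push('found:' + sig.name),
    oncomplete: () => log.push('complete'),
  });
  settle(order);
  return log;
}

console.log(runDemo([0, 1, 2]), runDemo([2, 0, 1]));
```

When the outcomes arrive in the order [2, 0, 1], 'complete' is logged before 'found:ext-a': the index test identifies the last signature in the list, not the last load to finish.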