Introduction

In a relatively short time, client-side security has become one of the most researched and discussed topics in the information security world. Being a low priority for a number of years, security and software vendors have just started to realize the real potential in this long-forgotten hacking discipline. Web malicious software (malware), Asynchronous JavaScript and XML (AJAX) worms, history brute forcing, login detection, zombie control, network port scanning, and browser hijacking are just a few of the techniques that have recently appeared from the underground laboratories of security researchers, and with a great impact.

Similar to other times when a type of security discipline emerges and becomes a mainstream exploitation mechanism, vendors and individuals have started to release frameworks and automatic tools to handle the attack and testing process. While vendors are primarily concentrated on providing tools for auditing AJAX applications, security researchers are more interested in stretching the boundaries of the system in the quest for the ultimate truth.

There are many different techniques that have been discovered and all of them have their quirks, problems, and advantages. Browsers have always been a battlefield and the worst nightmare for every developer. Due to the wide range of possible attack vectors, it is no surprise that developers and researchers have created several JavaScript attack/testing frameworks to enhance the testing of the Web application. Just like Metasploit, CANVAS and CORE IMPACT have helped to isolate and enlighten users as to the threats and risks of the server-side world, and the...