So, I'm working (night and day, and day and night) on a 60-minute AJAX Security presentation that MSDN presenters will use to remind web developers of ... you guessed it: AJAX security.
But I think I've been spending a bit too much time contemplating various XSS attack vectors. In fact, partly inspired by "Samy", I've come up with my own sinister plot, and thought I'd share it:
Disaster:
3 scoops of exploit and 1 cup of negligence: the hacker manages to execute a persisted (stored) XSS attack against a site that blindly trusts user input, persists it, and outputs it to subsequent visitors (a forum site, for example).
2 teaspoons of malice: the hacker gets an evil.js file loaded into visitors' browsers, and after harvesting credentials (and possibly logging keystrokes, etc.) it executes a nifty function called Replicate(). Replicate is a JS function that checks the current page's referrer, if there is one, and then attempts various SILENT exploits against the referring page, trying to locate other pages, form fields, etc. that might be susceptible to persisted XSS attacks. (It can use the XmlHttpRequest object to request, parse, and interact with referring pages from the same site, because the same-origin policy does not block interaction with pages on the site the script is already running on.)
Mix well and simmer: if other pages are compromised, the code injected into them instructs browsers to load the same evil.js file, which subsequently checks new referrers and attempts to compromise those pages too.
With any luck, huge chunks of an entire site could be swamped with credential-harvesting, keystroke-logging, self-replicating evil.... it's like the Borg all over again. (And I'm sure some evil (or good) genius hacker out there has already coded this pig... I'm just happy I was able to come up with the idea all on my own...)
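As an added example (not code from the original post), here is the rendering defect the whole recipe depends on, beside its hardened form, in JavaScript: the forum page writes a stored post body into other visitors' pages verbatim, and output encoding is what denies the stored payload its foothold. The post object, the author value and the evil.example URL are constructed sample data.

```javascript
// HTML-escape the five characters that let text break out of an element body
// or a quoted attribute. Ampersand goes first so already-escaped text is not
// double-encoded. Applied at output time, on every value that came from a user.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: the stored post body and author are concatenated into the page
// as-is, so whatever one visitor typed becomes markup (and script) for the next.
function renderPostUnsafe(post) {
  return `<div class="post" data-author="${post.author}">${post.body}</div>`;
}

// Hardened: identical layout, but every user-supplied value passes through
// escapeHtml() on its way into the page. The browser then shows the text of
// the payload instead of parsing it as a script tag or an extra attribute.
function renderPostSafe(post) {
  return `<div class="post" data-author="${escapeHtml(post.author)}">${escapeHtml(post.body)}</div>`;
}

// Constructed sample: a stored post that tries to pull in an external script
// from its body and to break out of the data-author attribute.
const storedPost = {
  author: 'mallory" onmouseover="alert(1)',
  body: '<script src="https://evil.example/evil.js"></script>hello',
};

// Both renderings side by side, so the difference is visible.
function demo() {
  return { unsafe: renderPostUnsafe(storedPost), safe: renderPostSafe(storedPost) };
}

console.log("unsafe:", demo().unsafe);
console.log("safe:  ", demo().safe);
```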