So if we assume these people have any idea what they're talking about, it's some kind of SQLi attack... presumably mySQL? I wonder at what point it'll occur to them that Facebook mostly serves data from memcached.
Uh... did I get something wrong here? A correction or something would be nice.
"RefRef is a revolutionary DoS java site. Basically, by using an SQL and .js vulnerability, you can send a page request packet from your home computer with embedded .js file, because of the vulnerability in the SQL/Javascript engine on MOST websites, the site actually TEMPs the .js file on its own server. So now the .js is in place on the host of the site. Next since you still have the request, it picks up the .js file, and all of the requesting for packets power happens on the server, not the requestee. I send two packets from my iphone, and everything else happens on the server. Basically eats itself apart, because since both are on the server, its all a local connection."
"The tool is very effective, a 17-seconds attack from a single machine resulting in a 42-minute outage on Pastebin yesterday. As expected, the Pastebin admins weren't very happy with their platform being used for such tests and tweeted 'Please do not test your software on us again.'"
"The effectiveness of RefRef is due to the fact that it exploits a vulnerability in a widespread SQL service. The flaw is apparently known but not widely patched yet. The tool's creators don't expect their attacks to work on a high-profile target more than a couple of times before being blocked, but they don't believe organizations will rush to patch this flaw en masse before being hit."
first of all, there's no javascript "engine" on most websites. and every major vendor of SQL databases has it's own, so good luck in finding a vulnerability that works with MSSQL/Oracle/Mysql/Postgresql.
also, even if you manage to store a .js file in a temp directory (which would be handled by the web server, btw. nothing to do with sql/js) it's usually a very locked down directory (you can't even execute from /tmp by default in most GNU/Linux servers)
even so, you would still need to execute that .js file (and how? most servers can't run javascript)
I'm not saying this tool doesn't exist, but I'm pretty sure that's not how it works
i think you're getting downvoted because anonymous has proven many times in the past that at least the people "in charge" (as much as you can call it that) definitely know what they're talking about and are possibly comprised of security experts.
if this is in fact anonymous. i'm not convinced, too big a target for them to have so little fanfare/flair.
Uh... did I get something wrong here? A correction or something would be nice.