Slashdot Mirror


JavaScript Malware Open The Door to the Intranet

An anonymous reader writes "C|Net is reporting that JavaScript malware is opening the door for hackers to attack internal networks. During the Black Hat Briefings conference Jeremiah Grossman (CTO, WhiteHat Security) '...will be showing off how to get the internal IP address, how to scan internal networks, how to fingerprint and how to enter DSL routers ... As we're attacking the intranet using the browser, we're taking complete control over the browser.' According to the article, the presence of cross-site scripting vulnerabilities (XSS) dramatically increases the possible damage that can be caused. The issue is also not which-browser-is-more-secure, as all major browsers are equally at risk. Grossman says 'The users really are at the mercy of the Web sites they visit. Users could turn off JavaScript, which really isn't a solution because so many Web sites rely on it.'"

6 of 169 comments

  1. Re:Simple fix to an obvious problem by ergo98 · Score: 5, Interesting

    Giving JavaScript the power to do random network accesses may make AJAX possible

    The XmlHttpRequest functionality doesn't allow "random network access", but instead is limited to calling the source website (in all browsers but IE. In IE the requests can go anywhere).

    I predict 2 weeks before there's a FireFox update for this, and 2 years before MSIE fixes the problem.

    Fix what though? The submission seems to be that someone has a big surprise that they're going to release at a conference, and for all we know they could be full of shit, talking big to get a lot of attention. Personally I would rather that this story was shelved until there are actual details that can be addressed/rebutted. Instead it's like lame nightly news teasers.

    "Coming tonight at 11 - Something ordinary in your home that can KILL YOU! Now back to The Family Guy."

  2. Problem Solved? by Petersko · Score: 2, Interesting

    "Then Javascript will be disabled by default, but user can whitelist the sites where Javascript should be enabled. Problem solved."

    The consequences of disabling Javascript can lead to a host of new problems. I used to disable javascript and enable it by whitelist. Then I registered a piece of shareware, paid by credit card, and waited. Of course since the whitelisted servers forwarded off to some other entity which provided the registration pages, it never came back. So I figured out the servers that it was dealing with, whitelisted them, and reregistered.

    Naturally I got double-billed. The shareware provider kindly fixed that situation, and I was credited, but this situation was a good example of why whitelisting sites is not the solution.

  3. Re:I tried the "proof of concept" here... by vtcodger · Score: 2, Interesting

    ***but failed to find my wireless router (through which it had to pass in order to see the rest of my network), or my print server. It also identified as "exists" several IP addresses on which no machine or device exists.***

    Doesn't the second part of that make you a little nervous? One possibility is that it is finding your router and print server, but not where they are supposed to be. Could be an error in the program, but it could be some 'feature' of your network environment that you'd like to know about.

    --
    You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey

  4. Missing the point by Minwee · Score: 3, Interesting

    "Users could turn off JavaScript, which really isn't a solution because so many Web sites rely on it."

    Yes it is. Users could also politely point out to the authors and administrators of the majority of web sites which rely on javascript that they really, absolutely, positively don't need it. You don't need javascript to open a link to another page. You don't need javascript to open an image in a gallery. You don't need javascript to submit a username and password. You just don't need it. I would say that using scripted actions for that is lazy and stupid, but it actually involves a good deal more work than using proper HTML. That makes it just plain stupid.

    For the rare applications which actually require javascript and don't just use it as some kind of prosthetic wiener replacement there is always the option of enabling scripting on a site by site basis. Turning scripting on for http://trusted.internal.site.on.your.local.net/ but not for http://random.russian.warez.and.porn.site/ really is a solution.

  5. Firefox NoScript? by kintarowins · Score: 2, Interesting

    How anyone can just not use a simple extension to block scripts, flash, java, etc like the Firefox NoScript extension is just confusing to me. People actually seem to want to run foreign applications on their system through sites which can quite easily load anything they want.

    Make it clear to your family that the modern Internet is like the real world. Protecting your computer with either a secure Internet Explorer (eg: the default Windows 2003 IE config) or Mozilla Firefox (with the NoScript and CookieSafe) configuration is like leaving your car unlocked in an inner-suburb train station... It will get broken into!

    For those affected by these issues: welcome to the real world. Grow up, plug in, learn what the hell you're doing on this internet.

    You should need a licence to even have an Internet Connection.