Slashdot Mirror


JavaScript Malware Open The Door to the Intranet

An anonymous reader writes "C|Net is reporting that JavaScript malware is opening the door for hackers to attack internal networks. During the Black Hat Briefings conference Jeremiah Grossman (CTO, WhiteHat Security) '...will be showing off how to get the internal IP address, how to scan internal networks, how to fingerprint and how to enter DSL routers ... As we're attacking the intranet using the browser, we're taking complete control over the browser.' According to the article, the presence of cross-site scripting vulnerabilities (XSS) dramatically increases the possible damage that can be caused. The issue is also not which-browser-is-more-secure, as all major browsers are equally at risk. Grossman says 'The users really are at the mercy of the Web sites they visit. Users could turn off JavaScript, which really isn't a solution because so many Web sites rely on it.'"

5 of 169 comments

  1. JavaScript Malware Open The Door to the Intranet by Ohreally_factor · · Score: 5, Funny

    Caveman Zonk edit headline bad.

    --
    It's not offtopic, dumbass. It's orthogonal.
  2. NoScript by dvice_null · · Score: 5, Informative

    Why can't users just install Firefox and the NoScript extension for it? Then JavaScript will be disabled by default, but the user can whitelist the sites where JavaScript should be enabled. Problem solved.

    1. Re:NoScript by rdwald · · Score: 5, Informative

      In addition to blocking JavaScript on non-whitelisted sites, NoScript also prevents Flash and Java from loading unless you specifically allow them on a case-by-case basis. All of those stupid Flash ads will be gone, but you can still view everything you want to! It's a great extension.

    2. Re:NoScript by Anonymous Coward · · Score: 5, Insightful

      The problem is not necessarily the web browsers (and most don't even use Firefox let alone have even heard of that extension). The problem is the websites that don't properly take steps to protect against XSS (e.g. HTMLencode user input).

      Most recently we saw this problem in Netscape's portal.

      http://blog.outer-court.com/archive/2006-07-26-n73.html

      Developers need to start thinking not only about how to solve the particular business problem but also about how their code could be potentially abused by attackers and take active steps to mitigate that risk.

  3. Re:Simple fix to an obvious problem by ergo98 · · Score: 5, Interesting

    Giving JavaScript the power to do random network accesses may make AJAX possible

    The XmlHttpRequest functionality doesn't allow "random network access", but instead is limited to calling the source website (in all browsers but IE. In IE the requests can go anywhere).

    I predict 2 weeks before there's a FireFox update for this, and 2 years before MSIE fixes the problem.

    Fix what though? The submission seems to be that someone has a big surprise that they're going to release at a conference, and for all we know they could be full of shit, talking big to get a lot of attention. Personally I would rather that this story was shelved until there are actual details that can be addressed/rebutted. Instead it's like lame nightly news teasers.

    "Coming tonight at 11 - Something ordinary in your home that can KILL YOU! Now back to The Family Guy."