July 28, 2006 12:44 PM PDT
JavaScript opens doors to browser-based attacks
- Related Stories
-
The security risk in Web 2.0
July 28, 2006 -
Worm lurks behind MySpace profiles
July 18, 2006 -
Browser bugs hit IE
June 29, 2006 -
PayPal fixes phishing hole
June 16, 2006 -
Here come the 'Family 2.0' sites
June 2, 2006 -
Hijacking MySpace for fame and fortune
May 10, 2006 -
Google deal highlights Web 2.0 boom
March 13, 2006
The malicious JavaScript can be embedded in a Web page and will run without warning when the page is viewed in any ordinary browser, the researchers said. It will bypass security measures such as a firewall because it runs through the user's browser, they said.
"We have discovered a technique to scan a network, fingerprint all the Web-enabled devices found and send attacks or commands to those devices," said Billy Hoffman, lead engineer at Web security specialist SPI Dynamics. "This technique can scan networks protected behind firewalls such as corporate networks."
A successful attack could have significant impact. For example, it could scan your home network, detect a router model and then send it commands to enable wireless networking and turn off all encryption, Hoffman said. Or it could map a corporate network and launch attacks against servers that will appear to come from the inside, he said.
"Your browser can be used to hack internal networks," said Jeremiah Grossman the chief technology officer at Web application security company WhiteHat Security. Both SPI Dynamics and WhiteHat Security came up with the JavaScript-based network scanner at about the same time, he said. The companies plan to talk about their findings at next week's Black Hat security event in Las Vegas.
JavaScript, AJAX and the Web
JavaScript has been around for about a decade. The scripting programming language is used on Web sites and is increasingly popular in recent years thanks to a programming technique known as AJAX--Asynchronous JavaScript and XML--that makes sites more interactive. AJAX has its own share of security pitfalls.
While malicious JavaScript has been possible for a long time, security researchers have not focused much on it, said Fyodor Vaskovich, creator of the popular Nmap network port scanning tool. Instead, bug hunters have been focused on finding Web browser flaws that allow for a quicker and simpler PC hijack, he said.
"There has been little motivation to explore side-channel attacks such as this one," Vaskovich said. "But a key advantage of the SPI Dynamics vulnerability is that it is difficult to fix without breaking many Web applications. So it may be around for years to come."
There have been similar attempts to craft JavaScript-based network scanners, but none as advanced as the SPI Dynamics example, Vaskovich said. "SPI Dynamics deserves credit for a clever attack vector and a solid demonstration of the issue. Their method of fingerprinting servers by checking for default image paths and names is slick."
When run, the JavaScript first determines the internal network address of the PC. Then, using standard JavaScript objects and commands, it starts scanning the local network for Web servers. These can be computers that serve Web pages, but they can also include routers, printers, IP phones and other networked devices or applications that have a Web interface.
"Everything has a Web server these days," Grossman said.
Pings from the host
The JavaScript scanner determines whether there is a computer at an IP address by sending a "ping" using JavaScript "image" objects. It then determines what servers are running by looking for image files stored in standard places, the traffic it receives back and the error messages it receives, according to a SPI Dynamics paper.
A malicious JavaScript could be hosted on an attacker's site, but an attack could also lurk on a trusted Web site by exploiting a common flaw known as cross-site scripting. Big-name Web companies including Google, Microsoft and eBay have had to plug such holes. Earlier this week AOL's Netscape.com fixed such a flaw that let apparent fans of rival Digg.com plant JavaScript on the Netscape Web site.
At BlackHat, Grossman is slated to demonstrate one attack. "We will be showing off how to get the internal IP address, how to scan internal networks, how to fingerprint and how to enter DSL routers," he said. "As we're attacking the intranet using the browser, we're taking complete control over the browser."
There is little a PC user can do in terms of protection. The burden largely rests on Web site developers to make sure their users and servers stay safe, experts said. Some PC security software will detect malicious JavaScript, but typically only after an attack has surfaced, because they rely on attack signatures (the "fingerprint" of the threat) to block the attack.
"All our protection recommendations are server-side," Grossman said. Site operators should fix cross-site scripting flaws and validate any user-submitted JavaScript. "The users really are at the mercy of the Web sites they visit. Users could turn off JavaScript, which really isn't a solution because so many Web sites rely on it," he said.
Also, if you suspect something fishy is going on, surfing to a different Web page or shutting down your browser will likely stop the JavaScript.
Attacks aren't widespread, Grossman said. "JavaScript malware is still cutting-edge, and nobody really knows what you can do with it," he said. "Liken it to the early days of an e-mail virus--that's where we're at now. I think we're going to see (many) more attacks."
See more CNET content tagged:
SPI Dynamics,
JavaScript,
corporate network,
internal network,
AJAX
I have been studying JavaScript extensively as part of my Web Development regime and am finding more and more way's to manipulate it for evil than for good! And you though cookies were harmless!
J Gund
Tech01
www.tech01.net
script attacks or was that just a poor choice on the graphic
artist's part?
Users are having to accept patches to problems when they are wanting REAL solutions.
Society actualy cares, but is not able to cope with the ever increasing speed of tech and lack of knowledge of the same.
Maxi
sites, work just fine without Javascript. I think it makes
more sense to have Javascript turned off by default and then
only activate it when really necessary.
If you want to view a link... it can be done in HTML... no need to use Javascript... but many do.
Javascript looses readers... especially those like me because I don't allow javascript for just anybody. There must be a reason.
But if that reason is because some bloody javascript crazy programmer decided to use javascript rather than just plain HTML... then I don't view that site and I also voice my opinion against that site to all of my buddies.
Javascript needs to be used with care... only when required... not just when desired.
And if you haven't figured it out yet... I block ALL javascript by default. And must have sound reasoning why to unblock it.
Sadly however... much of the internet doesn't understand the vulnerabilites of it and thus programs javascript for everything.
Walt
- The TRUTH about Firefox
-
by umbrae
July 31, 2006 6:54 AM PDT
- Disabling JavaScript in Firefox does, in fact, block this request. I have no experience with the NOSCRIPT "3rd Party" extension for Javascript, but this is a "3rd Party" tool and does not reflect upon any of the "core" Firefox development team. Regardless of what Google tools Mozilla decides to include in 2.0.
-
Reply to this comment
-
-
See all 29 Comments >>Please understand how a browser works and is developed before you lay claims to what they do and do not know.
Once again, you can uncheck "Enable Javascript" in Firefox and it will block this exploit.