> Seems JavaScript is getting some bad press:
> "Security researchers have found a way to use JavaScript
[quoted text clipped - 10 lines]
> I'm not sure what anyone can do with knowing that my printer's
> IP is 10.1.1.5, but maybe someone else has a suggestion?
The article includes the statement: "When run, the JavaScript first
determines the internal network address of the PC", which is not
information that JavaScript can get directly from a web browser. Java
can tell you that (though the security manager for its use inside a web
browser should prevent it from doing so) and ActiveX components can tell
you that (though only the type of ActiveX objects that should be
disabled in the Internet security zone). Apart from that the only
approach I can think of would be trial and error, and that appears to be
the approach taken in the article. Specifically: loading the SRC of an Image
object with a likely address and seeing what happens, presumably whether
its onerror or onload handlers are fired (onerror: look elsewhere;
onload: you have learnt something about the system).

A trial and error approach is potentially going to be slow (and may
build up large runtime memory consumption). It is not going to be
practical to scan the entire possible IP range, so I imagine that you
start with variations of likely internal network addresses.

Of course loading an Image SRC with a local network address from a
script originating on the Internet should provoke cross-domain security
restrictions, and as I recall those restrictions apply to Image objects
on Mozilla/Gecko browsers even if IE doesn't seem quite so concerned
(or didn't last time I tried, which was a couple of years ago now).
Richard.
news@chthonic.f9.co.uk - 31 Jul 2006 09:52 GMT
> A trial and error approach is potentially going to be slow (and may
> build up large runtime memory consumption). It is not going to be
> practical to scan the entire possible IP range, so I imagine that you
> start with variations of likely internal network addresses.
Their proof of concept requires you to give the script a start and
stop IP address.
> Of course loading an Image SRC with a local network address from a
> script originating on the Internet should provoke cross-domain security
> restrictions, and as I recall those restrictions apply to Image objects
> on Mozilla/Gecko browsers even if IE doesn't seem quite so concerned
> (or didn't last time I tried, which was a couple of years ago now).
It appears to "work" on Firefox 1.5.0.5 - it was able to determine some
of our hosts existed although not all. Lots of false negatives. It
failed to identify our only IIS server even though it is supposed to
specifically look for one.
The status bar was full of "connecting to 10.10.xxx.xxx" messages so
you can't really fail to notice it running.
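
Added example, not part of either post above: the sweep described in this thread (one Internet-hosted page requesting images from a run of internal addresses) is noisy enough to spot in a request log. The sketch below assumes a proxy or browser log that records the referring page and the requested URL; the field names, the threshold and the sample entries are constructed for illustration, and intranet pages reached by hostname rather than IP literal are not recognised as internal.

```javascript
// Added example: flags a page on a public origin that requests resources from
// many distinct private, loopback or link-local IPv4 addresses.
function parseIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;                      // hostname or malformed literal
  const o = m.slice(1).map(Number);
  return o.every((n) => n <= 255) ? o : null;
}

function isPrivateIPv4(host) {
  const o = parseIPv4(host);
  if (!o) return false;
  return o[0] === 10 || o[0] === 127 ||            // 10/8, loopback
    (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||  // 172.16/12
    (o[0] === 192 && o[1] === 168) ||              // 192.168/16
    (o[0] === 169 && o[1] === 254);                // link-local
}

// requests: [{ page: URL of the document, target: URL it requested }]
// threshold: assumed tuning value for "distinct internal hosts per origin".
function findSweeps(requests, threshold = 5) {
  const seen = new Map();                   // page origin -> Set of private hosts
  for (const { page, target } of requests) {
    let p, t;
    try { p = new URL(page); t = new URL(target); } catch { continue; }
    if (isPrivateIPv4(p.hostname)) continue;   // intranet page, intranet target
    if (!isPrivateIPv4(t.hostname)) continue;  // target is not internal
    if (!seen.has(p.origin)) seen.set(p.origin, new Set());
    seen.get(p.origin).add(t.hostname);
  }
  return [...seen].filter(([, hosts]) => hosts.size >= threshold)
    .map(([origin, hosts]) => ({ origin, distinctPrivateHosts: hosts.size }));
}

// Constructed sample log: one sweeping page, one stray hit, one intranet page.
const sampleLog = [];
for (let i = 1; i <= 8; i++) {
  sampleLog.push({ page: "http://scanner.example/poc.html", target: `http://10.10.0.${i}/favicon.ico` });
}
sampleLog.push({ page: "http://news.example/", target: "http://192.168.1.1/logo.gif" });
sampleLog.push({ page: "http://10.1.1.20/wiki", target: "http://10.1.1.5/status.png" });
sampleLog.push({ page: "http://news.example/", target: "http://cdn.example/a.png" });

console.log(findSweeps(sampleLog));
```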