JavaScript Malware Open The Door to the Intranet 169
An anonymous reader writes "C|Net is reporting that JavaScript malware is opening the door for hackers to attack internal networks. During the Black Hat Briefings conference Jeremiah Grossman (CTO, WhiteHat Security) '...will be showing off how to get the internal IP address, how to scan internal networks, how to fingerprint and how to enter DSL routers ... As we're attacking the intranet using the browser, we're taking complete control over the browser.' According the the article, the presence of cross-site scripting vulnerabilities (XSS) dramatically increase the possible damage that can be caused. The issue also not which-browser-is-more-secure, as all major browsers are equally at risk. Grossman says 'The users really are at the mercy of the Web sites they visit. Users could turn off JavaScript, which really isn't a solution because so many Web sites rely on it.'"
NoScript (Score:5, Informative)
Re:NoScript (Score:5, Informative)
Re:NoScript (Score:3, Informative)
RTFA.
NoScript extension could be a saviour (Score:5, Informative)
It blocks javascript per-site until I choose to whitelist the site: Not only do I get a great deal fewer annoyances interrupting my browsing, but it also cuts out a lot of web advertising (the AdBlock extension makes my browser drag when fully loaded with filters)
Re:NoScript (Score:2, Informative)
I tried the "proof of concept" here... (Score:2, Informative)
But the Firefox "NoScript" extension completely blocked it until I told it to temporarily allow the host site.
Re:Simple fix to an obvious problem (Score:5, Informative)
Re:How's this news? (Score:1, Informative)
Removing an attack vector is pseudo security? Are you for real?
I suppose you think that the latest firefox only fixed "pseudo security" vulns?
http://www.mozilla.org/projects/security/known-vu
I count 12, all of which would be prevented by disabling javascript.
Corporate users need access to departmental servers, you can either disable script, deny outright or sandbox their web access via a VM. It's firewalls and vlans that have become pseudo security once an attacker has compromised a workstation.
Re:Doesn't work that way with NoScript (Score:2, Informative)
You just described a whitelist.
His TRANSACTION was sent off elsewhere, to another site, and because THAT site hadn't been whitelisted, he didn't get an acknowlegement that his payment had been accepted.
I know you no-script fanboys can't stand the idea that your favorite tool might not be perfect for everyone, everywhere, all the time, but learn to read before spewing your fanboy-ism.
Re:NoScript (Score:1, Informative)
Comment removed (Score:5, Informative)
Re:Feature creep? (Score:2, Informative)
Re:A solution to this problem. (Score:3, Informative)