JavaScript Malware Open The Door to the Intranet

An anonymous reader writes "C|Net is reporting that JavaScript malware is opening the door for hackers to attack internal networks. During the Black Hat Briefings conference Jeremiah Grossman (CTO, WhiteHat Security) '...will be showing off how to get the internal IP address, how to scan internal networks, how to fingerprint and how to enter DSL routers ... As we're attacking the intranet using the browser, we're taking complete control over the browser.' According the the article, the presence of cross-site scripting vulnerabilities (XSS) dramatically increase the possible damage that can be caused. The issue also not which-browser-is-more-secure, as all major browsers are equally at risk. Grossman says 'The users really are at the mercy of the Web sites they visit. Users could turn off JavaScript, which really isn't a solution because so many Web sites rely on it.'"

NoScript

[dvice_null]

Why can't users just install Firefox and NoScript extension for it. Then Javascript will be disabled by default, but user can whitelist the sites where Javascript should be enabled. Problem solved.

Re:NoScript

[rdwald]

In addition to blocking JavaScript on non-whitelisted sites, NoScript also prevents Flash and Java from loading unless you specifically allow them on a case-by-case basis. All of those stupid Flash adds will be gone, but you can still view everything you want to! It's a great extension.

Re:NoScript

[Anonymous Coward]

You missed what they are saying. Even if you whitelist a website, that site can be crossscripted and become infected.
RTFA.

NoScript extension could be a saviour

[CdBee]

For about a year now I routinely install a whitelisting firefox extension called NoScript [noscript.net]
It blocks javascript per-site until I choose to whitelist the site: Not only do I get a great deal fewer annoyances interrupting my browsing, but it also cuts out a lot of web advertising (the AdBlock extension makes my browser drag when fully loaded with filters)

Re:NoScript

[Asztal_]

Funnily enough, Internet Explorer actually warns you when an untrusted site links to a trusted one. I don't know of any other browsers which do this :)

I tried the "proof of concept" here...

[John.Thompson]

And it found some, but not all the web-enabled devices on my network. It found my web server and correctly identified it as Apache, found the squid proxy running on the gateway/firewall machine (identified as "unknown"), but failed to find my wireless router (through which it had to pass in order to see the rest of my network), or my print server. It also identified as "exists" several IP addresses on which no machine or device exists.

But the Firefox "NoScript" extension completely blocked it until I told it to temporarily allow the host site.

Re:Simple fix to an obvious problem

[tomjen]

It has the IP address of the NAT router - not, not, not the internal ip of the computer making the request through the NAT router.

Re:How's this news?

[Anonymous Coward]

> pseudo security measures

Removing an attack vector is pseudo security? Are you for real?

I suppose you think that the latest firefox only fixed "pseudo security" vulns?

http://www.mozilla.org/projects/security/known-vul nerabilities.html [mozilla.org]

I count 12, all of which would be prevented by disabling javascript.

Corporate users need access to departmental servers, you can either disable script, deny outright or sandbox their web access via a VM. It's firewalls and vlans that have become pseudo security once an attacker has compromised a workstation.

Re:Doesn't work that way with NoScript

[fotbr]

If you're at a site that you need Javascript to run, the little icon down in the lower right hand corner will have a pop-up menu to enable Javascript for that site you're on. You can have it enabled just for that session or permanently.
You just described a whitelist.

His TRANSACTION was sent off elsewhere, to another site, and because THAT site hadn't been whitelisted, he didn't get an acknowlegement that his payment had been accepted.

I know you no-script fanboys can't stand the idea that your favorite tool might not be perfect for everyone, everywhere, all the time, but learn to read before spewing your fanboy-ism.

Re:NoScript

[Anonymous Coward]

Other browsers assume everything is untrusted. You can agrue either way wether that is a good or bad idea.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Feature creep?

[metallidrone]

Perhaps it is because NoScript breaks FlashBlock (not sure about AdBlock). I don't know if this is still the case, since I removed it (FlashBlock) when I noticed that NoScript was preventing it from working.

Re:A solution to this problem.

[aztracker1]

And for your intranet server, that *IS* likely to need scripting, ex: an internal wiki, or bulletin board that uses one of the fancy html editors?