February 6, 2007 6:14 PM PST

Hacking Intranet Websites from the Outside

by Robert Vamosi

Jeremiah Grossman, CTO of White Security, presented a talk about attacking intranet networks, the networks inside an enterprise or home. He did not use Ajax, a Web 2.0 technology that lends itself to particular kinds of abuse, but plain JavaScript. In several live demonstrations, Grossman showed how, by appending a call to remotely hosted JavaScript to a URL loaded in a victim's browser, it was possible to read the victim's browser history or learn an internal IP address. With that information, he was then able to scan the internal network and locate any valid servers operating inside the corporate firewall. He showed how an attacker could hide all this by placing a simple iframe over the legitimate browser window, so the victim could go on surfing the Net, unaware that JavaScript was running in the background. For fun, the attacker could also send the victim messages that appear as alert dialog boxes.

Cross-site scripting is not new; Billy Hoffman talked about these kinds of attacks at last summer's Black Hat Briefings. What is new is the ability to reach someone's internal network via unlikely sources, such as a Web-enabled printer or even a Web-enabled UPS strip. Grossman recommends that users be suspicious of long URLs and, when in doubt, type the address out by hand. Further, he points out that because there is no malware involved in these attacks, antivirus and similar software won't stop them. He uses a secure browser, like Firefox, and adds that plug-ins such as the Netcraft toolbar and the NoScript extension can further block these attacks. A more drastic approach would be to disable Java, JavaScript, and ActiveX, but doing so could reduce the functionality of some Web sites.
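As an added example, not from the article or from Grossman's talk, here is a small proxy-log check in the spirit of the "be suspicious of long URLs" advice: it decodes the query parameters of each logged URL (repeatedly, so double encoding does not hide anything) and flags requests that carry a reference to a script hosted on a different site, an inline script, or an unusually long URL. The host names and log lines are constructed for the example.

```python
import re
import urllib.parse

# Constructed sample proxy log lines, one "client url" pair per line (not from the page).
SAMPLE_LOG = """\
10.0.0.5 http://intranet.example.invalid/search?q=printers
10.0.0.7 http://printer.example.invalid/status?name=%3Cscript%20src%3Dhttp%3A%2F%2Fevil.example.invalid%2Fscan.js%3E%3C%2Fscript%3E
10.0.0.9 http://ups.example.invalid/login?next=javascript%3Aalert(1)
10.0.0.5 http://intranet.example.invalid/report?id=42&format=pdf
"""

# <script ... src=//host or http(s)://host>: captures the host the script is loaded from.
SCRIPT_SRC = re.compile(r'<script[^>]*\bsrc\s*=\s*["\']?(https?:)?//([^/"\'\s>]+)', re.I)
# Inline script indicators: a script tag, a javascript: URL, or an on*= event handler.
INLINE_SCRIPT = re.compile(r'<script\b|javascript:|\bon\w+\s*=', re.I)

def decode_params(url):
    """Return (host, fully decoded query parameter values) for a URL."""
    parsed = urllib.parse.urlsplit(url)
    values = []
    for _, v in urllib.parse.parse_qsl(parsed.query, keep_blank_values=True):
        prev = None
        while prev != v:            # keep unquoting until the value stops changing
            prev, v = v, urllib.parse.unquote(v)
        values.append(v)
    return parsed.hostname, values

def classify_url(url, max_len=200):
    """Return the reasons a URL looks like an injected-script attempt (empty if none)."""
    host, values = decode_params(url)
    reasons = []
    for v in values:
        m = SCRIPT_SRC.search(v)
        if m and m.group(2).lower() != (host or "").lower():
            reasons.append(f"remote script from {m.group(2)}")
        elif INLINE_SCRIPT.search(v):
            reasons.append("inline script in parameter")
    if len(url) > max_len:
        reasons.append("unusually long URL")
    return reasons

def scan_log(text):
    """Return (client, url, reasons) for every log line that was flagged."""
    findings = []
    for line in text.splitlines():
        client, _, url = line.partition(" ")
        reasons = classify_url(url)
        if reasons:
            findings.append((client, url, reasons))
    return findings
```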

As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments.
Publicising Firefox
by Fil0403 February 8, 2007 8:21 AM PST
Very amusing where it says: "he uses a secure browser, like Firefox, (...)".
Why doesn't he use an equally secure and more compatible and faster browser like IE7?
Yeah right
by qx2 May 15, 2007 9:41 PM PDT
Firefox is as secure a web browser as I am a millionaire. Come on, where do you get these people... the Netscape unemployment line?

Read this site to learn how "secure" Firefox really is; this is only one of hundreds of sites that list the exploits.

http://lcamtuf.coredump.cx/
by Website_Designer August 31, 2009 10:26 PM PDT
Hack in through printers and UPS strips? Is there anything that cannot be hacked into? Damn hackers.

--------------------------
http://www.jtimages.com