JavaScript opens doors to browser-based attacks

Security researchers have found a way to use JavaScript to map a home or corporate network and attack connected servers or devices, such as printers or routers.

The malicious JavaScript can be embedded in a Web page and will run without warning when the page is viewed in any ordinary browser, the researchers said. It will bypass security measures such as a firewall because it runs through the user's browser, they said.

"We have discovered a technique to scan a network, fingerprint all the Web-enabled devices found and send attacks or commands to those devices," said Billy Hoffman, lead engineer at Web security specialist SPI Dynamics. "This technique can scan networks protected behind firewalls such as corporate networks."

A successful attack could have significant impact. For example, it could scan your home network, detect a router model and then send it commands to enable wireless networking and turn off all encryption, Hoffman said. Or it could map a corporate network and launch attacks against servers that will appear to come from the inside, he said.

"Your browser can be used to hack internal networks," said Jeremiah Grossman the chief technology officer at Web application security company WhiteHat Security. Both SPI Dynamics and WhiteHat Security came up with the JavaScript-based network scanner at about the same time, he said. The companies plan to talk about their findings at next week's Black Hat security event in Las Vegas.

JavaScript, AJAX and the Web
JavaScript has been around for about a decade. The scripting programming language is used on Web sites and is increasingly popular in recent years thanks to a programming technique known as AJAX--Asynchronous JavaScript and XML--that makes sites more interactive. AJAX has its own share of security pitfalls.

While malicious JavaScript has been possible for a long time, security researchers have not focused much on it, said Fyodor Vaskovich, creator of the popular Nmap network port scanning tool. Instead, bug hunters have been focused on finding Web browser flaws that allow for a quicker and simpler PC hijack, he said.

"There has been little motivation to explore side-channel attacks such as this one," Vaskovich said. "But a key advantage of the SPI Dynamics vulnerability is that it is difficult to fix without breaking many Web applications. So it may be around for years to come."

There have been similar attempts to craft JavaScript-based network scanners, but none as advanced as the SPI Dynamics example, Vaskovich said. "SPI Dynamics deserves credit for a clever attack vector and a solid demonstration of the issue. Their method of fingerprinting servers by checking for default image paths and names is slick."

When run, the JavaScript first determines the internal network address of the PC. Then, using standard JavaScript objects and commands, it starts scanning the local network for Web servers. These can be computers that serve Web pages, but they can also include routers, printers, IP phones and other networked devices or applications that have a Web interface.

"Everything has a Web server these days," Grossman said.

Pings from the host
The JavaScript scanner determines whether there is a computer at an IP address by sending a "ping" using JavaScript "image" objects. It then determines what servers are running by looking for image files stored in standard places, the traffic it receives back and the error messages it receives, according to a SPI Dynamics paper.

A malicious JavaScript could be hosted on an attacker's site, but an attack could also lurk on a trusted Web site by exploiting a common flaw known as cross-site scripting. Big-name Web companies including Google, Microsoft and eBay have had to plug such holes. Earlier this week AOL's Netscape.com fixed such a flaw that let apparent fans of rival Digg.com plant JavaScript on the Netscape Web site.

At BlackHat, Grossman is slated to demonstrate one attack. "We will be showing off how to get the internal IP address, how to scan internal networks, how to fingerprint and how to enter DSL routers," he said. "As we're attacking the intranet using the browser, we're taking complete control over the browser."

There is little a PC user can do in terms of protection. The burden largely rests on Web site developers to make sure their users and servers stay safe, experts said. Some PC security software will detect malicious JavaScript, but typically only after an attack has surfaced, because they rely on attack signatures (the "fingerprint" of the threat) to block the attack.

"All our protection recommendations are server-side," Grossman said. Site operators should fix cross-site scripting flaws and validate any user-submitted JavaScript. "The users really are at the mercy of the Web sites they visit. Users could turn off JavaScript, which really isn't a solution because so many Web sites rely on it," he said.

Also, if you suspect something fishy is going on, surfing to a different Web page or shutting down your browser will likely stop the JavaScript.

Attacks aren't widespread, Grossman said. "JavaScript malware is still cutting-edge, and nobody really knows what you can do with it," he said. "Liken it to the early days of an e-mail virus--that's where we're at now. I think we're going to see (many) more attacks."

[emancipated]

too bad, oh well

Disappointed, not surprised. Item provides weekend reading material.

[superdave132]

limited user mode

would running in limited user mode prevent such attacks?

[umbrae]

No...

Even a limited user can run javascript. The only limited access that would avoid this would be one that does not allow you to surf the internet, or logon to the computer at all.

[OneWithTech]

Thank you for confirming...

....what I have suspected and came to learn of before this article was released. And if you all think that is the only JavaScript manipulation attack that can be mustered up just wait.

I have been studying JavaScript extensively as part of my Web Development regime and am finding more and more way's to manipulate it for evil than for good! And you though cookies were harmless!

J Gund
Tech01
www.tech01.net

[Anysia]

NoScript Extension w/ Firefox

Totally disabling JavaScript won't work but you can pick what sites/sources to allow JavaScript. Guess it's not just an extension to speed up surfing and blocking some annoying ads.

[nrlz]

extension reveals lacks in Firefox?

Think about it. If Noscript really improves security, it would have long since been included into Firefox. The Anti-Phishing extension by Google, that first debuted a couple of months ago, has already been selected for inclusion into Firefox 2.0. This either shows that Noscript is not all it's cracked up to be or Firefox programmers really don't know the first thing about security.

[brodda2]

Why Use a MacBook?

Are they suggesting that OS-X machines are vunerable to Java-
script attacks or was that just a poor choice on the graphic
artist's part?

[aclottmann]

Why not?

From the story, it seems that all operating systems are vulnerable
to this kind of attack. All that's required is that the user has
JavaScript enabled on their browser. I'm sure that the choice of the
MacBook in the graphic was only because it looks cool, not because
Apple machines are any more or less affected by these kinds of
attacks than anyone else.

[MaxiSteel]

A change is needed

This is very scary. I think that the entire methode of web browesing should be re-engineered as in IPV6 for communications, to be become a trusted application.

Users are having to accept patches to problems when they are wanting REAL solutions.

Society actualy cares, but is not able to cope with the ever increasing speed of tech and lack of knowledge of the same.

Maxi

[Jackson Cracker]

Turning off Javascript isn't that bad

I've found that a number of sites, including some shopping
sites, work just fine without Javascript. I think it makes
more sense to have Javascript turned off by default and then
only activate it when really necessary.

[wbenton]

Java is a script and known to be vulnerable

That said... why do SO MANY pages on the internet require Javascript to be enabled to browse them.

If you want to view a link... it can be done in HTML... no need to use Javascript... but many do.

Javascript looses readers... especially those like me because I don't allow javascript for just anybody. There must be a reason.

But if that reason is because some bloody javascript crazy programmer decided to use javascript rather than just plain HTML... then I don't view that site and I also voice my opinion against that site to all of my buddies.

Javascript needs to be used with care... only when required... not just when desired.

And if you haven't figured it out yet... I block ALL javascript by default. And must have sound reasoning why to unblock it.

Sadly however... much of the internet doesn't understand the vulnerabilites of it and thus programs javascript for everything.

Walt

[mng2000]

Don't blame Javascript, blame its abuser

Javascript was invented with good intention. It allows developers to provide users with better browsing experience. Just like anything else in this world, abusers will find a way to do bad things with great inventions. Case in point: a knife. Should we stop producing kitchen knives because some bad people may use them to hurt someone? Or should we find other ways to prevent bad people from using a knife (like lock them up)?

Personally, my solution would be to improve both Javascript and browsers to keep abusers from doing any harm rather than disabling Javascript.

Hey, you drive to work, don't you? Would you rather walk to work instead because it's better for the environment? Or would you rather drive a more environment-friendly car such as a hybrid?

[jbrunken]

Wrong...

I think you need to educate yourself a bit more on the reasons for using javascript before you condem web programmers for using it.

There are many many reasons for using javascript that have nothing that make it compelling to use, not to mention that it's a core piece of most of the main stream web development platforms.

I love how web users continually demonize technologies (usually based on a small amount of bad press) without any true understanding of what benefits those technologies provide. First it was "evil cookies", now it's "evil javascript".

Could the web be built without things like javascript and cookies? Absolutely, but it would be a lot less functional and sadly the same group of people would probably be the ones to complain about how non-user friendly many sites would become.

I'd prefer to keep things in perspecitve and not throw the baby out with the bathwater...

[wadechandler]

I think we should use the correct name [Java is not the same as JavaScript]

This is a common mistype which simply leads people down yet another path of techno bash and confusion. This message is talking about JavaScript and not Java just for the record.

[maxwis]

First ActiveX, Now This

So we dumped MS IE in favor of Firefox or Opera to browse more securely. We eschewed ActiveX because it was a threat to security. Now we find out that Javascript, which is even more pervasive than ActiveX, is just as bad. Sure, you can disable Javascript, but then almost every site you visit is going to fail in some way. Good luck trying to checkout from online shopping as your cart crashes and burns. Also, as the CNET story points out, even if you only allow Javascript on trusted sites, if those sites are hacked due to poor security then you are at risk too. This seems a totally unworkable solution. I think what is needed is an Internet appliance, akin to a hardware firewall, that uses a limited, hardened OS. All web browsing would be done through a proxy that communicates with the appliance.

[deko]

Keeps programmers employed

JavaScript is a staple of the Internet, that much is sure. I couldn't even log in to post this reply without JavaScript enabled.

Seems to me a solution needs to be built into the browser rather than something external. For example, anytime a script attempts to do anything outside of a pre-defined security context, a confirmation dialog is received. This way if you want a script to log into your broadband router and turn off the firewall, you can let it. Perhaps the browser could also flag a site a "unsafe" if it trys anything funny.

Users of Windows Live OneCare are familiar with these kind of alerts - when an application attempts to access the Internet. Why not apply the same logic to the browser?

How difficult can it be to put a fence around a script (letting the user define its boundries) and require a user confirmation when action is initiated beyond that fence?

[mycall0]

VMware

Here is one powerful solution: use free VMware and one of the free virtual machines (http://www.vmware.com/vmtn/appliances/) to do your websurfing. Even if it is 0wn3d, the virtual networking will sandbox the scanning of your real network.

[ralfthedog]

Will not work

VMware will protect against attacks to your computer. It will not prevent your computer from sending stuff out. This story is about an exploit that lets java mess with other devices on your network (Turn off the firwall built into your router, get your DSL modem to start dialing 911, sutff like that.)

[umbrae]

The TRUTH about Firefox

Disabling JavaScript in Firefox does, in fact, block this request. I have no experience with the NOSCRIPT "3rd Party" extension for Javascript, but this is a "3rd Party" tool and does not reflect upon any of the "core" Firefox development team. Regardless of what Google tools Mozilla decides to include in 2.0.

Please understand how a browser works and is developed before you lay claims to what they do and do not know.

Once again, you can uncheck "Enable Javascript" in Firefox and it will block this exploit.