[WEB SECURITY] Detecting, Analyzing, and Exploiting Intranet Applications using JavaScript
- From: "Billy Hoffman" <Billy.Hoffman@xxxxxxxxxxxxxxx>
- Subject: [WEB SECURITY] Detecting, Analyzing, and Exploiting Intranet Applications using JavaScript
- Date: Thu, 27 Jul 2006 11:47:49 -0400
Folks,

SPI Labs has discovered a technique to scan a network, fingerprint all
the web-enabled devices it finds, and send attacks or commands to those
devices. This technique can scan networks protected behind firewalls,
such as corporate networks. All the code to do this is written in
JavaScript and uses parts of the standard that are almost 10 years old.
Accordingly, the code can execute in nearly any web browser on nearly
any platform when a user simply opens a webpage that contains the
JavaScript. Since this is not exploiting any browser bug or
vulnerability, there is no patch or defense for the end user other than
turning off JavaScript support in the browser. The code can be part of a
Cross Site Scripting (XSS) attack payload, increasing the damage XSS can
do.

SPI has published a whitepaper about this technique and has also released
proof of concept code that will portscan a given range of IPs and
fingerprint Microsoft IIS and Apache boxes.

Whitepaper:
http://www.spidynamics.com/spilabs/education/articles/JS-portscan.html
Proof of Concept: http://www.spidynamics.com/spilabs/js-port-scan/

Have fun,
Billy Hoffman
--
Lead R&D Engineer
SPI Dynamics - http://www.spidynamics.com
Phone: 678-781-4800
Direct: 678-781-4845
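The post states that the end user has no defense beyond disabling JavaScript, which leaves the intranet application itself as the place to refuse requests that another site's page has caused the browser to send. The following is an added example for this archive entry, not code from the post, from SPI Labs or from its proof of concept: a request classifier for an intranet web application that uses the Fetch Metadata request headers (`Sec-Fetch-Site`, `Sec-Fetch-Mode`, `Sec-Fetch-Dest`, which current browsers attach and which did not exist in 2006) and falls back to `Origin`/`Referer` for clients that do not send them. The allow-list and the sample probe headers are constructed for the example.

```javascript
// Added example (not from the SPI Labs post or proof of concept).
// Server-side resource-isolation check for an intranet web application:
// decide, from the request headers, whether the request was initiated by
// the application's own pages or by a page on some other site.

// Constructed sample allow-list of the application's own origins.
const ALLOWED_ORIGINS = new Set([
  'http://intranet.example',       // constructed sample origin
  'http://intranet.example:8080',  // constructed sample origin
]);

// Normalise an Origin or Referer header value to a scheme://host[:port]
// origin string; return null when the value is absent, "null" or unparseable.
function originFromHeader(value) {
  if (!value || value === 'null') return null;
  try {
    return new URL(value).origin;   // drops path and default port
  } catch (e) {
    return null;
  }
}

// Decide whether a request may proceed. `headers` is an object with
// lower-cased keys, as Node's http.IncomingMessage.headers provides.
function classifyRequest(headers, method) {
  const site = (headers['sec-fetch-site'] || '').toLowerCase();
  const mode = (headers['sec-fetch-mode'] || '').toLowerCase();
  const dest = (headers['sec-fetch-dest'] || '').toLowerCase();

  if (site) {
    // Fetch Metadata present: the browser itself reports the initiator.
    if (site === 'same-origin' || site === 'same-site' || site === 'none') {
      return { allow: true, reason: `sec-fetch-site=${site}` };
    }
    // Cross-site initiator. Permit only a plain top-level GET navigation
    // (a user following a link); refuse everything else another site's page
    // can trigger: img/script loads, XHR/fetch, cross-site form posts.
    if (mode === 'navigate' && method === 'GET' && dest === 'document') {
      return { allow: true, reason: 'cross-site top-level navigation' };
    }
    return {
      allow: false,
      reason: `cross-site ${mode || 'request'} for ${dest || 'unknown destination'}`,
    };
  }

  // Legacy fallback (no Fetch Metadata): consult Origin, then Referer.
  const origin = originFromHeader(headers['origin']) ||
                 originFromHeader(headers['referer']);
  if (origin === null) {
    // Typed URL, bookmark, or a client that strips Referer: nothing to judge on.
    return { allow: true, reason: 'no initiator information' };
  }
  if (ALLOWED_ORIGINS.has(origin)) {
    return { allow: true, reason: `initiator ${origin} on allow-list` };
  }
  return { allow: false, reason: `initiator ${origin} not on allow-list` };
}

// Constructed sample: how a <script src="http://intranet-host/..."> load
// placed on another site's page appears to this server in a browser that
// sends Fetch Metadata. Logging refused requests with their reason gives
// the application a detection signal for this kind of probing.
const SAMPLE_PROBE = {
  'sec-fetch-site': 'cross-site',
  'sec-fetch-mode': 'no-cors',
  'sec-fetch-dest': 'script',
  referer: 'http://external.example/page.html',
};

console.log(classifyRequest(SAMPLE_PROBE, 'GET'));
```

To apply it, call `classifyRequest(req.headers, req.method)` at the front of the request handler (for Node's `http.createServer`, or as the first middleware of a framework) and answer 403 when `allow` is false, logging `reason`. The fallback branch is the weaker half: a browser without Fetch Metadata that loads an image or script from another site's page still sends `Referer`, so the allow-list catches that case, but it cannot tell a typed URL from a request whose `Referer` was stripped, which is exactly the gap the `Sec-Fetch-Site` header closes.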
Brought to you by http://www.webappsec.org