Hacking Intranet Websites from the Outside
A demonstration at the 2007 RSA Conference shows how internal networks can be just as vulnerable to browser attacks as external networks.
Cross-site scripting is not new; Billy Hoffman talked about these kinds of attacks at last summer's Black Hat Briefings. What is new is using them to reach someone's internal network: the victim's browser sits inside the firewall, so a page loaded from the outside can direct it at internal addresses, including unlikely targets such as a Web-enabled printer or even a Web-enabled UPS strip. Grossman recommends that users be suspicious of long URLs and, when in doubt, type the address in themselves rather than following the link. He also points out that since these attacks involve no malware, only ordinary JavaScript served by a Web page, antivirus and similar software won't stop them.

He uses Firefox and adds that plug-ins such as the Netcraft toolbar and the NoScript extension can block many of these attacks. A more drastic approach is to disable Java, JavaScript, and ActiveX, but doing so can reduce the functionality of some Web sites.
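To make the mechanism concrete, here is an added illustration of the host-discovery step behind such an attack. It is not code from the article or from Grossman's demo. A page served from an external site runs JavaScript inside the victim's browser, which is behind the firewall, so requests it makes to 192.168.x.x addresses come from inside the network. In a real page each probe is `new Image().src = "http://<host>/"` with onload/onerror handlers: an address where something answers (a printer's web interface, a UPS, anything) completes almost at once, while an unused address hangs until a timeout. The names, the /24 being scanned, the "answering" hosts and the probe function are all assumptions constructed for the example so that it runs offline under Node; nothing here touches the network.

```javascript
// Added example of browser-side intranet host discovery (constructed illustration,
// not the demo's code). A real page would use Image onload/onerror timing; here the
// probe is injected so the scanning logic can run offline.

const PRIVATE_IPV4 = [
  { net: "10.0.0.0", bits: 8 },
  { net: "172.16.0.0", bits: 12 },
  { net: "192.168.0.0", bits: 16 },
];

function ipToInt(ip) {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error(`bad IPv4 address: ${ip}`);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

function intToIp(n) {
  return [24, 16, 8, 0].map((s) => (n >>> s) & 255).join(".");
}

// RFC 1918 addresses: the ones only reachable from inside, hence the scan's interest.
function isPrivateIPv4(ip) {
  const n = ipToInt(ip);
  return PRIVATE_IPV4.some(({ net, bits }) => {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return (n & mask) === (ipToInt(net) & mask);
  });
}

// All host addresses of the /24 containing `network`, e.g. 192.168.1.1 .. 192.168.1.254.
function hostsOf24(network) {
  const base = (ipToInt(network) & 0xffffff00) >>> 0;
  const out = [];
  for (let i = 1; i <= 254; i++) out.push(intToIp(base + i));
  return out;
}

// Classify one probe the way Image-based JavaScript scanning does: any completion
// (load or error) before the timeout means something answered at that address;
// a probe that ran to the timeout means nothing did.
function classify(result, elapsedMs, timeoutMs) {
  if (result === "load") return "alive";                           // it really was an image
  if (result === "error" && elapsedMs < timeoutMs) return "alive"; // answered, just not an image
  return "unreachable";
}

// probe(url) returns { result: "load" | "error", elapsedMs }. In a browser the probes
// would be asynchronous (img.onload / img.onerror plus a setTimeout); a synchronous
// probe is used here so the scan can be exercised offline.
function scanIntranet(network, probe, timeoutMs = 1500) {
  return hostsOf24(network)
    .filter(isPrivateIPv4)
    .filter((host) => {
      const { result, elapsedMs } = probe(`http://${host}/`);
      return classify(result, elapsedMs, timeoutMs) === "alive";
    });
}

// Constructed stand-in for the victim's browser: pretends a printer at 192.168.1.20
// and a UPS at 192.168.1.30 answer quickly, and every other address hangs to the timeout.
function simulatedProbe(url) {
  const host = new URL(url).hostname;
  const answering = { "192.168.1.20": "error", "192.168.1.30": "error" };
  return host in answering
    ? { result: answering[host], elapsedMs: 40 }
    : { result: "error", elapsedMs: 1500 };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(scanIntranet("192.168.1.0", simulatedProbe));
}
```

The point the example makes is that the attacking site never connects to the printer or the UPS itself; the victim's browser does, and only the yes/no timing result leaks back. That is why the article's advice centres on the browser (NoScript, disabling script) rather than on the perimeter, and why antivirus, which looks for a malicious binary, has nothing to match on.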