Hacking Intranet Websites from the Outside

A demonstration at the 2007 RSA Conference shows how internal networks can be just as vulnerable to browser attacks as external networks.

CNET Networks

Jeremiah Grossman, CTO of White Security, presented a talk about attacking Intranet networks, the networks inside an enterprise or home. He did not use Ajax, a Web 2.0 technology that lends itself to special kinds of abuse, but pure JavaScript. In several live demonstrations, Grossman showed how it was possible, by appending the URL in a victim's browser with a call to remotely hosted JavaScript to see a victim's browser history or learn an internal IP address. With such information, he was then able to scan the internal network and locate any valid servers operating inside the corporate firewall. He showed how an attacker could mask all this by creating a simple iframe over the legitimate browser screen, so the victim could use the browser to surf the Net, unaware that JavaScript was running in the background. For fun, the attacker could send messages to the victim that would appear as alert dialog boxes.

Cross site scripting is not new; Billy Hoffman talked about these kinds of attacks at last summer's Black Hat Briefings. What is new is the ability to hack into someone's internal network via unlikely sources, such as a Web-enabled printer, or even a Web-enabled UPS strip. Grossman recommends that users be suspicious of long URLs and when in doubt type it out. Further, he points out that since there is no malware associated with these attacks, antivirus and other software solutions won't work. He uses a secure browser, like Firefox, and adds there are plug-ins such as the Netcraft toolbar and the NoScript extension which can further block these attacks. A more drastic approach would be to disable Java, JavSscript, and ActiveX, but doing so could reduce the functionality on some Web sites.

About the author

    As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments.



    Conversation powered by Livefyre

    Don't Miss
    Hot Products
    Trending on CNET

    Hot on CNET

    CNET's giving away a 3D printer

    Enter for a chance to win* the MakerBot Replicator 3D Printer and all the supplies you need to get started.