Hacking Intranet Websites from the Outside

A demonstration at the 2007 RSA Conference shows how internal networks can be just as vulnerable to browser attacks as external networks.

CNET Networks

Jeremiah Grossman, CTO of White Security, presented a talk about attacking Intranet networks, the networks inside an enterprise or home. He did not use Ajax, a Web 2.0 technology that lends itself to special kinds of abuse, but pure JavaScript. In several live demonstrations, Grossman showed how it was possible, by appending a call to remotely hosted JavaScript to the URL in a victim's browser, to see the victim's browser history or learn an internal IP address. With such information, he was then able to scan the internal network and locate any valid servers operating inside the corporate firewall. He showed how an attacker could mask all this by creating a simple iframe over the legitimate browser screen, so the victim could use the browser to surf the Net, unaware that JavaScript was running in the background. For fun, the attacker could send messages to the victim that would appear as alert dialog boxes.

Cross-site scripting is not new; Billy Hoffman talked about these kinds of attacks at last summer's Black Hat Briefings. What is new is the ability to hack into someone's internal network via unlikely sources, such as a Web-enabled printer, or even a Web-enabled UPS strip. Grossman recommends that users be suspicious of long URLs and, when in doubt, type it out. Further, he points out that since there is no malware associated with these attacks, antivirus and other software solutions won't work. He uses a secure browser, like Firefox, and adds that there are plug-ins, such as the Netcraft toolbar and the NoScript extension, that can further block these attacks. A more drastic approach would be to disable Java, JavaScript, and ActiveX, but doing so could reduce the functionality on some Web sites.
