JavaScript opens doors to browser-based attacks

Malicious code embedded in Web site can let miscreant map a home or corporate network, attack connected devices.

Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.
Joris Evers
4 min read
Security researchers have found a way to use JavaScript to map a home or corporate network and attack connected servers or devices, such as printers or routers.

The malicious JavaScript can be embedded in a Web page and will run without warning when the page is viewed in any ordinary browser, the researchers said. It will bypass security measures such as a firewall because it runs through the user's browser, they said.

"We have discovered a technique to scan a network, fingerprint all the Web-enabled devices found and send attacks or commands to those devices," said Billy Hoffman, lead engineer at Web security specialist SPI Dynamics. "This technique can scan networks protected behind firewalls such as corporate networks."

A successful attack could have significant impact. For example, it could scan your home network, detect a router model and then send it commands to enable wireless networking and turn off all encryption, Hoffman said. Or it could map a corporate network and launch attacks against servers that will appear to come from the inside, he said.

"Your browser can be used to hack internal networks," said Jeremiah Grossman the chief technology officer at Web application security company WhiteHat Security. Both SPI Dynamics and WhiteHat Security came up with the JavaScript-based network scanner at about the same time, he said. The companies plan to talk about their findings at next week's Black Hat security event in Las Vegas.

JavaScript, AJAX and the Web
JavaScript has been around for about a decade. The scripting programming language is used on Web sites and is increasingly popular in recent years thanks to a programming technique known as AJAX--Asynchronous JavaScript and XML--that makes sites more interactive. AJAX has its own share of security pitfalls.

While malicious JavaScript has been possible for a long time, security researchers have not focused much on it, said Fyodor Vaskovich, creator of the popular Nmap network port scanning tool. Instead, bug hunters have been focused on finding Web browser flaws that allow for a quicker and simpler PC hijack, he said.

"There has been little motivation to explore side-channel attacks such as this one," Vaskovich said. "But a key advantage of the SPI Dynamics vulnerability is that it is difficult to fix without breaking many Web applications. So it may be around for years to come."

There have been similar attempts to craft JavaScript-based network scanners, but none as advanced as the SPI Dynamics example, Vaskovich said. "SPI Dynamics deserves credit for a clever attack vector and a solid demonstration of the issue. Their method of fingerprinting servers by checking for default image paths and names is slick."

When run, the JavaScript first determines the internal network address of the PC. Then, using standard JavaScript objects and commands, it starts scanning the local network for Web servers. These can be computers that serve Web pages, but they can also include routers, printers, IP phones and other networked devices or applications that have a Web interface.

"Everything has a Web server these days," Grossman said.

Pings from the host
The JavaScript scanner determines whether there is a computer at an IP address by sending a "ping" using JavaScript "image" objects. It then determines what servers are running by looking for image files stored in standard places, the traffic it receives back and the error messages it receives, according to a SPI Dynamics paper.

A malicious JavaScript could be hosted on an attacker's site, but an attack could also lurk on a trusted Web site by exploiting a common flaw known as cross-site scripting. Big-name Web companies including Google, Microsoft and eBay have had to plug such holes. Earlier this week AOL's Netscape.com fixed such a flaw that let apparent fans of rival Digg.com plant JavaScript on the Netscape Web site.

At BlackHat, Grossman is slated to demonstrate one attack. "We will be showing off how to get the internal IP address, how to scan internal networks, how to fingerprint and how to enter DSL routers," he said. "As we're attacking the intranet using the browser, we're taking complete control over the browser."

There is little a PC user can do in terms of protection. The burden largely rests on Web site developers to make sure their users and servers stay safe, experts said. Some PC security software will detect malicious JavaScript, but typically only after an attack has surfaced, because they rely on attack signatures (the "fingerprint" of the threat) to block the attack.

"All our protection recommendations are server-side," Grossman said. Site operators should fix cross-site scripting flaws and validate any user-submitted JavaScript. "The users really are at the mercy of the Web sites they visit. Users could turn off JavaScript, which really isn't a solution because so many Web sites rely on it," he said.

Also, if you suspect something fishy is going on, surfing to a different Web page or shutting down your browser will likely stop the JavaScript.

Attacks aren't widespread, Grossman said. "JavaScript malware is still cutting-edge, and nobody really knows what you can do with it," he said. "Liken it to the early days of an e-mail virus--that's where we're at now. I think we're going to see (many) more attacks."