Security experts have recently discovered a method that uses JavaScript to map out home or business networks and attack the servers and networked devices on them.
Malicious JavaScript code can be embedded in a web page. Whenever that page is viewed, in any of the common browsers, the code runs silently without alerting the user.
Researchers indicate that these types of malicious code can easily bypass any firewall applications since they are executed through the web browser—a completely legitimate application in the eyes of the firewall.
“We have found a technique to scan an entire network system and identify all web-capable devices. This technique also allows us to send commands or directly attack those devices,” said Billy Hoffman, a leading engineer at SPI Dynamics. “This technique can also scan network systems protected by firewalls—such as those of businesses.”
If an attack using this technique succeeds, the consequences could be serious. For example, the attack might scan a user’s home network, identify a particular model of router, and send it commands that switch on the wireless feature while disabling all encryption. Alternatively, a business network could be thoroughly mapped and attacked. Even if such an attack were detected, it would appear to originate from inside the company’s own internal network.
“Your browser can indeed be used to attack internal networks,” affirmed Jeremiah Grossman, Chief Technology Officer of WhiteHat Security.
Both SPI Dynamics and WhiteHat Security discovered the JavaScript attack technique simultaneously. They are expected to jointly announce this technique at the upcoming Black Hat Conference next week.
Still Open-Ended?
JavaScript has been used on the web for about a decade. The scripting language runs mainly inside websites and has grown more popular with the rise of a programming technique known as AJAX (Asynchronous JavaScript and XML). AJAX makes web pages more interactive, but it carries the same security risks as JavaScript itself.
Meanwhile, malicious JavaScript code has been known for some time, but security experts have paid little attention to it, according to Fyodor Vaskovich, the creator of the famous port scanning and vulnerability discovery tool Nmap.
“Typically, attacks like the one mentioned above receive very little attention,” Vaskovich said. “However, a key issue with the security vulnerability discovered by SPI Dynamics is that it is very difficult to fix. Addressing it could damage web applications. Thus, we may need many more years to resolve this.”
There have been many attempts to write a network scanning tool in JavaScript, but none has been as advanced as the example produced by SPI Dynamics, Vaskovich asserted. “SPI Dynamics deserves praise for discovering this attack technique.”
No Fix Available Yet
When executed, the malicious JavaScript first identifies the PC’s internal IP address. It then uses standard JavaScript commands and objects to scan the internal network for web servers. These may be actual web servers, or devices such as routers, printers, IP phones and other network equipment and applications that expose a web interface.
The script then checks whether a host is present at each IP address by sending a “ping” through the JavaScript Image object (that is, by having the browser request a resource from that address). The next step is to work out what kind of server is running by requesting image files that are commonly stored in standard directories.
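Because the probe requests come from the victim’s own browser, one place a defender can see them is the access log of the device being scanned: in the combined log format each request carries the triggering page’s URL as its Referer. The following detector is an added example for this article, not code from SPI Dynamics or WhiteHat Security; the log lines, addresses, hostnames and the `ownHosts` list are all constructed for the illustration.

```javascript
// Added example (not from the article): flag browser-driven intranet probes in a
// device's web-interface access log. Assumption: the device is only legitimately
// browsed under the hostnames listed in ownHosts, so a request whose Referer names
// any other host was driven by a page served from elsewhere.

// Apache/nginx "combined" format: ip ident user [time] "req" status bytes "ref" "ua"
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$/;

function parseLine(line) {
  const m = LINE_RE.exec(line.trim());
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[5]), referer: m[6] };
}

// Host of the page that triggered the request, or null when the Referer is absent
// ("-"). An absent Referer is not proof of a same-site request, so it is not flagged.
function refererHost(referer) {
  if (!referer || referer === '-') return null;
  try { return new URL(referer).host; } catch (e) { return 'unparsable:' + referer; }
}

// Group cross-site requests by (client, referring host) so one report shows which
// paths a browser was driven to request. Status codes are kept on purpose: 404s on
// well-known image paths are exactly how the scan fingerprints a device type.
function findProbes(logText, ownHosts) {
  const byKey = new Map();
  for (const line of logText.split('\n')) {
    const r = parseLine(line);
    if (!r) continue;
    const host = refererHost(r.referer);
    if (host === null || ownHosts.includes(host)) continue;
    const key = r.ip + '|' + host;
    if (!byKey.has(key)) byKey.set(key, { ip: r.ip, refererHost: host, paths: [] });
    byKey.get(key).paths.push(`${r.method} ${r.path} -> ${r.status}`);
  }
  return [...byKey.values()];
}

// Constructed sample log (fictional addresses): a normal visit of the device's own
// UI, three requests driven from an external page, then a request with no Referer.
const SAMPLE_LOG = `
192.168.1.10 - - [02/Aug/2006:10:00:01 +0000] "GET /images/logo.gif HTTP/1.1" 200 1234 "http://192.168.1.1/" "Mozilla/5.0"
192.168.1.10 - - [02/Aug/2006:10:05:02 +0000] "GET /images/logo.gif HTTP/1.1" 200 1234 "http://attacker.example/page.html" "Mozilla/5.0"
192.168.1.10 - - [02/Aug/2006:10:05:02 +0000] "GET /img/banner_v2.gif HTTP/1.1" 404 0 "http://attacker.example/page.html" "Mozilla/5.0"
192.168.1.10 - - [02/Aug/2006:10:05:03 +0000] "GET /admin/apply.cgi?x=1 HTTP/1.1" 200 55 "http://attacker.example/page.html" "Mozilla/5.0"
192.168.1.22 - - [02/Aug/2006:10:06:00 +0000] "GET /cgi-bin/status HTTP/1.1" 200 900 "-" "Mozilla/5.0"
`;

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(findProbes(SAMPLE_LOG, ['192.168.1.1']), null, 2));
}
```

Modern browsers may strip or trim the Referer under a referrer policy, so an empty result proves nothing; a non-empty one is a strong signal worth correlating with the internal client address it names.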
The malicious JavaScript can be hosted on the attacker’s own website, or planted on a reputable site by exploiting a cross-site scripting vulnerability there. Well-known companies such as Google, Microsoft and eBay have invested considerable effort in fixing such flaws; earlier this week Netscape also had to address a similar issue.
Against this kind of attack, individual users have little protection of their own. The burden falls on web developers to keep users and web servers safe. Some security software can detect malicious JavaScript, but only the code used in blatant attacks; a covert attack of the kind described here is likely to evade such products.
Recommendations have been issued for server administrators: server and website administrators should fix all cross-site scripting vulnerabilities and implement user JavaScript authentication. Users should consider disabling JavaScript in their browsers.
Hoàng Dũng