Security Blog: Yet Another Malicious Attack Technique
July 27, 2006

Yet Another Malicious Attack Technique

A malicious technique for scanning a network, fingerprinting all Web-enabled devices found, and sending attacks or commands to those devices has been uncovered by SPI Labs.

This technique can scan networks protected behind firewalls, such as corporate networks. All the code to do this is written in JavaScript and uses parts of the JavaScript language standard that are almost ten years old. Accordingly, the code can execute in nearly any Web browser on nearly any platform when a user opens a Web page that contains the JavaScript. Since the technique does not exploit any browser bug or vulnerability, there is no patch or defense for end users other than turning off JavaScript support in the browser.

The code can be part of a Cross-Site Scripting (XSS) attack payload, thereby increasing the potential damage caused by XSS. These vulnerabilities are extremely common, and large companies such as MySpace.com and Yahoo.com have had high-profile XSS attacks that affected millions of users in the past year.

"Web application vulnerabilities, particularly cross-site scripting, are most frequently viewed by security professionals as a nuisance. However, SPI Labs has been closely tracking the escalating damage that these vulnerabilities can cause as they become mainstream," said Billy Hoffman, Lead Research Engineer, SPI Labs. "This potentially devastating JavaScript attack, along with the growing exploitation of Cross-Site Scripting, demonstrates that these vulnerabilities should no longer be last in line to be addressed. There is no such thing as a harmless XSS vulnerability."

To help reduce the risk of port scans with JavaScript, SPI Labs recommends that you:

  • Have your Web applications assessed for security vulnerabilities immediately, and continue to do so on a frequent periodic basis.
  • Ensure that all input is validated before being processed.
  • Use whitelisting rather than blacklisting for validation. Whitelisting means accepting only what you know to be good data, while blacklisting uses a list of data not to allow. Looking for known, valid, and safe input is much easier than looking for known malicious or dangerous input. For example, you know that a U.S. ZIP code should always be five digits; whitelisting the ZIP code input means accepting only five digits and nothing else.
  • Add network Intrusion Detection System (IDS) rules for scanning behavior.
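
The third recommendation above, whitelist (allow-list) validation with the ZIP code case, as an added JavaScript example that is not SPI Labs' or the post's own code: it puts an allow-list validator beside a naive block-list one and runs both over a few constructed form submissions, so the difference in what each lets through is visible. The field names, formats, sample values and the contents of the block list are assumptions made for this example.

```javascript
// Added example (not SPI Labs' or the blog's code): allow-list ("whitelist")
// validation of Web form fields beside a naive block-list ("blacklist") check,
// to show why stating what good input looks like is the easier rule to get right.

// Allow-list rules: each field declares exactly the format it accepts.
// Field names and formats are constructed for this example.
const ALLOW_LIST = {
  zip: /^\d{5}$/,                 // U.S. ZIP code: exactly five ASCII digits
  stateCode: /^[A-Z]{2}$/,        // two uppercase letters, e.g. "GA"
  quantity: /^(?:[1-9]\d{0,2})$/, // 1..999, no leading zeros
};

// Allow-list validator: accept only input matching the declared format.
function validateAllowList(field, value) {
  const rule = ALLOW_LIST[field];
  if (!rule) return false;                  // unknown field: reject, never guess
  if (typeof value !== 'string') return false;
  return rule.test(value);
}

// Naive block-list validator: reject input containing known-bad fragments.
// Every fragment is a guess about the attacker; anything not listed passes,
// and the check is case-sensitive, so a trivial variant slips by.
const BLOCK_LIST = ['<script', 'javascript:', 'onerror='];

function validateBlockList(value) {
  if (typeof value !== 'string') return false;
  return !BLOCK_LIST.some((bad) => value.includes(bad));
}

// Run both validators over constructed sample submissions for the ZIP field
// and return, per value, what each approach decided.
function compareValidators() {
  const samples = [
    '30308',                     // valid five-digit ZIP
    '3030',                      // too short
    '30308-1234',                // ZIP+4: not the five digits this field expects
    '3O3O8',                     // letter O in place of zero: looks right, is not
    '<SCRIPT>alert(1)</SCRIPT>', // case-changed tag: missed by the block list
  ];
  return samples.map((value) => ({
    value,
    allowList: validateAllowList('zip', value),
    blockList: validateBlockList(value),
  }));
}

// Stand-alone run: print the comparison table.
console.table(compareValidators());
```

The block list accepts every sample but the plain `<script` spelling it was written for, while the allow-list rule rejects everything that is not five digits without needing to know anything about attacks; that asymmetry is the point of the recommendation. Note that the allow-list rule is applied per field: a validator that does not know a field rejects it rather than falling back to a permissive default.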

For more information, see this detailed briefing on this exploit. A proof-of-concept demonstration is also available.
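
The fourth recommendation, IDS rules for scanning behavior, as an added JavaScript example that is not SPI Labs' or the post's own code: it sketches the network-side rule in plain code rather than any IDS's native syntax. The symptom a browser-driven scan leaves on the wire is one internal source contacting many distinct host:port pairs in a short window, so the detector slides a time window over each source's connection attempts and raises an alert once the number of distinct destinations in the window crosses a threshold. The log format, the field names and the window and threshold values are assumptions made for this example, and the sample records are constructed.

```javascript
// Added example (not SPI Labs' or the blog's code): detect the network-side
// symptom of a browser-driven port scan, as a sketch of the IDS rule the post
// recommends. Flags an internal source that reaches many distinct host:port
// pairs inside a short window. Format and thresholds are assumptions.

// Constructed sample of firewall connection-attempt records:
// "<epoch seconds> <src ip> -> <dst ip>:<dst port> <tcp flag>"
// 10.1.2.50 sweeps ten internal destinations in five seconds; 10.1.2.77 is
// ordinary traffic to two destinations.
const SAMPLE_LOG = `
1153900000 10.1.2.50 -> 10.1.2.10:80 SYN
1153900000 10.1.2.50 -> 10.1.2.11:80 SYN
1153900001 10.1.2.50 -> 10.1.2.12:80 SYN
1153900001 10.1.2.50 -> 10.1.2.13:80 SYN
1153900002 10.1.2.50 -> 10.1.2.14:80 SYN
1153900002 10.1.2.50 -> 10.1.2.15:8080 SYN
1153900003 10.1.2.50 -> 10.1.2.16:80 SYN
1153900003 10.1.2.50 -> 10.1.2.17:443 SYN
1153900004 10.1.2.50 -> 10.1.2.18:80 SYN
1153900004 10.1.2.50 -> 10.1.2.19:80 SYN
1153900000 10.1.2.77 -> 10.1.2.10:80 SYN
1153900003 10.1.2.77 -> 10.1.2.10:80 SYN
1153900006 10.1.2.77 -> 10.1.2.20:443 SYN
1153900009 10.1.2.77 -> 10.1.2.10:80 SYN
`;

// Parse the assumed record format into event objects; blank or malformed
// lines are skipped rather than allowed to abort the whole batch.
function parseLog(text) {
  const re = /^(\d+) (\S+) -> (\S+):(\d+) (\S+)$/;
  const events = [];
  for (const line of text.split('\n')) {
    const m = re.exec(line.trim());
    if (!m) continue;
    events.push({ t: Number(m[1]), src: m[2], dst: `${m[3]}:${m[4]}`, flag: m[5] });
  }
  return events;
}

// Sliding-window rule: for each source, keep the events of the last windowSec
// seconds and the count of distinct destinations among them; alert the first
// time that count reaches maxDistinct. One alert per source keeps output short.
function detectScanners(events, { windowSec = 10, maxDistinct = 8 } = {}) {
  const bySrc = new Map();
  for (const e of events) {
    if (!bySrc.has(e.src)) bySrc.set(e.src, []);
    bySrc.get(e.src).push(e);
  }
  const alerts = [];
  for (const [src, list] of bySrc) {
    list.sort((a, b) => a.t - b.t);
    const inWindow = [];        // events not older than windowSec
    const dstCount = new Map(); // destination -> occurrences inside the window
    for (const e of list) {
      inWindow.push(e);
      dstCount.set(e.dst, (dstCount.get(e.dst) || 0) + 1);
      // Evict events that fell out of the window and drop their destinations.
      while (inWindow.length && inWindow[0].t < e.t - windowSec) {
        const old = inWindow.shift();
        const n = dstCount.get(old.dst) - 1;
        if (n === 0) dstCount.delete(old.dst); else dstCount.set(old.dst, n);
      }
      if (dstCount.size >= maxDistinct) {
        alerts.push({ src, distinct: dstCount.size, from: inWindow[0].t, to: e.t });
        break;
      }
    }
  }
  return alerts;
}

// Stand-alone run: print alerts for the constructed sample.
console.log(detectScanners(parseLog(SAMPLE_LOG)));
```

Two points a practitioner would check before deploying a rule like this: the source of a browser-driven scan is a trusted workstation's own address, so the rule must watch internal sources, not only the perimeter; and the threshold needs a baseline, since hosts that legitimately touch many peers (monitoring, backup, vulnerability scanners) will trip it unless they are exempted.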

Posted by Jon Erickson at 01:52 PM  Permalink