JavaScript - Extremely dangerous attack tool

Security experts have discovered a way to use JavaScript to map home or business networks and attack the servers and devices connected to them.

Malicious JavaScript code can be embedded in a web page. Every time the page is opened in a browser, the code runs silently without warning the user.

Experts say that this kind of malicious code can bypass firewalls completely because it runs in the web browser, an application that is entirely legitimate in the firewall's eyes.

"We have found a technique to scan an entire network and identify all possible web devices. That technique also allows us to send commands or attack those devices too," Billy Hoffman, a leading engineer at SPI Dynamics, said. "This technique can also scan network-protected networks - such as corporate networks, for example."

An attack that uses this technique can cause significant damage. For example, it could scan the user's home network, identify the router model in use, then send commands to enable wireless networking and disable all encryption. Or an enterprise network might be mapped and hacked. Such attacks, if detected, would appear to come from the company's own internal network.

"Your browser can absolutely be used to attack the intranet," said Jeremiah Grossman, chief technology engineer of WhiteHat Security.

SPI Dynamics and WhiteHat Security discovered the JavaScript attack technique at the same time. The two companies are expected to announce it jointly at the Black Hat conference to be held next week.

Still open?

JavaScript has been used on the web for about a decade. The scripting language is used mainly on websites and is becoming more and more popular thanks to a programming technique called AJAX (Asynchronous JavaScript and XML). AJAX makes web pages more interactive, but it carries security risks similar to those of JavaScript.

Malicious JavaScript has been known for a long time, but security experts have shown little interest in it, said Fyodor Vaskovich, creator of Nmap, the well-known port-scanning and error-hunting tool.

"Often the kind of attacks mentioned above are of little interest," Vaskovich said. "But a key issue in the security flaw discovered by SPI Dynamics is that it is very difficult to fix. Fixing it may damage web applications. That's why we might need years to overcome it."

There have been many attempts to write a network scanning tool in JavaScript, but none is as advanced as the one presented by SPI Dynamics, Vaskovich said. "SPI Dynamics deserves praise when it comes to the above attack technique."

There is no solution yet

When it runs, the malicious JavaScript code first determines the PC's internal address. It then uses standard JavaScript commands and objects to scan the internal network for web servers. These may be actual web servers or devices such as routers, printers, IP phones, or other networked devices and applications with web interfaces.

The script then determines whether a machine is present at a given IP address by sending a "ping" through JavaScript's Image object. The next step is to determine which types of servers are running by looking for image files that are usually stored in standard folders.
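Seen from the internal web server, the image-based probing described above shows up as image requests whose Referer points at a site outside the network. The following log check is an added example for defenders, not code from the article or from SPI Dynamics; the combined log format, the host names, the paths and the threshold are all assumptions.

```javascript
// Constructed sample: access-log lines (combined format) from an intranet
// device's web interface. Hosts, paths and addresses are made up.
const SAMPLE_LOG = [
  '10.0.0.23 - - [01/Aug/2006:10:15:01 +0000] "GET /images/logo.gif HTTP/1.1" 200 2326 "http://printer.corp.example/index.html" "Mozilla/5.0"',
  '10.0.0.57 - - [01/Aug/2006:10:15:02 +0000] "GET /images/logo.gif HTTP/1.1" 200 2326 "http://news.external.example/story.html" "Mozilla/5.0"',
  '10.0.0.57 - - [01/Aug/2006:10:15:02 +0000] "GET /icons/server.gif HTTP/1.1" 404 209 "http://news.external.example/story.html" "Mozilla/5.0"',
  '10.0.0.57 - - [01/Aug/2006:10:15:03 +0000] "GET /img/banner.png HTTP/1.1" 404 209 "http://news.external.example/story.html" "Mozilla/5.0"',
  '10.0.0.23 - - [01/Aug/2006:10:16:40 +0000] "GET /status.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
];

const LINE_RE = /^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$/;
const IMAGE_RE = /\.(gif|png|jpe?g|ico|bmp)(\?.*)?$/i;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null; // not a combined-format line
  return { client: m[1], method: m[2], path: m[3], status: Number(m[4]), referer: m[5] };
}

function refererHost(referer) {
  try { return new URL(referer).hostname.toLowerCase(); }
  catch { return null; } // "-" or malformed Referer
}

function isInternal(host, suffixes) {
  return suffixes.some((s) => host === s || host.endsWith("." + s));
}

// One finding per (client, external Referer host) that requested at least
// minHits distinct image paths; 404s count the guessed paths that missed.
function findCrossSiteImageProbes(lines, internalSuffixes, minHits = 2) {
  const groups = new Map();
  for (const line of lines) {
    const e = parseLine(line);
    if (!e || e.method !== "GET" || !IMAGE_RE.test(e.path)) continue;
    const host = refererHost(e.referer);
    if (host === null || isInternal(host, internalSuffixes)) continue;
    const key = e.client + " " + host;
    if (!groups.has(key)) groups.set(key, { client: e.client, refererHost: host, paths: new Set(), misses: 0 });
    const g = groups.get(key);
    g.paths.add(e.path);
    if (e.status === 404) g.misses += 1;
  }
  return [...groups.values()]
    .filter((g) => g.paths.size >= minHits)
    .map((g) => ({ ...g, paths: [...g.paths].sort() }));
}
```

Requests that arrive without a Referer header are not flagged, so this is a heuristic rather than complete coverage.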

The malicious JavaScript code can be hosted on the attacker's own website. An attack like this can also hide behind trusted sites by exploiting cross-site scripting flaws. Big-name companies such as Google, Microsoft or eBay have had to spend a lot of effort fixing them. Earlier this week, Netscape also had to fix a similar security flaw.

Against this type of attack, very few individual users can be protected. The burden now falls on web developers to ensure the safety of users and web servers. Some security software can detect malicious JavaScript snippets, but only code used in surface attacks; against a more hidden attack, that software gives up as well.

Recommendations have been given to server administrators: server and site administrators should fix all cross-site scripting flaws and carry out JavaScript user authentication. Users should disable JavaScript in the browser.

Hoang Dung